The majority of this blog post is related to Linux, but there is also an advisory regarding IIS 6.0 on Windows Server 2003 R2.

First to Linux: A kernel issue was discovered two years ago, identified as CVE-2017-1000253* by Google researcher Michael Davidson in April 2015. It was not considered serious, and as such, a patch for this flaw had not been released until now. Why now? Qualys Research Labs have found the vulnerability can be exploited as below:

Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on 14 April 2015) are vulnerable to CVE-2017-1000253, a Local Privilege Escalation.

Most notably, all versions of CentOS 7 before 1708 (released on 13 September 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on 1 August 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.

The full advisory from Qualys can be found here: https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt

Now on to Windows Server 2003 R2. Not much of this around? From 14 July 2015, this version is no longer receiving security updates and as such is vulnerable to any flaws found since that date. According to Grantek: https://grantek.com/windows-server-2003-still-alive-but-not-well/

There are still around 600,000 IIS 6.0 web servers on 2003 out there facing the Internet, with a vulnerability which allows cybercriminals to generate Monero cryptocoins on these vulnerable servers. The vulnerability CVE-2017-1769 was discovered by Zhiniang Peng and Chen Wu in March 2017. The only solution? Upgrade to a supported version of Windows Server, and patch frequently!

*CVE is the abbreviation for Common Vulnerabilities and Exposures.

Stay safe, Terry Griffin

DDLS Principal Technologist: Security



Feature Articles


eBook
Drive Innovation with IT Service Management Training
11 December 2023
eBook
Get your teams up-to-speed with ITIL® 4
22 May 2024
eBook
Elevate your business and career to new heights
22 May 2024
Blog
The Philippines' National Cyber Security Plan 2023-2028: Roadmap to Cyberspace Resilience
By Justin Luna | 28 August 2024
Blog
2024-2025 Government Budget: Focusing investment in cyber security skilling
By Jeremy Daly | 1 July 2024
Read