According to a German IT service provider, users running 1&1 servers with openSUSE 11 as their distribution should check the version number of their Linux kernel. In order to guarantee full support for the hardware it uses, for openSUSE, 1&1 installs its own homemade kernel. Unfortunately this kernel disables the YAST auto-update function, with the result that, despite regular updates, the kernel (126.96.36.199) remains several months old – making it vulnerable to a range of root exploits involving null pointer dereference (NPD) and other vulnerabilities. Users relying on auto-updates could be in for an unpleasant surprise. At present it is not confirmed that this is also problem with 1&1 servers running English language versions of openSUSE, although it seems likely that it is.
IT services provider Markus Manze stumbled on the problem when compiling an overview of Linux distributions and the null pointer dereference bugs they contain. According to Manke’s German language report on the problem, in view of the availability of exploits, an unpatched kernel turns security vulnerabilities in other applications, such as web servers, PHP applications and other network services, into potentially system-compromising vulnerabilities. Furthermore, the mmap_min_addr system variable, which is able to frustrate NPD exploits, is set to 0 in openSUSE 11.0.
1&1 states that root server customers bear sole responsibility for administering their servers. Thomas Plünnecke, press spokesman for 1&1, has stated that the company merely guarantees that root servers are up-to-date from a technology and security point of view when first supplied. After delivery, it is down to the customer to ensure that the system is regularly updated. Unfortunately, the openSUSE configuration does not allow YAST auto-update functionality to be used to update the kernel. In a statement to heise Security, Plünnecke says that, “Because our root server products are aimed at professional users, it is assumed that users will be experienced in dealing with kernel updates. We do provide appropriate download options.”
Nevertheless, Plünnecke adds that the issue has prompted the company to take the opportunity to revise its documentation for the particular case of openSUSE 11 and to refer users to sources for up-to-date kernel files. To install an updated kernel, users need to download and compile the kernel source code and install the kernel image. Instructions for doing so can be found in the 1&1 help centre.