The latest insights from the load balancing experts | Loadbalancer.org
Stack Clash and Loadbalancer.org

21 June 2017 / 2 min read / Security

Background

I was reading about the Stack Clash vulnerability last night. It seems this is something which has been around before: it has been fixed twice, and now another method of triggering the exploit has been identified. As it has been rated 'Important', I thought I'd write a blog about it. As with most aspects of security, it's a game of 'cat and mouse' and the goal is always a moving target!

The long and short of it is that there are updates to the Linux kernel and glibc packages which will 'fix' the issue. On the Loadbalancer.org appliance we run a custom compiled kernel, so the kernel side is not likely to be 'fixed' until the next release, where we are moving to a newer kernel anyway. Should you wish to update the glibc package, this can be done by executing the following command on your Loadbalancer.org appliances:

yum update glibc

The reason for the quotes and the generally relaxed approach to the situation is simple: this exploit relates to privilege escalation (i.e. giving a standard user account root level access), which is a moot point on the Loadbalancer.org appliance as the default configuration already runs with full root level privileges. At present, the only successful proof of concept exploit implementations for this advisory have been executed locally (i.e. on the box), and if an attacker already has that level of access to your appliance then there are probably many other questions to be answering first! As far as I am aware, there have not been any successful remote attempts to exploit this vulnerability.

Resolution

You can update the glibc package on your Loadbalancer.org appliances and when the new update is available (v8.2.6), it will contain a new kernel which should be patched against this exploit. We always advise customers to change their passwords & SSH keys from the defaults and where feasible, use iptables to control access to their load balancer - all of these things can be achieved using the "lbsecure" tool. Similar to keeping warm in the winter, security is best achieved with layers and if there is any potential that the load balancer can be accessed remotely, ensure your perimeter firewall is suitably configured to your requirements.
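The two checks the Resolution describes, reporting the glibc and kernel versions that the Stack Clash fixes ship in and limiting management access with iptables, as a small added script. This is example code written for this post, not Loadbalancer.org's own lbsecure tool; it assumes an RPM-based appliance (the post uses yum), SSH on port 22, and an assumed WUI port of 9443 that can be overridden with LB_WUI_PORT.

```shell
#!/bin/sh
# Added example: report Stack Clash patch state and restrict management
# access to one trusted subnet. Assumes an RPM-based appliance, SSH on 22
# and an assumed WUI port (LB_WUI_PORT, default 9443).

# Print the installed glibc package and the running kernel, the two
# components the Stack Clash advisories patch, so they can be compared
# against the vendor's fixed versions after "yum update glibc".
patch_state() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q glibc 2>/dev/null || echo "glibc: not installed"
    else
        echo "glibc: rpm not available on this host"
    fi
    echo "kernel: $(uname -r)"
}

# Emit iptables commands that accept management traffic (SSH and WUI)
# only from the CIDR given as $1 and drop it from everywhere else.
# Rules are printed, not applied, so they can be reviewed first.
mgmt_rules() {
    cidr=$1
    wui=${LB_WUI_PORT:-9443}
    for port in 22 "$wui"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Apply the rules only when running as root on a host that has iptables;
# otherwise print them and return non-zero so a caller can tell.
apply_mgmt_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "not root or iptables missing; printing rules only" >&2
        mgmt_rules "$1"
        return 1
    fi
    mgmt_rules "$1" | sh -e
}
```

Review the printed rules against your existing chain before running apply_mgmt_rules, since a DROP on port 22 from the wrong subnet locks you out of the appliance.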

If there are any questions, please contact our support team and our engineers will be happy to help!

References

  • Qualys blog on Stack Clash - https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
  • Red Hat vulnerability response - https://access.redhat.com/security/vulnerabilities/stackguard
  • Loadbalancer.org v8.2 Administration Guide - http://pdfs.loadbalancer.org/v8/loadbalanceradministrationv8.2.pdf#page=67


About the author

Dave Saunders

Having previously worked as a system administrator at IBM for over 12 years, maintaining infrastructure used by a global team, Dave joined the Loadbalancer.org support team to further develop his skillset and gain experience of varied customer environments.
