This attack usually occurs after the attacker has been able to read the contents of the /etc/passwd file and has enumerated the server’s users.

The attacker then runs a script which blindly builds symbolic links (a bit like shortcuts on Windows or Aliases on a Mac) to locations where configuration files for commonly used CMS might be kept in each user’s home directory.

If you enable both of the configuration settings SymLinksIfOwnerMatch and FollowSymLinks, Apache will be vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that has not been protected by strict OS-level permissions.

symlink-attack

Use the following Solutions to prevent from Symlink attack valnurablities in cpanel

Filesystem-level solutions

Enable mod_ruid + jailshell for your apache webserver.

This option is very easy to enable. Simply recompile Apache and then enable Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell in Tweak Settings.

cageFS

CageFS is a virtualized file system and a set of tools to contain each user in its own ‘cage’. This option is available on all cPanel-supported platforms today, and it is already included with CloudLinux.

Kernel + Apache solutions

Kernel level protection, you can’t really get any better then this. Requires a custom kernel GRsec, etc., and the burden of maintaining and installing it.

Mod_hostinglimits securelinks with CloudLinux kernel

If you currently use CloudLinux, this option has already been installed. The directive will not affect VirtualHosts which do not have a specified user id.

Apache-level patches

Symlink Race Condition Patch Available Via EasyApache.

To help solve this issue, cPanel offers the option to apply a third-party patch (Bluehost.com) to Apache 2.X that will prevent the race condition.

To apply the patch, select Symlink Race Condition Protection from the Exhaustive Options list during the EasyApache build process.

Remember: By default, EasyApache does not apply this patch.
ALERT! Warning: This patch may slow the performance of high-traffic servers.
ALERT! Warning: If you already use a custom patch for the race condition (for example: FollowSymLinks_to_OwnerMatch.patch), you will need to either remove your custom patch or not enable the Symlink Race Condition Protection option in EasyApache.

 

3.67 avg. rating (80% score) - 3 votes
Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive