Hi,
Two bugs¹ have been discovered in Xen which have serious security
implications, therefore we must patch and reboot every host before
the security advisory comes out of embargo at 12:00Z on 2 May.
We'll be sending out notifications shortly to let you know the exact
window in which the reboot will take place for your VPS(es), but
this is just a short note to let you know that the work will most
likely be taking place in the early hours (UK) of 30 April, 1 May
and 2 May.
A reminder that if you wish you can have your VPS suspended to and
then restored from storage, instead of shut down and booted:
https://panel.bitfolk.com/account/config/#prefs
https://tools.bitfolk.com/wiki/Suspend_and_restore
Cheers,
Andy
¹ XSA-213 and XSA-215 - http://xenbits.xen.org/xsa/
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Approximately 8 hours ago we were made aware that Cross-Site Request
Forgery (CSRF) could be used to trick a logged-in user of the
BitFolk Panel at https://panel.bitfolk.com/ into carrying out
changes that could allow their account to be compromised.
As there was no checking that requests actually came from forms
generated on the panel site, if a logged-in user was tricked into
submitting an HTTP request from elsewhere then they could
change sensitive details about their account such as:
- Adding SSH keys for console access
- Altering contact email address
- Invalidating/Disabling two factor authentication
- Enabling email password reset, if it was disabled
We have no evidence that any of these actions have ever been carried
out maliciously, but aside from reports we would have no way of
knowing, so we would advise that all customers log in to their Panel
account and check that the list of SSH keys is as they expect.
All of the forms on the sensitive pages, which include everything
under:
* https://panel.bitfolk.com/account/security/
* https://panel.bitfolk.com/account/contacts/
were today secured against CSRF so there is now no way to use this
technique to compromise an account. The vulnerability would have
been there ever since the Panel site existed, or the relevant
features were added.
The remaining forms, which only cover fairly trivial informational
items, will be fixed as soon as possible. You can track that work at
our tracker:
* https://tools.bitfolk.com/redmine/issues/156
Thanks must go to Dominic Cleal <https://m0dlx.com/> who responsibly
disclosed the problem to us today and has assisted with testing of
our fixes.
More general information about CSRF:
* https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
If you have any further questions please do let us know by replying
to the users list (users(a)lists.bitfolk.com) or to
support(a)bitfolk.com if you need to discuss anything specific to your
account.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
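An added illustration of the kind of check the announcement above describes (the synchronizer-token pattern plus an Origin/Referer check on a sensitive form handler). This is example code, not BitFolk's Panel code; the Session class, the handler names and the sample values are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the site whose own forms we trust (from the announcement).
PANEL = urlsplit("https://panel.bitfolk.com")

class Session:
    """Server-side session located via the browser's cookie (hypothetical).
    The CSRF token is random per session and only appears in pages served
    to that session, so a page on another site cannot read it."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)
        self.ssh_keys = []

def hidden_fields(session):
    """What the panel embeds as a hidden input in its own forms."""
    return {"csrf_token": session.csrf_token}

def same_origin(headers):
    """Origin (or Referer) must match the panel's scheme and host exactly."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no verifiable source: refuse state-changing requests
    u = urlsplit(src)
    return (u.scheme, u.netloc) == (PANEL.scheme, PANEL.netloc)

def csrf_ok(session, headers, form):
    """Synchronizer-token check (constant-time) plus the origin check.
    A forged cross-site request carries the victim's cookie but not the
    token, and the browser stamps it with the other site's Origin/Referer."""
    token = form.get("csrf_token", "")
    token_ok = hmac.compare_digest(token.encode(), session.csrf_token.encode())
    return token_ok and same_origin(headers)

def add_ssh_key_unchecked(session, form):
    """Before the fix: any request bearing a valid session cookie is honoured."""
    session.ssh_keys.append(form["key"])
    return True

def add_ssh_key(session, headers, form):
    """After the fix: the sensitive action runs only if csrf_ok passes."""
    if not csrf_ok(session, headers, form):
        return False
    session.ssh_keys.append(form["key"])
    return True
```

The same check applies equally to the other sensitive forms listed above (contact email, two-factor settings, password reset); the token must be regenerated when the session is created and compared in constant time as shown.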
Hi,
A bug¹ has been discovered in Xen which has serious security
implications, therefore we must patch and reboot every host before
the security advisory comes out of embargo on 4 April.
We'll be sending out notifications shortly to let you know the exact
window in which the reboot will take place for your VPS(es), but
this is just a short note to let you know that the work will most
likely be taking place in the early hours (UK) of 30 March, 31 March
and 1 April.
A reminder that if you wish you can have your VPS suspended to and
then restored from storage, instead of shut down and booted:
https://panel.bitfolk.com/account/config/#prefs
https://tools.bitfolk.com/wiki/Suspend_and_restore
Cheers,
Andy
¹ XSA-212 - http://xenbits.xen.org/xsa/
--
https://bitfolk.com/ -- No-nonsense VPS hosting