Category Archives: Servers & Network Announcements

CVE-2016-5195 (Dirty COW) – All Servers Protected

We are happy to announce that all of Aspiration Hosting’s servers are fully protected against the CVE-2016-5195 vulnerability, also known as Dirty COW (yes, we find the name silly too!).

Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel which can allow a local user (such as a web hosting account) to gain root access to the server. The vulnerability is present in all major Linux distributions, and security researchers detected in-the-wild (ITW) attacks even before security patches were released by the various OS vendors.

Our servers were not affected by the ITW attacks, and all servers have been patched with the latest security patches automatically (thanks to KernelCare).

To reiterate, there’s nothing that you will need to do on your end and all of your websites are automatically protected.

All Servers Protected from HTTPoxy Vulnerability

HTTPoxy

All of Aspiration Hosting’s servers are automatically protected from the HTTPoxy vulnerability as of 16+ hours ago (July 18th 2016, 6:52pm EDT).

HTTPoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments. It may allow an attacker to redirect the outgoing HTTP requests made by your web application through a proxy of their choosing, which can lead to disclosure of API tokens and other data carried in those requests. Further explanation of this vulnerability can be found on the HTTPoxy website.

We managed to roll out protection in the shortest time possible thanks to LiteSpeed Web Server, which powers all of our servers.

To reiterate, there’s nothing that you will need to do on your end and all of your websites are automatically protected.
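The following is an added example, not code from Aspiration Hosting or LiteSpeed, showing the mechanism behind HTTPoxy and the two places it is normally closed: a CGI gateway exports every request header as an `HTTP_*` variable, so a client-supplied `Proxy` header becomes `HTTP_PROXY`, which proxy-aware HTTP client libraries read. The header and proxy values are constructed; the gateway and client functions are simplified models, not any real server's code.

```python
# Added example (not Aspiration Hosting's or LiteSpeed's code): how a CGI
# gateway turns the client-supplied "Proxy" header into HTTP_PROXY, and the
# two layers at which the bug is normally closed.


def cgi_environ(headers, method="GET"):
    """Naive CGI mapping (RFC 3875 section 4.1.18): every request header is
    exported as HTTP_<NAME>. Nothing distinguishes the attacker-chosen
    'Proxy' header from any other, so it becomes HTTP_PROXY."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def hardened_cgi_environ(headers, method="GET"):
    """Gateway-side mitigation: never export the 'Proxy' header. A web server
    applying this covers every CGI/FastCGI application behind it at once."""
    safe = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return cgi_environ(safe, method)


def outgoing_proxy_naive(env):
    """Historic client-library behaviour: any *_PROXY variable is trusted,
    which is what let an outbound call be routed via an attacker's proxy."""
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None


def outgoing_proxy(env):
    """Client-side mitigation, modelled on CPython's fix for CVE-2016-1000110:
    inside a CGI request (REQUEST_METHOD present) upper-case HTTP_PROXY is
    ignored, since only a request header could have set it; the operator's
    lower-case http_proxy is still honoured."""
    if env.get("http_proxy"):
        return env["http_proxy"]
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


# Constructed sample request; the Proxy value uses an RFC 5737 documentation
# address standing in for an attacker-controlled proxy.
SAMPLE_HEADERS = {
    "Host": "example.com",
    "User-Agent": "curl/7.50.0",
    "Proxy": "http://203.0.113.10:8080",
}

if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    print("naive gateway + naive client :", outgoing_proxy_naive(env))
    print("naive gateway + fixed client :", outgoing_proxy(env))
    print("hardened gateway + naive client:",
          outgoing_proxy_naive(hardened_cgi_environ(SAMPLE_HEADERS)))
```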

SSLv3 Disabled Due to POODLE Bug

Engineers at Google found a new vulnerability in SSL version 3.0 (SSLv3), which they call POODLE (Padding Oracle On Downgraded Legacy Encryption). The vulnerability allows an attacker to manipulate the padding of a request and, from the server’s responses, calculate the plaintext of data encrypted with the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption whenever the SSLv3 protocol is in use. Full details have been published by Google in a paper.

Who does this affect?

SSLv3 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

However, the only group of users who will be seriously affected by this bug is those who are still using Internet Explorer 6 on Windows XP (both of which have already reached end of life).

According to CloudFlare, 0.09% of all traffic across their network is SSLv3. For HTTPS traffic, 0.65% across their network uses SSLv3. The good news is that most of that traffic is actually attack traffic and some minor crawlers. For real visitor traffic, today 3.12% of CloudFlare’s total SSL traffic comes from Windows XP users. Of that, 1.12% of Windows XP users connected using SSLv3. In other words, even on an out-of-date operating system, 98.88% of Windows XP users connected using TLSv1.0+, which is not affected by this vulnerability.

Our Response

We will be disabling SSLv3 across all of our servers as this is a serious vulnerability with no patch in sight (as SSLv3 is very old) and most web browsers will be dropping support for SSLv3 after this POODLE incident anyway.

If you receive any complaints from website visitors who are affected by the decision to disable SSLv3, we highly recommend that you suggest they stop using Internet Explorer 6 and switch to a modern browser such as Google Chrome, Mozilla Firefox, Safari or Opera.

For those of you who are not aware, even Microsoft has been discouraging Windows XP users from using Internet Explorer 6 via its IE 6 Countdown website since 2011.

(Poodle image via Flickr, CC license.)

Heartbleed Bug Patched for All Servers

We are happy to announce that the Heartbleed Bug (CVE-2014-0160) has been patched on all of our servers that were vulnerable to it. Along with the patch, we were required to restart the affected services, including LiteSpeed Web Server, cPanel & WHM, mail services, FTP services, etc., and there were brief service interruptions due to the restarts.

Heartbleed

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed Bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

UPDATE: All server-level certificates have also been reissued as a precautionary measure.

US Web Hosting Upgrade

Dear Clients,

This is a notification to let you know that we will be performing a complete upgrade for all US Web Hosting servers.

The upgrade will start from the end of April 2013.

The upgrade will involve server moves, so there will be slight downtime due to DNS propagation (for visitors who visited your website recently). If you are not using our nameservers for your domain, we suggest switching to them to minimize the downtime.

We will make further announcements on this in the coming days and weeks.

The aim of the upgrade is to achieve:-

– Performance Improvements

– Security Improvements

– Feature Improvements

Here are the major highlights of the upgrade:-

Solid State Drives (SSD)

We will be switching all Web Hosting servers from the current 15K SA-SCSI Hard Drives to the latest Solid State Drives (SSD), which will give a huge performance boost to your website.

CageFS

CageFS (by CloudLinux) is a virtualized file system which will isolate each hosting account to their own “cage” complete with their own file system, etc. This is a huge improvement to the security of our shared hosting platform as a client can no longer detect the presence of another client on the server.

PHP Selector

PHP Selector (by CloudLinux) allows you to choose your own PHP version and extensions on a per-account basis. You can choose any of the available PHP versions, including 5.2.x, 5.3.x and 5.4.x, directly within your cPanel with us.

Percona MySQL

We will be replacing the regular MySQL (by Oracle) with Percona Server 5.5.x, which is a drop-in replacement for MySQL and is 100% compatible with all current MySQL databases. Percona MySQL is more than 40% faster than MySQL, which will give you better performance without sacrificing compatibility.

CDN Manager

As some of you may be aware, a very recent version of cPanel broke the CDN Manager, which is used to configure the CDN and purge the CDN cache. We are happy to say that the CDN Manager will work properly as soon as the upgrade is completed.

Fewer Clients Per Server

Along with the upgrade, we will be reducing the number of clients per server, which will result in improved performance for you.

We hope you are as excited as we are about this upgrade, and we thank you for your patience and understanding regarding any inconvenience that may occur during it.

Thank you.

Aspiration Hosting