Description
A Linux kernel vulnerability (CVE-2013-2094) that may allow local users to gain root privileges (0-day exploit) was recently identified.
Affected Products
Parallels Virtuozzo Containers for Linux v4.7, Parallels Server Bare Metal v5.0, and Parallels Cloud Server v6.0 products are affected by this vulnerability. Parallels ships its own Linux kernel as part of these products.
This vulnerability may also affect other Linux hosts, such as hosts running Red Hat, CentOS, Debian, and other Linux distributions. Please refer to the "Other useful links" section below.
NOTE: Parallels Virtuozzo Containers for Linux v4.0 and 4.6 are NOT affected.
Impact
- Privilege escalation: any local user can gain root privileges.
- An exploit is available in the wild.
Prerequisites for exploiting the issue
- A local user account is required (no remote attack).
Recommendations
All customers are strongly advised to update the kernel for Parallels products (PVC, PSBM, and PCS) as soon as possible to Parallels kernel version 2.6.32-042stab076.8 or later.
Customers should update the kernel for other Linux hosts as soon as an update is available from the vendor:
- Red Hat for Red Hat Enterprise Linux (an update from Red Hat is pending)
- Other Linux vendors
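To confirm that a host meets the recommendation above, the following added example (not Parallels code) compares a kernel release string with the fixed version 2.6.32-042stab076.8. The function names and the assumed release format `2.6.32-<branch>stab<build>.<rev>` are illustrative assumptions, not taken from the advisory.

```sh
#!/bin/sh
# Added example, not Parallels code. FIXED is the version named in this advisory.
FIXED="2.6.32-042stab076.8"

# Split a release such as 2.6.32-042stab076.8 into "branch build rev".
# Prints nothing when the string is not a 2.6.32 "stab" kernel.
# Assumed naming scheme: 2.6.32-<branch>stab<build>.<rev>
stab_fields() {
    printf '%s\n' "$1" |
        sed -n 's/^2\.6\.32-\([0-9][0-9]*\)stab\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p'
}

# Strip leading zeros so every field compares as a plain decimal integer.
dec() {
    n=$(printf '%s\n' "$1" | sed 's/^0*//')
    printf '%s\n' "${n:-0}"
}

# Print "up-to-date", "needs-update" or "unknown" for one release string.
kernel_status() {
    cur=$(stab_fields "$1")
    [ -n "$cur" ] || { echo unknown; return 0; }
    # Positional parameters: branch build rev fixed_branch fixed_build fixed_rev
    set -- $cur $(stab_fields "$FIXED")
    i=1
    while [ "$i" -le 3 ]; do
        a=$(dec "$1"); b=$(dec "$4")
        if [ "$a" -gt "$b" ]; then echo up-to-date; return 0; fi
        if [ "$a" -lt "$b" ]; then echo needs-update; return 0; fi
        shift; i=$((i + 1))
    done
    echo up-to-date   # identical to the fixed version
}

# Check the running kernel, or a release string passed as the first argument.
kernel_status "${1:-$(uname -r)}"
```

A result of `unknown` means the kernel is not a Parallels 2.6.32 build, so the distribution vendor's advisory applies instead.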
Links to Parallels Updates
Updates for affected Parallels products are available at the following links:
Parallels Virtuozzo Containers for Linux 4.7 http://kb.sp.parallels.com/en/116084
Parallels Server Bare Metal 5.0 http://kb.sp.parallels.com/en/116085
Parallels Cloud Server 6.0 http://kb.sp.parallels.com/en/116087
Parallels Plesk Panel http://kb.sp.parallels.com/en/116126
Other useful links
* Vulnerability ID: CVE-2013-2094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094
* RHEL 6.x Advisory https://rhn.redhat.com/errata/RHSA-2013-0830.html
* Fedora bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=962799
* Debian http://www.debian.org/security/2013/dsa-2669