[Vulnerability] VM created with Debian 10 template from TDN may be compromised via user debianuser


Applicable to:

  • SolusVM

Situation

Note: This situation applies to the Debian 10 KVM templates downloaded from TDN earlier than Feb 3, 2021 03:30 am (UTC).

A VM created from the affected templates may be compromised via the user debianuser. The debianuser account can run the cnrig process, which is related to CryptoNight malware.

Impact

VPS compromise.

Call to Action

For new VPSes

Re-download the template on SolusVM master and slave nodes:

# wget https://templates.solusvm.com/kvm/linux-debian-10-x86_64-gen2-v2.gz -O /home/solusvm/kvm/template/linux-debian-10-x86_64-gen2-v2.gz
# wget https://templates.solusvm.com/kvm/linux-debian-10-x86_64-gen2-v1.gz -O /home/solusvm/kvm/template/linux-debian-10-x86_64-gen2-v1.gz

For existing VPSes

The best practice is to migrate the data to another VPS. If migration is not an option, remove the user debianuser, set up SSH key authentication and disable password authentication:

  1. Connect to a Debian 10 VPS via SSH
  2. Remove the debianuser user:

    # deluser --remove-all-files debianuser

  3. Create an SSH key pair for SSH access using this article:
    https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54
  4. Disable PasswordAuthentication in /etc/ssh/sshd_config and restart SSH:

    # service ssh restart

  5. Double-check that you can still get in (open a new session and test it out) before you exit your active SSH session.
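
The following script is an added example, not part of the original article or of SolusVM. It checks a VPS for the three things named above: the debianuser account, a running cnrig process, and whether password authentication is still enabled. The function names and the "audit" argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code. File paths are parameters so each check can
# be run against constructed copies as well as the live system.

# Succeeds if an account named exactly "debianuser" is in the passwd file.
has_debianuser() {
    awk -F: '$1 == "debianuser" { found = 1 } END { exit !found }' \
        "${1:-/etc/passwd}"
}

# Succeeds if a process named exactly "cnrig" is in the listing on stdin
# (one command name per line, as printed by `ps -eo comm=`).
has_cnrig() {
    awk '{ n = split($1, p, "/"); if (p[n] == "cnrig") found = 1 }
         END { exit !found }'
}

# Prints the global PasswordAuthentication value from an sshd_config file.
# sshd keeps the first value it reads for a keyword and defaults to "yes";
# Match blocks are not evaluated here.
password_auth_setting() {
    awk '{ sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
         tolower(f[1]) == "passwordauthentication" {
             print tolower(f[2]); found = 1; exit
         }
         END { if (!found) print "yes" }' "${1:-/etc/ssh/sshd_config}"
}

# Runs all three checks; returns non-zero if anything needs attention.
audit_vps() {
    status=0
    if has_debianuser "${1:-}"; then
        echo "FOUND: account debianuser exists"; status=1
    fi
    if ps -eo comm= | has_cnrig; then
        echo "FOUND: cnrig process is running"; status=1
    fi
    if [ "$(password_auth_setting "${2:-}")" != "no" ]; then
        echo "WARN: PasswordAuthentication is not set to no"; status=1
    fi
    return "$status"
}

# Run against the live system only when asked: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_vps; fi
```

A clean result only means these specific indicators are absent; it does not prove the VPS was never accessed. `sshd -T` prints the configuration sshd actually applies and can be used to confirm the PasswordAuthentication value.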
