Linux virtual web server hit by "extremely serious" backdoor password

Linux virtual web server, once touted as the most secure operating system available, has been hit by revelations that it contains an "extremely serious" security flaw.

Red Hat's distribution of Piranha Linux Virtual Server (LVS) software contains a backdoor password, which may allow remote execution of commands on the server.

Piranha contains the LVS software and is equipped with a web-based GUI front-end and monitoring and fail over components. It is widely deployed in e-business back-end infrastructures.

Security vendor ISS discovered the backdoor password in the GUI portion of Piranha allowing backdoor connections from remote and local users.

This could be exploited to change LVS parameters and execute arbitrary commands with the same access level as an administrator. It also allows access to the web pages on the server.

ISS said that the latest version of Red Hat Linux is affected, as is version 6.2 when combined with the latest version of Piranha GUI 0.4.12.

The vulnerability remains even if the LVS service is not actually used on the web server.

Kevin Black, security analyst at ISS, said that the vulnerability was extremely serious because it compromised whole systems and offered a springboard into the rest of the network. "Red Hat is being deployed in corporate environments more and more and security issues are few and far between, but it would still benefit from a more regular upgrade environment," said Black.

Red Hat has posted updated versions of the affected Piranha, Piranha-doc and Piranha-GUI packages on its website. These have been modified to remove the flaw and the password allowing arbitrary command execution.

After applying the patch, users should log into the GUI and set a new password to secure the remote access system.

ftp://updates.redhat.com/6.2.