How to Upgrade An Unsupported OS: An In-depth Checklist

So, you have your shiny new Raspberry Pi, a great idea to use it, and the technical skill to pull it off successfully. It doesn’t matter if it’s as a network print server, a dedicated media center, a retro arcade cabinet or a home automation system. The Pi has you covered.

You configure it to your heart content, adjust every parameter and setting to squeeze out the performance you need, create your best invention. The Pi is foremost an enabling platform, letting you give free rein to your creativity.

And then you let your project run. After the initial set up and configuration, the Pi can be hidden away and forgotten, while it sits in your home network performing its function. And maybe you don’t follow IT security news, or miss a relevant vulnerability report amongst the flood of CVEs, or simply don’t think anyone would target your Pi to exploit any weaknesses. The thing is, hackers love this kind of device because they present an entry point into your network.

CloudLinux Enterprise services have been growing steadily for years now. KernelCare, for example, was launched around 6 years ago as a live patching tool for the Linux Kernel. Since then we have added several useful integrations for vulnerability scanners, automation tools and others, and we also released KernelCare+ which adds live patching for OpenSSL and glibc shared libraries.

Last year we also added Extended Lifecycle Support services that let you continue to receive security updates for your systems that are past their original vendor’s End-of-Life date. So if you need more time to migrate to current versions of your distro we can continue to provide patches and updates up to four years past the EOL date.

The KernelCare team is proud to announce the release of KernelCare 2.43-2, bringing new features and bug fixes to the enterprise’s live patching tool of choice. This follows the recent update to ePortal, and signals KernelCare’s continued commitment to support and maintain this important and widely used enterprise tool, giving users the confidence to continue to depend on it for their live patching needs.

Another vulnerability targeting the BPF subsystem has been disclosed publicly in the past few days (CVE-2021-29154). It allows users on a system running non-default configuration of the BPF subsystem to run specially crafted code as a BPF filter and run arbitrary executable code in the kernel context. 

According to vendors, it affects all distributions running kernels up to version 5.11.12. Distribution vendors are starting to deliver patches through their update mechanisms, and KernelCare is also finalizing patches for it’s rebootless patching process to address this issue.

When you see so many vulnerabilities being reported and so many security-related issues being exploited, you may think to yourself “I’m lucky not to be using that package or software, I’m not vulnerable to this”. 

Shortly after exploit code was found in a public repository, two new vulnerabilities (CVE-2020-27170 and CVE-2020-27171) have been found in the Linux Kernel code that protects against it.

Both vulnerabilities allow a local user to read kernel memory which could contain sensitive information like encryption keys. Proof-of-concept code has also been made available privately, but it is safe to assume it will eventually reach public outlets.

Very recently, a long-known vulnerability called Spectre re-emerged due to an exploit that was made available publicly, and a lack of patching meant that this well known vulnerability poses a danger again.

And, yet again, something similar happened. This time, security researchers found three critical bugs in 15-year-old Linux kernel code. Code this old should have been thoroughly scrutinized for bugs by now – and it is anybody’s guess how often these vulnerabilities have been exploited by malicious actors in the meantime.

Patches have now been released for CentOS 8, Oracle EL8, RHEL8, CloudLinux 7h, CloudLinux 8, AlmaLinux OS, Ubuntu Bionic HWE, Debian 10, Debian 10 Cloud, Debian 9 Backports and Proxmox VE6.

Additionally, patches are now also available for CloudLinux 6h, CloudLinux 7, CentOS 7, CentOS 7-plus, Oracle EL7, and RHEL 7.

In this article, we outline the three vulnerabilities just discovered, explain why open-source code is not always scrutinized as well as it should be (or by the right people), and point to the importance of patching consistently.

Billions of IoT devices are transforming the capabilities of industrial control systems (ICS): delivering low cost, low power computing to achieve efficiency and automation. But the unique characteristics of these devices can also turn ICS into somewhat of a management and security headache.

As always, tools emerge to relieve these challenges – for example, take Microsoft Azure IoT Hub. It is common for IoT devices to proliferate and it makes tracking and managing IoT devices very challenging. Azure IoT Hub is a tool that helps organizations to catalog, manage and integrate large fleets of IoT devices.

Similarly, managing security patching across large IoT networks can be difficult – devices in ICS environments may be air-gapped and require 100% service availability. KernelCare live patching for IoT can help solve these challenges.

Today, we’re delighted to announce that KernelCare for IoT now fully integrates with Device Update for IoT Hub from Microsoft, which is currently in preview in select Azure regions. Let’s take a look.

KernelCare is a solution to the problem of applying patches in a timely manner and keeping your system running without disruption, but sometimes you have to replace a server or migrate the service to another system. This short guide will show you how to move your KernelCare license to the new server.