Yesterday, Yevgeny Pats of Perception Point security announced publicly a local privilege escalation vulnerability in the Linux kernel, which has been given the code CVE-2016-0728. Most Linux systems had this vulnerability.
Using his code, an attacker who could run programs on a vulnerable system as a non-root user could either crash it, or become the root user. Letting other people – you, our users – run code on our servers is what PythonAnywhere is all about :-) But, of course, when you run code, it’s not as the root user. If someone managed to become root on a PythonAnywhere server, there’s a possibility that they would be able to see other people’s stuff – though, because of our sandboxing system, they’d need to make use of further vulnerabilities to do that, and we’re not aware of any such vulnerabilities. (To put it another way – your code is running in a sandbox. If you’d managed to become root, you’d still be in the sandbox. We don’t think that even root could escape our sandbox.)
Perception Point had practiced responsible disclosure of this vulnerability, so when they published their notes on it publicly, the various Linux distributions had known about it for a few days, and had patches available. We immediately applied these patches, and as of 10pm UTC yesterday, all PythonAnywhere servers on which you can execute code – the ones used for consoles, web apps, and for scheduled tasks – were running kernel version 3.13.0-76, which Ubuntu released to patch this specific problem.
As an aside, we’ve also attempted to exploit this vulnerability in our own test instances of PythonAnywhere, and on a number of virtual machines, in order to understand it better. We were not able to use it to become root, although we were able to crash some of the VMs. This makes a certain amount of sense – we believe that the vulnerability does not always work, and when it fails, it can crash the kernel. As we were able to crash VMs several times, but not get to root, it seems that crashes outnumber privilege escalation. So we’d expect that if someone had been trying to use it on PythonAnywhere before it was announced, we’d have seen a number of inexplicable crashes of our console servers’ operating systems (which would be the most likely place for someone to run it). We haven’t noticed anything like that recently. So while that doesn’t prove anything definitively, it’s a comforting indicator.