How affected is a typical ISPConfig 3 installation by the recent Dirty Frag/Fragnesia derivatives?

Discussion in 'ISPConfig 3 Priority Support' started by curiousadmin, May 16, 2026.

  1. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Hi,

    I was wondering how badly ISPConfig 3 is affected by the recent Dirty Frag/Fragnesia derivatives.
    The vulnerabilities came out of nowhere (no fix before disclosure) and Ubuntu update servers were down for some time during that critical moment.


    0) Let's assume the typical "Perfect server", that is regularly updated and is running Ubuntu 24.04 with: Apache, PHP, MariaDB, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3 and we can also assume no "other" SSH users with non-root privileges.

    1) My understanding is that each of those processes (Apache, Postfix, Dovecot) has its separate "user" under which it runs its tasks (not root).

    2) So how likely is it that a server running ISPConfig was compromised through a combined vulnerability found in, say, Apache or Postfix and escalating into granted root privileges, therefore taking the server over?

    3) How to check if the server was compromised? What actions did you take regarding this? I don't think logs will be useful, somebody having root access would just delete those.

    Further reading for those unaware:
    Attack knocks Ubuntu websites, services and Snap store offline
    https://www.omgubuntu.co.uk/2026/05/ubuntu-websites-ddos-attack

    Dirty Frag Vulnerability Made Public Early: Root Privilege On All Distributions
    https://www.phoronix.com/news/Dirty-Frag-Linux

    Fragnesia Made Public As Latest Linux Local Privilege Escalation Vulnerability
    https://www.phoronix.com/news/Linux-Fragnesia

    new one: Linux's Latest Vulnerability Allows Reading Root-Owned Files By Unprivileged Users:
    https://www.phoronix.com/news/Linux-ssh-keysign-pwn
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I would say not more or less than any other Linux software. Nothing in these vulnerabilities is ISPConfig-specific or will affect ISPConfig servers more than servers without ISPConfig.

    Take care to update your system regularly, look out for security notices by the Linux distributions or Linux news sites, and update your systems immediately. The huge benefit of ISPConfig is that it uses system packages for all services, so you do not depend on us to release any updates or fixes for these general Linux issues; just take care to install updates immediately when they become available.

    And as you mentioned, ISPConfig already uses user separation for all services and even user separation for websites.

    If your system has been compromised, it's probably not that easy to track.
     
  3. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Thank you for the quick followup.

    So did you or your team take any extra measures beyond update fast and backup regularly?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    We blocked the Kernel modules until the Kernel updates were available, so systems were safe until the distributions shipped the update, and then installed the updates as soon as they were available. As I mentioned above, these were general Linux Kernel problems affecting any Linux system, so nothing specific to ISPConfig. Also, the first link you posted is not even a Linux vulnerability; it was just an outage of the Ubuntu repo servers.
     
