
SANS Stormcast Monday, May 11th, 2026: New Linux Priv Escalation; PAM Backdoors; CPanel Updates; Let’s Encrypt
Hello and welcome to the Monday, May 11, 2026 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich, recording today from San Diego, California. And today's episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cyber Security. Yes, and once people start looking for a certain type of flaw, well, we of course get more and more of them in the news. We now have a second Linux privilege escalation vulnerability that again affects pretty much any Linux distribution out there going back to 2017, so about nine years back, which pretty much covers everything at this point. The problem with this vulnerability is again a kernel driver, just like what we had with Copy Fail. Actually, there are some similarities with this Copy Fail vulnerability. This one has its own name, its own logo: Dirty Frag. And this vulnerability relies on two different vulnerable kernel modules, so both must be present in order for the vulnerability to be exploited. One is the rxrpc module. This module is used for some file systems, like AFS. For example, the AFS implementation for Linux does use the rxrpc module. The second module is actually really two, but either one works: esp4 and esp6. Well, they're part of the ESP protocol, so IPsec. In my opinion, it's probably safer to disable the ESP modules. You can just unload them and with that prevent exploitation, just because it's easier to figure out if you're using IPsec or not, while with the rxrpc module it could be a little bit more difficult to figure out which sort of other functionality on a particular system actually takes advantage of this module. So if you're not doing IPsec, even if you're doing VPNs, if you're doing a VPN other than IPsec, you don't need the ESP modules. So in this case just disable them or unload them. Probably just keep them unloaded. Who knows, there may be other vulnerabilities that have yet to be discovered. Always reduce your attack surface if you don't use IPsec.
And researchers at Flare wrote up a blog post rediscovering that PAM, the pluggable authentication modules in Linux, can be used to introduce backdoors. Nothing fundamentally new, but still a good reminder that this happens. So with all these vulnerabilities in Linux we're talking about, of course, the next question is: what is the attacker going to do next? And this may certainly be a point to attack once you have root access to a system, where you are modifying some of the PAM drivers or even just the configurations to either introduce backdoors or, in this case, actually capture SSH passwords. This of course is not a problem if you are using SSH secret keys because, well, the secret keys are never sent to the system. So as a result, any modification to PAM would not actually capture the secret keys. Well, it could still again introduce a backdoor, and that can be really difficult to detect unless you recognize that these PAM modules have been tampered with. So take a look at the blog post and see what they have to say about the detection part in particular.

And after we recently had a big issue with cPanel vulnerabilities, well, just a reminder that cPanel late last week released another update fixing three vulnerabilities. None of them is as critical as what we have seen a few weeks ago that was widely exploited here. The worst one is an arbitrary code execution vulnerability, but it already does require some significant privileges in order to be able to actually execute and exploit this vulnerability. So I don't see this as something that you have to patch right now, but probably another opportunity to make sure that you are patching cPanel if you're using the software, and if possible have that somehow automated.

And on Friday, Let's Encrypt did briefly stop issuing new certificates. Now, in their status update they called that this was due to a potential incident, which of course is often sort of code for breach. But that apparently is not what's happening here.
Let's Encrypt is currently in the process of moving from generation X to generation Y. This is sort of how they identify the different versions of their environment. Well, this new version of course then used different signing certificates, and apparently some of the cross-signing wasn't done correctly, which led them to suspend the issuing of certificates until they basically could roll back or fix this particular problem. Now, this currently did not affect the environment that issues most of the certificates. It was more for the short-lived and more experimental sort of environments and staging environments at this point. However, on May 13, so I think that's Wednesday, they will switch over the live environment. So in case you see any hiccups there with Let's Encrypt, well, that may be part of the problem, but everything appears to be working fine right now, even for the sort of more short-lived, like the TLS server and TLS client environments. All of that seems to be working fine right now. Well, and this is it for today. So thanks for listening, thanks for liking. I am, as I introduced, in San Diego this week. I'll be giving a talk in the evening here if anybody's interested. I think it's Wednesday, but I'll have to double check when the talk will be. If you're interested, well, let me know. Don't just show up. But if you're in the area, we can probably arrange for you to attend the talk. The talk is about the Internet Storm Center. Well, and that's it for today. Thanks and talk to you again tomorrow. Bye.
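As an added example (not from the podcast or from any vendor tooling), here is a small POSIX shell check for the mitigation the host describes: it looks for the loaded-module combination Dirty Frag needs, checks whether IPsec is actually in use before touching anything, and otherwise unloads and blacklists esp4/esp6 via modprobe. The module names rxrpc, esp4 and esp6 are the kernel's; the function names, the modprobe.d file path and the sample inputs are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the podcast's or any distribution's tooling. It checks
# whether the two modules Dirty Frag needs (rxrpc plus esp4 or esp6) are both
# loaded, whether IPsec looks like it is really in use, and, if not, unloads
# and blacklists the ESP modules as the host suggests. Module names are the
# kernel's; the check logic and the file path below are this example's own.

# Return 0 when an lsmod-style listing on stdin shows rxrpc AND esp4/esp6 loaded.
dirtyfrag_exposed() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '^rxrpc[[:space:]]' || return 1
    printf '%s\n' "$listing" | grep -Eq '^esp[46][[:space:]]' || return 1
}

# Return 0 when `ip xfrm state` output on stdin shows an ESP security association,
# i.e. this host really terminates IPsec and needs a kernel patch, not module removal.
ipsec_in_use() {
    grep -q 'proto esp'
}

# Keep esp4/esp6 from being loaded again. `install <mod> /bin/false` is the
# modprobe idiom that also blocks explicit loads; $1 is the modprobe.d fragment.
blacklist_esp_modules() {
    conf=${1:-/etc/modprobe.d/disable-esp.conf}
    {
        echo '# Dirty Frag mitigation: this host does not use IPsec'
        echo 'install esp4 /bin/false'
        echo 'install esp6 /bin/false'
    } > "$conf"
}

main() {
    if ! lsmod | dirtyfrag_exposed; then
        echo "rxrpc and esp4/esp6 are not both loaded; nothing to do"
        return 0
    fi
    if ip xfrm state 2>/dev/null | ipsec_in_use; then
        echo "vulnerable combination loaded but IPsec is in use: patch the kernel"
        return 2
    fi
    echo "vulnerable combination loaded and no IPsec: unloading esp4/esp6"
    modprobe -r esp4 esp6 2>/dev/null || true
    blacklist_esp_modules
}

# Only act when explicitly asked (needs root); sourcing the file just defines functions.
case "${1:-}" in --run) main ;; esac
```

Run it as root with `--run`; reading `ip xfrm state` also needs CAP_NET_ADMIN on most kernels, so an unprivileged run can report "no IPsec" for the wrong reason.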
Host: Johannes B. Ullrich
Main Theme: Rapid-fire updates on newly disclosed Linux privilege escalation, PAM backdoors, cPanel security fixes, and Let’s Encrypt certificate issues.
This episode delivers a concise yet comprehensive briefing on several late-breaking security issues relevant to sysadmins, Linux users, and certificate managers. Johannes focuses on a critical new Linux kernel vulnerability (“dirty frag”), the continued risk of PAM backdoors, ongoing cPanel patching, and a Let’s Encrypt service disruption with important context for users.
Background (Linux privilege escalation, “Dirty Frag”):
“We now have a second Linux privilege escalation vulnerability that again affects pretty much any Linux distribution out there going back to 2017, so about nine years back, which pretty much covers everything at this point.” (01:00)
Mitigation Recommendations:
“Always reduce your attack surface if you don’t use IPsec.” (03:05)
Attacker Techniques (PAM backdoors):
“This may certainly be a point to attack once you have root access to a system where you are modifying some of the pam drivers or even just the configurations to either introduce backdoors or...capture SSH passwords.” (03:35)
Patching Reminder (cPanel):
“Probably another opportunity to make sure that you are patching cPanel if you’re using the software and if possible have that somehow automated…” (05:05)
Incident Overview (Let’s Encrypt):
“…in their status update they called that this was due to a potential incident which of course is often sort of code for breach. But that apparently is not what's happening here.” (06:00)
Impact:
“If you see any hiccups there with Let’s Encrypt, well, that may be part of the problem, but everything appears to be working fine right now…” (06:30)
Johannes maintains his signature brisk, fact-focused delivery, blending technical details with actionable advice and practical next steps. The warnings are direct, yet measured, highlighting the importance of vigilance without alarmism.
This episode is essential listening for system administrators, security professionals, and anyone responsible for certificate or Linux infrastructure management. The “dirty frag” bug and PAM backdoor reminders underscore the need for prompt attention and continual defense in depth, while updates on cPanel and Let’s Encrypt help listeners avoid potential disruptions and maintain a proactive security posture.