Quick Warning:
To those that run your own webservers, and to Mac OS X users: if you haven’t already heard, there is a critical exploit out now called SHELLSHOCK that exploits a flaw in “bash”, the primary command line shell of Unix-type operating systems (Linux, *BSD, Mac OS X). An environment variable can be used to execute a command.
This exploit can also be triggered remotely by making a specially crafted request to most webservers that run on Linux or *BSD.
To determine if your server is exploitable, run this command; if it prints “vulnerable”, you should upgrade/patch your system:
env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
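The one-liner above tells you the answer for the machine you are sitting on. As an added example (not from the original post), here is a small POSIX sh wrapper around that same probe, assumed to be saved as shellshock_check.sh, that turns the result into a verdict and an exit code so it can be run across a fleet or from monitoring. The verdict rules come from the outputs shown in this post; note that a patched bash either prints the “ignoring function definition attempt” warning or, in later releases that changed the import format, prints nothing at all, and both mean the trailing command was not executed.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the post's one-line
# Shellshock probe in a script (assumed name: shellshock_check.sh) that
# returns an exit code, so it can be run across a fleet or from monitoring.
#
# Verdict rules, taken from the outputs the post shows:
#   probe prints "vulnerable"   -> VULNERABLE      (exit 1)
#   anything else               -> NOT_VULNERABLE  (exit 0)
#   bash not installed          -> UNKNOWN         (exit 2)
# A patched bash either warns ("ignoring function definition attempt") or,
# in later releases that changed the import format, prints nothing at all;
# both mean the trailing command was not executed.

# classify_output OUTPUT
# Maps the probe's combined stdout+stderr to a verdict. Kept separate from
# the probe itself so it can be tested with constructed output.
classify_output() {
    case "$1" in
        *vulnerable*) echo VULNERABLE ;;
        *)            echo NOT_VULNERABLE ;;
    esac
}

# probe_bash
# Runs the post's test: the variable holds a function definition followed by
# a trailing command. A vulnerable bash executes that trailing command while
# importing the function; a fixed bash does not.
probe_bash() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "UNKNOWN (bash not installed)"
        return 2
    fi
    out=$(env var='() { ignore this;}; echo vulnerable' bash -c /bin/true 2>&1)
    verdict=$(classify_output "$out")
    echo "$verdict ($(bash --version | head -n 1))"
    [ "$verdict" = NOT_VULNERABLE ]
}

# Report and exit with the verdict's code when run directly
# (sh shellshock_check.sh); sourcing the file only defines the functions.
case "$0" in
    *shellshock_check*) probe_bash ;;
esac
```

Run it with `sh shellshock_check.sh` and check `$?`: 0 means the trailing command was not executed, 1 means it was (patch now), 2 means bash was not found. Because the classifier only looks for the literal word the probe would print, it is not fooled by the extra warning lines a freshly patched bash emits.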
To upgrade, if your webserver runs:
* Ubuntu, run
sudo apt-get upgrade
http://www.ubuntu.com/usn/usn-2362-1/
* CentOS/Red Hat, run as root or via sudo
yum update bash ; /sbin/ldconfig
https://rhn.redhat.com/errata/RHSA-2014-1293.html
This is what patching will look like:
[jk-47@server-234 ~]$ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
vulnerable
[jk-47@server-234 ~]$ yum update bash
Loaded plugins: fastestmirror
You need to be root to perform this command.
[jk-47@server-234 ~]$ sudo yum update bash
base                                                     | 3.7 kB     00:00
extras                                                   | 3.3 kB     00:00
extras/primary_db                                        |  19 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 5.3 MB     00:00
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================
 Package           Arch             Version                    Repository          Size
================================================================================================================================
Updating:
 bash              x86_64           4.1.2-15.el6_5.1           updates            905 k

Transaction Summary
================================================================================================================================
Upgrade       1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.1.x86_64                                   1/2
  Cleanup    : bash-4.1.2-15.el6_4.x86_64                                     2/2
  Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                   1/2
  Verifying  : bash-4.1.2-15.el6_4.x86_64                                     2/2

Updated:
  bash.x86_64 0:4.1.2-15.el6_5.1

Complete!
[jk-47@server-234 ~]$ sudo /sbin/ldconfig
[jk-47@server-234 ~]$ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for `var'
--- here we can see that we are no longer vulnerable
As for SAN vendors:
NetApp’s statement and affected products:
Direct link to the information: https://library.netapp.com/ecm/ecm_get_file/ECMP1655016
Actual list of vulnerabilities: http://mysupport.netapp.com/NOW/knowledge/docs/olio/scanner_results/
Process to stay informed: http://www.netapp.com/us/legal/vulnerability-handling-response-policy.aspx
PureStorage:
The Shellshock bug is fixed in 4.0.12; please open a ticket and Support will upgrade you.
Nimble:
Nimble uses BusyBox in its jailed CLI. There may be ways to escape the CLI via other escalations, but it is not directly SHELLSHOCKable via the CLI. I am not sure what user/space their webserver instance runs under, so I am unsure whether they can be exploited via the typical http-header[Cookie]/http-header[Host]/http-header[Referer] tricks.
RedHat Clustered Storage Server:
Yes, you are at risk in most versions. Run yum -y update bash to fix it.
EMC:
See support tech note: https://emc–c.na5.visual.force.com/apex/KB_Non_ESA_Security?id=kA4700000008OfN
Those I know to be affected: Atmos, Avamar, Centera, CLARiion (ALL), Celerra (ALL), DataDomain (ALL), Isilon OneFS (ALL), PowerPath Virtual Appliance 1.2.x, RecoverPoint (ALL), Unisphere 2-3.5.1SP1, Unisphere for VMAX, ViPR, VBA, VNX/VNX2/VNXe, VPLEX < 5.4, XtremIO 2.4.1 & 3.0.0
Windows users, don’t think you are immune! You have had a DOS variable exploit of the same type for years: a command embedded in a variable with an escaped ampersand runs as soon as the variable is expanded.
C:\Users\jk-47>set windowssucks=wtf^&ping -n 3 8.8.8.8

C:\Users\jk-47>echo %windowssucks%
wtf

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=81ms TTL=128
Reply from 8.8.8.8: bytes=32 time=35ms TTL=128
Reply from 8.8.8.8: bytes=32 time=39ms TTL=128

Ping statistics for 8.8.8.8:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 81ms, Average = 51ms