Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

[lorio]

Attackvector: e.g limited SSH accounts or URL via Apache CGI.
Not sure if suPHP would prevent attack.
Always good to disable PHP functions like system() or exec().

https://access.redhat.com/solutions/1207723
https://access.redhat.com/articles/1200223
[CentOS-announce] CESA-2014:1293 Critical CentOS 6 bash Security Update

 

[cPanelMichael]

Hello,

Please ensure you update "bash" on your system:

yum update bash

You can check to see if the updated version is installed with a command such as:

rpm -qa bash

Quoted from the Red Hat Solution page for this vulnerability:

- The only way to fix it is to install updated Bash packages.
- The safest & simplest thing to do is to perform a system reboot after installing the updated package.
- Carry out the following operation if system cannot be rebooted.

/sbin/ldconfig

Useful links (includes the updated bash version numbers):

[CentOS] Critical update for bash released today.
https://access.redhat.com/solutions/1207723
Bash specially-crafted environment variables code injection attack

Thank you.

 

[PascM]

Hello,

Seems like the fix is not complete and there's still security issues with bash

 

[sOliver]

I have written a short guide with instructions on how to determine what Bash version you are running and what CentOS version is installed so you can compare the data with the affected versions and patch if needed:

[Removed]

However, as PascM pointed out even patched versions are partially affected from what I've read, so we will have to update Bash again.

I think Mac users are most affected. Apple is spending less on security research than most of the big tech companies (compared to Google or MSFT)

 

[lorio]

Seems like the fix is not complete and there's still security issues with bash

You're correct. It was pointed out here:
https://twitter.com/taviso/status/514887394294652929

CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
https://access.redhat.com/security/cve/CVE-2014-7169

A common attack vector for cpanel installations will be /cgi-sys/defaultwebpage.cgi on the hostname.domain.tld of every installation.
We might see a new worm crawling the internet with this bug soon.

I found a blog with more knowledge about these concrete issued than I can offer. Errata Security

More attack vectors mentioned here with more insight about the fix and why it isn't covering all holes.
lcamtuf's blog: Quick notes about the bash bug, its impact, and the fixes so far

 

[kernow]

There is a useful test you can carry out after the patch is applied mentioned here: https://securityblog.redhat.com/201...-environment-variables-code-injection-attack/

 

[Mckenzielaa]

ShellShock Bug

Has anyone got any information on it yet, Apart from the blog posts flying about.

A vulnerability in the linux Bash shell may allow for an attacker to execute code on a server and open the door to other attacks taking place that could lead to the server becoming fully compromised.

Many security experts are calling this bug “bigger than Heartbleed” and it’s important that system administrators patch vulnerable systems as soon as possible.

Affected distributions include:

Red Hat Enterprise Linux (versions 4 through 7)
Fedora
CentOS (versions 5 through 7)
CloudLinux
Debian

 

[PlotHost]

Re: ShellShock Bug

More info/links at https://www.webhostingtalk.com/showthread.php?t=1414839

 

[autumnwalker123]

Hello,

Please ensure you update "bash" on your system:

yum update bash

You can check to see if the updated version is installed with a command such as:

rpm -qa bash

Quoted from the Red Hat Solution page for this vulnerability:




Useful links (includes the updated bash version numbers):

[CentOS] Critical update for bash released today.
https://access.redhat.com/solutions/1207723
Bash specially-crafted environment variables code injection attack

Thank you.

Will this update be done automatically by cPanel nightly updates?

 

[Reado]

Re: ShellShock Bug

If a vulnerable server does not have a public IP but is connected to a network which can be accessed by the Internet, can the vulnerable server still be reached by a worm? I read reports this bug is wormable and can get behind firewalls and what not. If that's the case then surely nothing is safe until the bash bug is fixed?!

 

[cPanelMichael]

Will this update be done automatically by cPanel nightly updates?

Yes, it will update during the nightly cPanel update if you have "Operating System Package Updates" set to "Automatic" in "WHM Home » Server Configuration » Update Preferences". However, you should really update the package manually as soon as possible due to the nature of this vulnerability. Please ensure you monitor the changes published by CentOS/RedHat and update bash as soon as they have released an update for the additional attack vector.

Thank you.

 

[ministero]

It looks like someone is mass scanning for /cgi-sys/defaultwebpage.cgi , i've seen it in my logs too.

Here is my question: /cgi-sys/defaultwebpage.cgi in cpanel is vulnerable or not?

A lot of blogs are reporting it as vulnerable:

"Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi)" -Robert Graham

but on the same blogs i see a comment from someone supposedly from CPanel saying the file is not vulnerable:

Phil Stark said...

Our internal testing showed that /cgi-sys/defaultwebpage.cgi was not vulnerable by this exploit. It is not written in bash and does not make any calls to bash.

Where is the truth?

 

[jhawkins003]

Securi has posted an update today specifically focusing on cPanel exploitability on unpatched systems. Thought it worth adding to the thread.

Website Security - Bash "Shell Shock" Vulnerability Impacts CPANEL Users | Sucuri Blog

 

[quizknows]

I also tested /cgi-sys/defaultwebpage.cgi and did not find it vulnerable.

In addition to updating bash on my systems, I have implemented the modsecurity rules recommended by redhat and find them to be effective.

https://access.redhat.com/articles/1200223

 

[lorio]

I also tested /cgi-sys/defaultwebpage.cgi and did not find it vulnerable.

The scripts can be found at usr/local/cpanel/cgi-sys .

You will find e.g. /cgi-sys/entropysearch.cgi which is mentioned by Securi in the blog linked above.
Mostly these scripts are used via the user-accounts. But they can be called via the hostname of the whm server. The will stop executing because the user context is missing.

I haven't found any official statement by cpanel. They still will be testing and trying to patch before posting an statement.

defaultwebpage.cgi is a binary. Still too early to be sure.

 

[Venomous21]

I'm running centos 5.10 & bash-3.2-33.el5.1 and performed the env x test and it says I'm not vulnerable. I am 'not' running mod_security, are there any other ways to mitigate CVE-2014-7169 and when do we expect a patch for that one? They say access complexity is high for that CVE so maybe I shouldn't worry since I'm patched for CVE-2014-6271

I'm running mod_suphp, disabled shell access, disabled c compiler access, disabled php functions so hopefully that helps mitigate it as well based on the sucuri article. Thoughts?

 

[lorio]

I'm running centos 5.10 & bash-3.2-33.el5.1 and performed the env x test and it says I'm not vulnerable.

What is your question? Post the code of your test. Did you try the one mentioned here https://twitter.com/taviso/status/514887394294652929 ?

 

[Venomous21]

I read all the articles in this thread. I did the env x='() { :;}; echo vulnerable' bash -c "echo this is a test" test based on the redhat article. My question is since I don't have mod_security, are there any other mitigation strategies I can use for CVE-2014-716 (which is the new CVE) with high access complexity since CVE-2014-6271 was a partial fix?

 

[Venomous21]

redhat released the fix for CVE-2014-716

https://rhn.redhat.com/errata/RHSA-2014-1306.html

How long does it usually take CentOS to release it?

 

[server9host]

Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169

Hello,

I have one question "cPanelCory "

please clear me if I wrong. In cpanel server run upcp every day via cron job,so this update will not done in upcp.


Thanks