Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

lorio


cPanelMichael

Hello,

Please ensure you update "bash" on your system:

Code:
yum update bash

You can check to see if the updated version is installed with a command such as:

Code:
rpm -qa bash

Quoted from the Red Hat Solution page for this vulnerability:

- The only way to fix it is to install updated Bash packages.
- The safest & simplest thing to do is to perform a system reboot after installing the updated package.
- Carry out the following operation if system cannot be rebooted.

/sbin/ldconfig

Useful links (includes the updated bash version numbers):

[CentOS] Critical update for bash released today.
https://access.redhat.com/solutions/1207723
Bash specially-crafted environment variables code injection attack

Thank you.
 

sOliver

I have written a short guide with instructions on how to determine what Bash version you are running and what CentOS version is installed so you can compare the data with the affected versions and patch if needed:

[Removed]

However, as PascM pointed out, even patched versions are partially affected from what I've read, so we will have to update Bash again.

I think Mac users are most affected. Apple is spending less on security research than most of the big tech companies (compared to Google or MSFT).
 

lorio

Seems like the fix is not complete and there's still security issues with bash
You're correct. It was pointed out here:
https://twitter.com/taviso/status/514887394294652929

CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
https://access.redhat.com/security/cve/CVE-2014-7169

A common attack vector for cpanel installations will be /cgi-sys/defaultwebpage.cgi on the hostname.domain.tld of every installation.
We might see a new worm crawling the internet with this bug soon.

I found a blog with more knowledge about these concrete issues than I can offer. Errata Security

More attack vectors mentioned here with more insight about the fix and why it isn't covering all holes.
lcamtuf's blog: Quick notes about the bash bug, its impact, and the fixes so far
 

Mckenzielaa

ShellShock Bug

Has anyone got any information on it yet, apart from the blog posts flying about?

A vulnerability in the Linux Bash shell may allow for an attacker to execute code on a server and open the door to other attacks taking place that could lead to the server becoming fully compromised.

Many security experts are calling this bug “bigger than Heartbleed” and it’s important that system administrators patch vulnerable systems as soon as possible.

Affected distributions include:

Red Hat Enterprise Linux (versions 4 through 7)
Fedora
CentOS (versions 5 through 7)
CloudLinux
Debian
 

autumnwalker123

Will this update be done automatically by cPanel nightly updates?
 

Reado

Re: ShellShock Bug

If a vulnerable server does not have a public IP but is connected to a network which can be accessed by the Internet, can the vulnerable server still be reached by a worm? I read reports this bug is wormable and can get behind firewalls and whatnot. If that's the case then surely nothing is safe until the bash bug is fixed?!
 

cPanelMichael

Will this update be done automatically by cPanel nightly updates?
Yes, it will update during the nightly cPanel update if you have "Operating System Package Updates" set to "Automatic" in "WHM Home » Server Configuration » Update Preferences". However, you should really update the package manually as soon as possible due to the nature of this vulnerability. Please ensure you monitor the changes published by CentOS/RedHat and update bash as soon as they have released an update for the additional attack vector.

Thank you.
 

ministero

It looks like someone is mass scanning for /cgi-sys/defaultwebpage.cgi; I've seen it in my logs too.

Here is my question: is /cgi-sys/defaultwebpage.cgi in cPanel vulnerable or not?

A lot of blogs are reporting it as vulnerable:
"Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi)" -Robert Graham
but on the same blogs I see a comment from someone supposedly from cPanel saying the file is not vulnerable:
Phil Stark said...

Our internal testing showed that /cgi-sys/defaultwebpage.cgi was not vulnerable by this exploit. It is not written in bash and does not make any calls to bash.
Where is the truth?
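A way to tell injection attempts apart from plain requests for that URL in the web logs, as an added example that is not part of the original thread: it looks for the "() {" marker from the Red Hat test string in any field of an Apache combined-format line. The sample log lines, IP addresses and function names are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread: find requests carrying the "() {" marker.

# Constructed sample lines in Apache "combined" format (documentation IPs).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 1024 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 200 512 "() { :;}; echo vulnerable" "-"
203.0.113.5 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# Reads a log on stdin; prints "<client-ip> <path> <field>" for each hit.
find_marker_requests() {
    awk -F'"' '
        # Skip lines that do not contain the function-definition marker.
        index($0, "() {") == 0 { next }
        {
            split($1, pre, " "); split($2, req, " ")
            where = "other"
            if (index($2, "() {"))      where = "request"
            else if (index($4, "() {")) where = "referer"
            else if (index($6, "() {")) where = "user-agent"
            print pre[1], req[2], where
        }'
}

# Per-client hit counts, busiest first.
summarize_sources() {
    find_marker_requests | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

sample_log | find_marker_requests
```

The last sample line requests the same CGI path with an ordinary User-Agent and is not reported, so a hit means a header or request line carried the marker, not merely that the URL was probed.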
 

lorio

I also tested /cgi-sys/defaultwebpage.cgi and did not find it vulnerable.
The scripts can be found at usr/local/cpanel/cgi-sys .

You will find e.g. /cgi-sys/entropysearch.cgi which is mentioned by Sucuri in the blog linked above.
Mostly these scripts are used via the user-accounts. But they can be called via the hostname of the whm server. They will stop executing because the user context is missing.

I haven't found any official statement by cPanel. They still will be testing and trying to patch before posting a statement.

defaultwebpage.cgi is a binary. Still too early to be sure.
 

Venomous21

I'm running centos 5.10 & bash-3.2-33.el5.1 and performed the env x test and it says I'm not vulnerable. I am 'not' running mod_security, are there any other ways to mitigate CVE-2014-7169 and when do we expect a patch for that one? They say access complexity is high for that CVE so maybe I shouldn't worry since I'm patched for CVE-2014-6271

I'm running mod_suphp, disabled shell access, disabled c compiler access, disabled php functions so hopefully that helps mitigate it as well based on the sucuri article. Thoughts?
 


Venomous21

I read all the articles in this thread. I did the env x='() { :;}; echo vulnerable' bash -c "echo this is a test" test based on the redhat article. My question is since I don't have mod_security, are there any other mitigation strategies I can use for CVE-2014-716 (which is the new CVE) with high access complexity since CVE-2014-6271 was a partial fix?
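The env x test mentioned in the posts above, wrapped so it can be run against every bash binary on a server, as an added example that is not part of the original thread. The function names are made up for illustration, and a "not vulnerable" result covers CVE-2014-6271 only, not CVE-2014-7169.

```bash
#!/bin/bash
# Added example, not from the thread. Wraps the Red Hat test quoted above.

# Classify one bash binary: prints "vulnerable", "not vulnerable" or "unknown".
check_bash_6271() {
    local shell_bin="$1" out
    [ -x "$shell_bin" ] || { echo "unknown"; return 0; }
    # x holds a function definition followed by a trailing command; a bash
    # without the CVE-2014-6271 fix runs that command while importing x.
    out=$(env x='() { :;}; echo vulnerable' "$shell_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*)       echo "vulnerable" ;;
        *"this is a test"*) echo "not vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# Report every bash listed in /etc/shells plus the one found on PATH.
report_all_bash() {
    local candidates b
    candidates=$( { grep -E '/bash$' /etc/shells 2>/dev/null; command -v bash; } | sort -u )
    for b in $candidates; do
        printf '%s\t%s\n' "$b" "$(check_bash_6271 "$b")"
    done
}

report_all_bash
```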
 

server9host

Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169

Hello,

I have one question, "cPanelCory".

Please correct me if I'm wrong. A cPanel server runs upcp every day via cron job, so this update will not be done in upcp.


Thanks