The Community Forums

Interact with an entire community of cPanel & WHM users!

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

Discussion in 'Security' started by lorio, Sep 24, 2014.

  1. lorio

    lorio Well-Known Member

    Joined:
    Feb 25, 2004
    Messages:
    243
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    #1 lorio, Sep 24, 2014
    Last edited: Sep 24, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Please ensure you update "bash" on your system:

    Code:
    yum update bash
    You can check to see if the updated version is installed with a command such as:

    Code:
    rpm -qa bash
    Quoted from the Red Hat Solution page for this vulnerability:


    Useful links (includes the updated bash version numbers):

    [CentOS] Critical update for bash released today.
    https://access.redhat.com/solutions/1207723
    Bash specially-crafted environment variables code injection attack

    Thank you.
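An added example, not from the thread and not cPanel's or Red Hat's own code: a small POSIX shell script that reports which bash is installed (from the binary and, where rpm exists, from the package database) and then runs the environment-variable function-import test from the Red Hat solution page linked above, so an administrator can confirm that `yum update bash` actually took effect. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): show which bash is installed
# and run the CVE-2014-6271 environment-variable test against it.

# Version string reported by the bash binary itself.
bash_version() {
    bash -c 'printf "%s\n" "$BASH_VERSION"'
}

# Package version from the RPM database; prints nothing on non-RPM systems.
bash_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash 2>/dev/null || true
    fi
}

# The function-import test: a vulnerable bash parses the value of x as a
# function definition and keeps executing past its closing brace, so the
# trailing "echo vulnerable" runs. A patched bash ignores the definition
# (it may print a warning on stderr) and only "this is a test" appears.
# Prints "vulnerable" or "patched".
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

main() {
    echo "bash binary:  $(bash_version)"
    pkg=$(bash_package)
    if [ -n "$pkg" ]; then
        echo "bash package: $pkg"
    fi
    echo "CVE-2014-6271 function-import test: $(check_cve_2014_6271)"
}

main
```

Run it before and after the update; the package line should change to the fixed build and the last line should go from "vulnerable" to "patched". A "patched" result covers only the original CVE-2014-6271 test and says nothing about the incomplete-fix follow-up discussed later in the thread.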
     
  3. PascM

    PascM Member

    Joined:
    Jun 2, 2012
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    127.0.0.1
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Seems like the fix is not complete and there are still security issues with bash.
     
  4. sOliver

    sOliver Active Member

    Joined:
    Oct 25, 2010
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    I have written a short guide with instructions on how to determine what Bash version you are running and what CentOS version is installed so you can compare the data with the affected versions and patch if needed:

    [Removed]

    However, as PascM pointed out even patched versions are partially affected from what I've read, so we will have to update Bash again.

    I think Mac users are most affected. Apple is spending less on security research than most of the big tech companies (compared to Google or MSFT)
     
    #4 sOliver, Sep 25, 2014
    Last edited by a moderator: Sep 25, 2014
  5. lorio

    lorio Well-Known Member

    Joined:
    Feb 25, 2004
    Messages:
    243
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    You're correct. It was pointed out here:
    https://twitter.com/taviso/status/514887394294652929

    CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
    https://access.redhat.com/security/cve/CVE-2014-7169

    A common attack vector for cpanel installations will be /cgi-sys/defaultwebpage.cgi on the hostname.domain.tld of every installation.
    We might see a new worm crawling the internet with this bug soon.

    I found a blog with more knowledge about these concrete issues than I can offer: Errata Security

    More attack vectors are mentioned here, with more insight into the fix and why it doesn't cover all the holes.
    lcamtuf's blog: Quick notes about the bash bug, its impact, and the fixes so far
     
    #5 lorio, Sep 25, 2014
    Last edited: Sep 25, 2014
  6. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  7. Mckenzielaa

    Mckenzielaa Member

    Joined:
    Jul 10, 2014
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    ShellShock Bug

    Has anyone got any information on it yet, apart from the blog posts flying about?

    A vulnerability in the Linux Bash shell may allow an attacker to execute code on a server and open the door to other attacks that could lead to the server becoming fully compromised.

    Many security experts are calling this bug “bigger than Heartbleed” and it’s important that system administrators patch vulnerable systems as soon as possible.

    Affected distributions include:

    Red Hat Enterprise Linux (versions 4 through 7)
    Fedora
    CentOS (versions 5 through 7)
    CloudLinux
    Debian
     
  8. PlotHost

    PlotHost Well-Known Member

    Joined:
    Apr 29, 2011
    Messages:
    253
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    US
    cPanel Access Level:
    Root Administrator
  9. autumnwalker123

    autumnwalker123 Active Member

    Joined:
    Jan 19, 2014
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Will this update be done automatically by cPanel nightly updates?
     
  10. Reado

    Reado Well-Known Member

    Joined:
    Sep 8, 2009
    Messages:
    161
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    United Kingdom
    cPanel Access Level:
    DataCenter Provider
    Re: ShellShock Bug

    If a vulnerable server does not have a public IP but is connected to a network which can be accessed by the Internet, can the vulnerable server still be reached by a worm? I read reports this bug is wormable and can get behind firewalls and what not. If that's the case then surely nothing is safe until the bash bug is fixed?!
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Yes, it will update during the nightly cPanel update if you have "Operating System Package Updates" set to "Automatic" in "WHM Home » Server Configuration » Update Preferences". However, you should really update the package manually as soon as possible due to the nature of this vulnerability. Please ensure you monitor the changes published by CentOS/RedHat and update bash as soon as they have released an update for the additional attack vector.

    Thank you.
     
  12. ministero

    ministero Registered

    Joined:
    Oct 10, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    It looks like someone is mass scanning for /cgi-sys/defaultwebpage.cgi; I've seen it in my logs too.

    Here is my question: is /cgi-sys/defaultwebpage.cgi in cPanel vulnerable or not?

    A lot of blogs are reporting it as vulnerable:
    but on the same blogs I see a comment from someone supposedly from cPanel saying the file is not vulnerable:
    Where is the truth?
     
  13. jhawkins003

    jhawkins003 Member

    Joined:
    Jun 24, 2014
    Messages:
    12
    Likes Received:
    2
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
  14. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I also tested /cgi-sys/defaultwebpage.cgi and did not find it vulnerable.

    In addition to updating bash on my systems, I have implemented the modsecurity rules recommended by redhat and find them to be effective.

    https://access.redhat.com/articles/1200223
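As an added example (not from the thread, and not Red Hat's or cPanel's code), here is a POSIX shell log check that applies, after the fact, the same idea the Red Hat mod_security rules are built on: a bash function definition, the `() {` prefix, appearing in a request header. It flags matching access-log lines, counts them and lists the source addresses, which separates the defaultwebpage.cgi probing ministero noticed from ordinary hits on the same URL. The log lines are constructed for the demonstration with harmless payloads, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Red Hat or cPanel): find access-log
# entries whose request fields carry a bash function definition ("() {"),
# the marker every CVE-2014-6271 probe has to send to reach a CGI script.

# Constructed combined-format log lines. The last two carry the "() {"
# prefix in the user-agent and referer fields; the payloads are harmless.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [25/Sep/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.8 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :; }; /bin/true" "curl/7.30.0"
EOF

# Print every line containing "()" followed by "{", allowing the optional
# whitespace scanners varied. Parentheses and brace are escaped so the ERE
# treats them literally.
scan_shellshock_log() {
    grep -E '\([[:space:]]*\)[[:space:]]*\{' "$1"
}

# Number of flagged lines (0 when grep finds nothing).
shellshock_hits() {
    scan_shellshock_log "$1" | wc -l | tr -d ' '
}

# Distinct client addresses behind the flagged lines (first log field).
shellshock_sources() {
    scan_shellshock_log "$1" | awk '{ print $1 }' | sort -u
}

echo "Flagged requests: $(shellshock_hits "$SAMPLE_LOG")"
echo "Sources:"
shellshock_sources "$SAMPLE_LOG"
```

Point `scan_shellshock_log` at the real Apache or cPanel access logs to review history; the plain request to defaultwebpage.cgi on the second line is deliberately not flagged, since the URL alone is not evidence of an exploit attempt.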
     
  15. lorio

    lorio Well-Known Member

    Joined:
    Feb 25, 2004
    Messages:
    243
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    The scripts can be found at /usr/local/cpanel/cgi-sys.

    You will find e.g. /cgi-sys/entropysearch.cgi, which is mentioned by Sucuri in the blog linked above.
    Mostly these scripts are used via the user accounts. But they can be called via the hostname of the WHM server. They will stop executing because the user context is missing.

    I haven't found any official statement by cPanel. They will still be testing and trying to patch before posting a statement.

    defaultwebpage.cgi is a binary. Still too early to be sure.
     
    #15 lorio, Sep 25, 2014
    Last edited: Sep 25, 2014
  16. Venomous21

    Venomous21 Well-Known Member

    Joined:
    Jun 28, 2012
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I'm running CentOS 5.10 & bash-3.2-33.el5.1 and performed the env x test and it says I'm not vulnerable. I am 'not' running mod_security; are there any other ways to mitigate CVE-2014-7169, and when do we expect a patch for that one? They say access complexity is high for that CVE, so maybe I shouldn't worry since I'm patched for CVE-2014-6271.

    I'm running mod_suphp, disabled shell access, disabled c compiler access, disabled php functions so hopefully that helps mitigate it as well based on the sucuri article. Thoughts?
     
  17. lorio

    lorio Well-Known Member

    Joined:
    Feb 25, 2004
    Messages:
    243
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    What is your question? Post the code of your test. Did you try the one mentioned here https://twitter.com/taviso/status/514887394294652929 ?
     
  18. Venomous21

    Venomous21 Well-Known Member

    Joined:
    Jun 28, 2012
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I read all the articles in this thread. I did the env x='() { :;}; echo vulnerable' bash -c "echo this is a test" test based on the Red Hat article. My question is, since I don't have mod_security, are there any other mitigation strategies I can use for CVE-2014-7169 (which is the new CVE) with high access complexity, since CVE-2014-6271 was a partial fix?
     
  19. Venomous21

    Venomous21 Well-Known Member

    Joined:
    Jun 28, 2012
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
  20. server9host

    server9host Well-Known Member

    Joined:
    Sep 18, 2013
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169

    Hello,

    I have one question, "cPanelCory".

    Please correct me if I'm wrong. A cPanel server runs upcp every day via a cron job, so this update will not be done in upcp.

    Thanks
     