Mean Servers urges all dedicated server and virtual private server customers to run a system update immediately. A critical bash vulnerability has been found that affects ALL LINUX BOXES. At this time, all customers with managed services, both on-network and off-network have had their systems patched.
If you have an unmanaged dedicated server or virtual private server you must perform this security update yourself or contact Mean Servers for a one-time security lockdown fee or to upgrade to a managed plan.
To perform the upgrade yourself, please login to your machine as root and run the following:
RedHat/CentOS/RHEL based distros:
yum update
Debian/Debian based distros:
apt-get update
Then follow the on screen prompts to complete the upgrade processes. Depending on when your system was last updated, you may have additional upgrades waiting as well.
Mean Servers recommends keeping your system updated on a regular basis, this ensures exploits that are found are closed and that your system is optimized so you can utilize your machine to it's fullest. Mean Servers offers different levels of managed services as well starting at just $29/mo to give you peace of mind and help keep your data, users, and customers safe. Contact our sales team today to inquire about our managed services.
Details from: http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. You will need to patch ASAP.
Bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished through the process environment to a child process.
The major attack vectors that have been identified in this case are HTTP requests and CGI scripts.
From Akamai:
Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh---but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.
There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details.
If you have a username in your authorization header this could also be an attack vector.
Another attack surface is OpenSSH through the use of AcceptEnv variables. As well through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad.
The race is on. Will you be able to patch before Metasploit has a working exploit?
Tod Beardsley, engineering manager from Rapid7, had this to say,
"As you might have guessed, we're busy at work putting together a Metasploit module that demonstrates the bash bug (CVE-2014-6271), as is the rest of the world of open source security contributors. I expect to see a first version today.
That said, it's difficult to write one "bash bug" exploit -- this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It's quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example -- routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed.
The module we're cooking up today will be as generic as we can make it, so people have a realistic chance of testing their devices. I expect that this will show up in more than one software package, though, so stay tuned."
Wednesday, September 24, 2014