
Comments

45 comments

  • cPanelMichael
    Hello, please ensure you update "bash" on your system: yum update bash
    You can check to see if the updated version is installed with a command such as: rpm -qa bash
    Quoted from the Red Hat Solution page for this vulnerability:
    "- The only way to fix it is to install updated Bash packages.
    - The safest & simplest thing to do is to perform a system reboot after installing the updated package.
    - Carry out the following operation if the system cannot be rebooted: /sbin/ldconfig"
    Useful links (includes the updated bash version numbers): [CentOS] Critical update for bash released today. Bash specially-crafted environment variables code injection attack (http://lists.centos.org/pipermail/centos/2014-September/146099.html). Thank you.
    0
  • PascM
    Hello, it seems like the fix is not complete and there are still security issues with bash.
    0
  • sOliver
    I have written a short guide with instructions on how to determine what Bash version you are running and what CentOS version is installed so you can compare the data with the affected versions and patch if needed: [Removed] However, as PascM pointed out even patched versions are partially affected from what I've read, so we will have to update Bash again. I think Mac users are most affected. Apple is spending less on security research than most of the big tech companies (compared to Google or MSFT)
    0
  • lorio
    PascM wrote: "Seems like the fix is not complete and there's still security issues with bash"
    You're correct. It was pointed out here: A common attack vector for cPanel installations will be /cgi-sys/defaultwebpage.cgi on the hostname.domain.tld of every installation. We might see a new worm crawling the internet with this bug soon. I found a blog with more knowledge about these concrete issues than I can offer: Errata Security (http://blog.erratasec.com/). More attack vectors are mentioned here, with more insight about the fix and why it isn't covering all holes: lcamtuf's blog: Quick notes about the bash bug, its impact, and the fixes so far (http://lcamtuf.blogspot.de/2014/09/quick-notes-about-bash-bug-its-impact.html)
    0
  • kernow
    There is a useful test you can carry out after the patch is applied mentioned here:
    0
  • Mckenzielaa
    ShellShock Bug: Has anyone got any information on it yet, apart from the blog posts flying about? A vulnerability in the Linux Bash shell may allow an attacker to execute code on a server and open the door to other attacks taking place that could lead to the server becoming fully compromised. Many security experts are calling this bug "bigger than Heartbleed" and it's important that system administrators patch vulnerable systems as soon as possible. Affected distributions include:
    Red Hat Enterprise Linux (versions 4 through 7)
    Fedora
    CentOS (versions 5 through 7)
    CloudLinux
    Debian
    0
  • PlotHost
    Re: ShellShock Bug More info/links at
    0
  • autumnwalker123
    cPanelMichael wrote: "Hello, Please ensure you update "bash" on your system: yum update bash
    You can check to see if the updated version is installed with a command such as: rpm -qa bash
    Quoted from the Red Hat Solution page for this vulnerability: Useful links (includes the updated bash version numbers): [CentOS] Critical update for bash released today. Bash specially-crafted environment variables code injection attack (http://lists.centos.org/pipermail/centos/2014-September/146099.html). Thank you."
    Will this update be done automatically by cPanel nightly updates?
    0
  • Reado
    Re: ShellShock Bug If a vulnerable server does not have a public IP but is connected to a network which can be accessed by the Internet, can the vulnerable server still be reached by a worm? I read reports this bug is wormable and can get behind firewalls and what not. If that's the case then surely nothing is safe until the bash bug is fixed?!
    0
  • cPanelMichael
    autumnwalker123 wrote: "Will this update be done automatically by cPanel nightly updates?"
    Yes, it will update during the nightly cPanel update if you have "Operating System Package Updates" set to "Automatic" in "WHM Home » Server Configuration » Update Preferences". However, you should really update the package manually as soon as possible due to the nature of this vulnerability. Please ensure you monitor the changes published by CentOS/RedHat and update bash as soon as they have released an update for the additional attack vector. Thank you.
    0
  • ministero
    It looks like someone is mass scanning for /cgi-sys/defaultwebpage.cgi; I've seen it in my logs too. Here is my question: is /cgi-sys/defaultwebpage.cgi in cPanel vulnerable or not? A lot of blogs are reporting it as vulnerable:
    "Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi)" -Robert Graham
    but on the same blogs I see a comment from someone supposedly from cPanel saying the file is not vulnerable:
    "Phil Stark said... Our internal testing showed that /cgi-sys/defaultwebpage.cgi was not vulnerable by this exploit. It is not written in bash and does not make any calls to bash."
    Where is the truth?
    0
  • jhawkins003
    Sucuri has posted an update today specifically focusing on cPanel exploitability on unpatched systems. Thought it worth adding to the thread: Website Security - Bash "Shell Shock" Vulnerability Impacts CPANEL Users | Sucuri Blog (http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html)
    0
  • quizknows
    I also tested /cgi-sys/defaultwebpage.cgi and did not find it vulnerable. In addition to updating bash on my systems, I have implemented the modsecurity rules recommended by redhat and find them to be effective.
    0
  • lorio
    quizknows wrote: "I also tested /cgi-sys/defaultwebpage.cgi and did not find it vulnerable."
    The scripts can be found at /usr/local/cpanel/cgi-sys. You will find e.g. /cgi-sys/entropysearch.cgi, which is mentioned by Sucuri in the blog linked above. Mostly these scripts are used via the user accounts, but they can be called via the hostname of the WHM server. They will stop executing because the user context is missing. I haven't found any official statement by cPanel. They will still be testing and trying to patch before posting a statement. defaultwebpage.cgi is a binary. Still too early to be sure.
    0
  • Venomous21
    I'm running centos 5.10 & bash-3.2-33.el5.1 and performed the env x test and it says I'm not vulnerable. I am 'not' running mod_security, are there any other ways to mitigate CVE-2014-7169 and when do we expect a patch for that one? They say access complexity is high for that CVE so maybe I shouldn't worry since I'm patched for CVE-2014-6271 I'm running mod_suphp, disabled shell access, disabled c compiler access, disabled php functions so hopefully that helps mitigate it as well based on the sucuri article. Thoughts?
    0
  • lorio
    Venomous21 wrote: "I'm running centos 5.10 & bash-3.2-33.el5.1 and performed the env x test and it says I'm not vulnerable."
    What is your question? Post the code of your test. Did you try the one mentioned here?
    0
  • Venomous21
    I read all the articles in this thread. I did the env x='() { :;}; echo vulnerable' bash -c "echo this is a test" test based on the Red Hat article. My question is: since I don't have mod_security, are there any other mitigation strategies I can use for CVE-2014-7169 (which is the new CVE) with high access complexity, since CVE-2014-6271 was a partial fix?
    0
  • Venomous21
    Red Hat released the fix for CVE-2014-7169.
    0
  • server9host
    Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 Hello, I have one question, "cPanelCory"; please correct me if I'm wrong. A cPanel server runs upcp every day via a cron job, so this update will not be done in upcp. Thanks
    0
  • eva2000
    Already available for me: the 2nd bash update is available for CVE-2014-7169.
    CentOS 6
    yum list bash -q
    Installed Packages
    bash.x86_64 4.1.2-15.el6_5.1 @updates
    Available Packages
    bash.x86_64 4.1.2-15.el6_5.2 updates
    CentOS 7
    yum list bash -q
    Installed Packages
    bash.x86_64 4.2.45-5.el7 @anaconda
    Available Packages
    bash.x86_64 4.2.45-5.el7_0.4 updates
    CentOS 6
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 Ondrej Oprala - 4.1.2-15.2
    - CVE-2014-7169
    Resolves: #1146322
    * Mon Sep 15 2014 Ondrej Oprala
    CentOS 7
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 Ondrej Oprala - 4.2.45-5.4
    - CVE-2014-7169
    Resolves: #1146324
    * Thu Sep 25 2014 Ondrej Oprala - 4.2.45-5.3
    - amend patch to match upstream's
    Related: #1146324
    * Mon Sep 15 2014 Ondrej Oprala
    For those using Oracle Linux 6.5
    yum list bash -q
    Installed Packages
    bash.x86_64 4.1.2-15.el6_5.1.0.1 @ol6_latest
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 John Haxby - 4.1.2-15.1.0.1
    - Preliminary fix for CVE-2014-7169
    * Mon Sep 15 2014 Ondrej Oprala
    0
  • Venomous21
    CentOS is pushing out the updates. For CentOS 5.10 x86_64: bash.x86_64 0:3.2-33.el5_10.4
    0
  • Venomous21
    So I tried that test from the earlier Red Hat security article again, but this time for the latest bash I installed above, and the behavior is different. Not sure if that matters or not, but thought I'd mention it.
    root@asdf [/var/log]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test
    0
  • kernow
    Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 ........snip
    Quoting the announcement: "and the system rebooted,"
    I thought this was not required? Please confirm.
    0
  • arabgenius
    Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 Hello, I have CentOS 6.5 and my bash version was bash-4.1.2-15.el6_5.1.x86_64. Then I ran yum update and it updated my bash to bash-4.1.2-15.el6_5.2.x86_64. Do I need to restart? Should I update anything else, and how do I update it?
    0
  • mageshm
    Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 @arabgenius, bash-4.1.2-15.el6_5.1.x86_64 is the updated bash only, so don't worry about it. - Removed -
    0
  • Squiz
    My version: bash-4.1.2-15.el6_5.2.x86_64
    Exploit 1 (CVE-2014-6271), Test 1:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test
    Exploit 2 (CVE-2014-7169), Test 2:
    env X='() { (a)=>\' sh -c "echo date"; cat echo
    date
    Fri Sep 26 10:06:20 BST 2014
    So with this latest update it seems I'm still vulnerable. Also when I use the tester on
    0
  • Squiz
    Also if I check with the following tests it says I am not vulnerable: But
    0
  • Squiz
    0
  • Squiz
    My bad...I had the wrong permissions set on the test cgi file. All tests come back as not vulnerable, so the latest patch must work.
    0
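The two manual checks Squiz ran above, wrapped into functions so a host can be verified after "yum update bash" and the verdict pasted into a ticket. This is an added example, not code from the thread or from cPanel; it assumes bash and mktemp are installed and uses rpm only where it exists.

```shell
#!/bin/sh
# Added example (not from the thread): each check returns 0 when the host is
# NOT vulnerable, 1 when the crafted variable is executed, 2 if the check
# itself could not run (no bash, no scratch directory).

# CVE-2014-6271: the command appended after the function body in an exported
# variable must not run, so "vulnerable" must never appear in the output.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: on a bash carrying only the first fix, the crafted variable
# is mis-parsed into a redirection and a file literally named "echo" appears
# in the working directory. Run the test in a scratch directory and look for
# that file instead of cat-ing it as the thread does.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" ) >/dev/null 2>&1
    if [ -e "$tmp/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# One-line verdict per CVE plus the installed package version that the thread
# compares against the fixed builds. Exit status is non-zero if anything failed.
shellshock_report() {
    status=0
    if check_cve_2014_6271; then
        echo "CVE-2014-6271: not vulnerable"
    else
        echo "CVE-2014-6271: VULNERABLE or check failed"; status=1
    fi
    if check_cve_2014_7169; then
        echo "CVE-2014-7169: not vulnerable"
    else
        echo "CVE-2014-7169: VULNERABLE or check failed"; status=1
    fi
    # rpm -q on RHEL/CentOS; fall back to the binary's own banner elsewhere.
    rpm -q bash 2>/dev/null || bash --version 2>/dev/null | head -n1
    return $status
}

# Usage: . ./shellshock_check.sh && shellshock_report
```

A host that passes both checks but still shows the pre-fix package version (for example 4.1.2-15.el6_5.1 rather than .2) has most likely not reloaded the new binary in long-running services; the thread's advice to reboot or at least restart those services still applies.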
  • cPanelMichael
    The official announcement from the cPanel security team is available at: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 | cPanel, Inc. (http://cpanel.net/cpanel-security-team-bash-cve-2014-6217-and-cve-2014-7169/) Thank you.
    0
