CVE-2014-7169: Shellshock bug

Date

25-09-2014

Affected Product

Webmin service on port 10000

Background

Bash supports exporting not just shell variables but also shell functions to other bash instances, via the process environment to (indirect) child processes. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

An environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing
trailing commands.

Details

Shellshock affects bash 4.3 and before specifically through scripts that can be executed on the webserver through cgi-scripts. Nervepoint Access Manager uses a java webserver and so do not process or use cgi-scripts (this is used by php and perl code).

So there is no way for users to take advantage of your server through Access Manager.

However we do use a version of bash and the likelihood is that webmin does use this and can be a point of script execution since it runs on a separate webserver that is not java based. But as we always state this service running on port 10000 must always be firewalled so its only accessible internally.

Resolution

Users 1.1 using an LTS version of Ubuntu 10.04, 12.04, 14.04 an update is available and should come down as part of your standard security updates, more details here, USN-2363-1.

Users on the 1.2 branch using Debian 7.6 (wheezy) an update is available and should come down as part of your standard security updates, more details here, DSA-3035-1.

 

Have more questions? Submit a request

Comments

Powered by Zendesk