A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code to environment variables used by the operating system. We became aware of the issue once it was announced and analysed the impact.

Due to our strong security policies, the exposure is much more limited for most of our clients. Nevertheless, the team was on hand to apply the patch immediately once it was released on the 24th September 2014. Once it was clear that the patch was incomplete, we continued to stay on top of the issue and patched all servers for the 2nd time the next day.
 
Description

GNU Bash versions 1.14 through 4.3 contain a flaw: Bash processes commands placed after function definitions in the values of environment variables. This allows remote attackers to execute arbitrary code via a crafted environment and enables network-based exploitation.

Critical instances where the vulnerability may be exposed include:

  •     Apache HTTP Server using mod_cgi or mod_cgid, where CGI scripts are either written in Bash or spawn subshells.
  •     The ForceCommand feature in OpenSSH sshd, and the limited protection some Git and Subversion deployments use to restrict shells, which can be overridden or bypassed to gain arbitrary command execution.
  •     DHCP client machines, various daemons and SUID/privileged programs, on which arbitrary commands can be made to run.
  •     Servers and other Unix and Linux devices reachable via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
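
For the Web request case, mod_cgi passes request headers to CGI scripts as environment variables, so access logs can be reviewed for header values shaped like a function definition. The script below is an added example, not part of the original announcement: it assumes Apache's "combined" log format, the function names `sample_log` and `scan_log` are hypothetical, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: flag access-log entries whose Referer or User-Agent value
# begins with a Bash function definition, "() {".
# Assumptions: Apache "combined" log format; header values contain no
# escaped double quotes. The sample lines below are constructed.

sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 80 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:03:45 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "() { x; }; echo probe" "curl/7.30"
203.0.113.5 - - [25/Sep/2014:10:09:00 +0000] "GET /docs/f() HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux)"
EOF
}

# Reads log lines from the named files, or from stdin when none are given.
# Prints one line per hit: client address, matching header(s), request line.
scan_log() {
    awk -F'"' '
    # True when the value starts with "() {", allowing optional whitespace.
    function fn_shaped(v) { return v ~ /^[ \t]*[(][)][ \t]*[{]/ }
    {
        # Splitting on double quotes: $2 request, $4 Referer, $6 User-Agent.
        split($1, pre, " ")
        hit = ""
        if (fn_shaped($4)) hit = "referer"
        if (fn_shaped($6)) hit = (hit == "" ? "" : hit ",") "user-agent"
        if (hit != "") printf "%s %s %s\n", pre[1], hit, $2
    }' "$@"
}

# Run against the constructed sample; pass real log files to scan_log instead.
sample_log | scan_log
```

Only headers recorded by the log format are covered, so a clean result narrows the review rather than closing it.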

 
Impact

This vulnerability is classified by industry standards as “High” impact. However, out of the few possibilities mentioned above, our servers with our default security policy are not vulnerable to most of them. Due to the speed with which we patched the systems under management, the time the exploit was in the wild was very limited, and we are confident that no exploit happened as a result of this bug.

Saturday, September 27, 2014
