This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bash security vulnerbility

Hey Everyone,

With the new news (SHELL SHOCK: Bash bug blows holes in Unix, Linux, OS X systems) about the bash shell today do we know if and when Sophos is going to release a patch for this?  

I apologize if I'm posting this in the wrong section but well none of the other sections looked like this belonged in there.  Thanks.


This thread was automatically locked due to age.
Parents
  • On UTM 9.x, httpd runs in chrooted jail. Nevertheless, CGI is enabled in WebAdmin and bash is the default shell for httpd processes.

    utm:/root # grep -i cgi `find /var/sec/chroot-httpd/ -name '*.conf' 2> /dev/null`
    
    /var/sec/chroot-httpd/etc/httpd/vhost/httpd-webadmin.conf:    Options Followsymlinks ExecCGI
    /var/sec/chroot-httpd/etc/httpd/vhost/httpd-webadmin.conf:    AddHandler fcgid-script .plx
    /var/sec/chroot-httpd/etc/httpd/httpd.conf[:D]irectoryIndex index.plx redirect.cgi
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:# mod_fcgid
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:LoadModule fcgid_module /usr/libexec/apache2/mod_fcgid.so
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidMaxProcesses 10
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidMaxRequestLen 536870912
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidBusyTimeout 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidErrorScanInterval 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidConnectTimeout 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidIOTimeout 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidSpawnScoreUpLimit 100
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidMaxProcessesPerClass 100
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidSpawnScore 0
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidTerminationScore 0
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidIPCDir /tmp/sock
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidProcessTableFile /tmp/fcgid_shm
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:AddHandler cgi-script .pl .cgi .plc

    utm:/root # ps aufxe | grep -E "^wwwrun" | head -1 | sed -r "s/ /\n/g" | grep -E "^SHELL="
    SHELL=/bin/sh

    utm:/root # ls -l /var/sec/chroot-httpd/bin/*sh*
    -rwxr-xr-x 1 root root 554984 Sep  9 16:12 /var/sec/chroot-httpd/bin/bash
    lrwxrwxrwx 1 root root      4 Sep  9 16:12 /var/sec/chroot-httpd/bin/sh -> bash


    UTM 9.206 includes vulnerable bash:

    loginuser@utm:/home/login > export VAR1='() { ignored; }; /usr/bin/id'
    
    loginuser@utm:/home/login > bash
    uid=100(loginuser) gid=100(users) groups=100(users)
    loginuser@utm:/home/login >


    Still hoping that mod_fcgid, unlike mod_cgi, does not use shell as a "glue". I've not yet examined sources.
  • What about the DHCP client ?
Reply Children
No Data