Bash Code Injection Vulnerability


This topic contains 7 replies, has 0 voices, and was last updated by  jvn 4 years, 9 months ago.

  • #44046

    jvn
    Member

    — Edit —
    As Gordonf answered me, ZeroShell is unreachable from the outside network and thus is not concerned by Bash code injection.

    — End Edit —

    Dear Fulvio,

    A new security issue was published yesterday; this impacts all Linux versions.
    More details at https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

    I checked my ZeroShell 3.0 installation with the following code:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    ZeroShell is vulnerable… 🙁

    Please will/can you publish an update for this?
    The proposed patch is here: http://www.openwall.com/lists/oss-security/2014/09/25/10

    Best regards,
    Jean

    #53465

    gordonf
    Member

    I understand that only the Zeroshell administrator can introduce scripts to the default system, such as by editing the post-boot script. How does some random user that doesn’t have access to the ZS console or admin pages exploit this vulnerability?

    #53466

    jvn
    Member

    Hi,

    I don’t know if Zeroshell is concerned (I hope not).
    But it can…

    Did you look at this video from Symantec?
    https://www.youtube.com/watch?v=ArEOVHQu9nk

    They explain how to use it with CGI files if variables are used.

    #53467

    gordonf
    Member

    First off, I hate fearmongers. And Symantec makes its money by spreading fear. So let’s get my strong bias out in the open.

    Now let’s see how a bash exploiter can exploit ZS:

    * From the internet: The ZS UI by default restricts access to its web UI to private IP ranges. If you’re foolish enough to override this default, there’s the next problem:

    * The admin credentials: To even see the UI CGI you need the admin password. If you have teenage kids behind your ZS router, you likely have a better password than ‘password.’ I hope.

    * Malware on the inside network: That’s assuming you administer ZS from an infected PC; if so, you have worse problems than malware exploiting your router. And I have a whole web series on preventing unwanted software, at least on Windows clients.

    * Captive Portal or optional Squid Proxy: Isn’t this built with hostile clients in mind? There are a handful of examples of blocking inbound SQL exploits that could apply to a Squid running on ZS that’s caching outbound requests; block bash escape sequences like one would block SQL ones.

    If you’re a ZS admin who’s really worried about this until Fulvio releases a fix, make sure the web UI is restricted to NICs and IP ranges you trust, and pick a strong admin password. If you use captive portal, add some URL filtering and you might even catch your own users exploiting outside hosts.

    Above all, don’t panic.
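The filtering idea in the post above (treat bash escape sequences like SQL ones), sketched as an added example that is not part of the original thread: it flags access-log entries whose Referer or User-Agent begins with the `() {` prefix from the test command in the first post. It assumes the Apache/NCSA "combined" log format; the function names and the sample log lines are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). A header value reaches a CGI as an
# environment variable, so a value that *begins* with "() {" is the marker
# to look for. The combined log format records only two request headers,
# Referer and User-Agent; other headers are not visible in this log.

scan_log() {
    # Reads log file(s) given as arguments, or stdin if none.
    # Prints "client<TAB>header<TAB>value" for each flagged entry.
    awk -F'"' '
    BEGIN { name[4] = "referer"; name[6] = "user-agent" }
    {
        split($1, pre, " ")              # pre[1] = client address
        for (i = 4; i <= 6; i += 2)      # quoted fields 4 and 6
            # Anchored at the start of the value; bracket expressions
            # avoid awk-dialect differences in escaping "{".
            if ($i ~ /^[(][)][ \t]*[{]/)
                printf "%s\t%s\t%s\n", pre[1], name[i], $i
    }' "$@"
}

# Constructed sample lines: documentation addresses, and the harmless
# "echo vulnerable" string from the test command quoted in the thread.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;}; echo vulnerable"
203.0.113.9 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "() { :;}; echo vulnerable" "curl/7.38.0"
192.0.2.11 - - [25/Sep/2014:10:00:12 +0000] "GET /app.js HTTP/1.1" 200 90 "http://example.com/?cb=function(){}" "Mozilla/5.0"
EOF
}

demo() {
    # Flags the second and third lines; the fourth contains "(){" in the
    # middle of the Referer, which the anchored match correctly ignores.
    sample_log | scan_log
}

demo
```

A hit only shows that someone sent the string; whether it had any effect depends on whether the bash behind the CGI is patched.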

    #53468

    jvn
    Member

    Hi gordonf,

    Thank you for your detailed and clear answer.

    I was too busy to update my other servers to think properly by myself…

    So you’re absolutely right, (my) ZeroShell is protected from outside and so is out of reach of malicious persons.

    I’ll edit my first message to avoid that people think that ZeroShell is compromised by this security hole.

    Next time, I hope I’ll use my brain…

    Best regards,
    Jean

    #53469

    imported_fulvio
    Participant

    Hi,
    This Bash bug makes Zeroshell vulnerable, so you should urgently install release 3.2.0, which contains a patched version of bash. Do not forget that the captive portal login page can also be exploited.

    Regards
    Fulvio

    #53470

    gordonf
    Member

    What if you’re not using captive portal though? Is the admin logon page vulnerable too?

    I can see this being more of a problem for public hotspot hosts with lots of unknown clients, than at one’s business or home network where the clients are known and managed.

    I’m working on an OVA template for 3.2 now; all done. I note that this kernel has the vmxnet3 NIC driver as well (!)

    #53471

    imported_fulvio
    Participant

    Surely the admin page is vulnerable.
    Regards
    Fulvio

    #53472

    jvn
    Member

    Hi Fulvio,

    Thanks for your update.

    I think, as Gordonf says, that this security issue impacts only (my) internal network (we don’t use captive portal, only the admin website on LAN is vulnerable).

    But I updated our system to be sure 🙂
    I took the opportunity to install the new version on the hard drive with installation manager 😉

    Best regards,
    Jean
