@John - Quite agree. It's not just scripts that need checking either. Very
unsettling to have a vulnerable version of bash on every system vm, many
with direct access to both the CS infrastructure as well as client VMs. All
it takes is for someone to find another vector (e.g. DHCP, DNSmasq) other
than a script to inject system variables and there's suddenly a MUCH bigger
problem.

Is there no way to simply update the version of bash included with the
system vm template? At the moment it seems to be version 4.2.37 which is
vulnerable (based on
http://cloudstack.apt-get.eu/systemvm/4.4/systemvm64template-4.4.1-7-vmware.ova).

I'm not too familiar with what happens to the template as it's deployed but
if I log in as root/password to the system vm template running as downloaded
in VMware Workstation and 'echo $SHELL' I get '/bin/bash' even though
'/bin/sh' is a symlink to '/bin/dash'.

Perhaps someone is already working quietly on this but surely this should be
treated as a fairly major priority? I'd far rather not have bombs in every
system vm in the first place regardless of whether people think there aren't
any detonators.

Adrian

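A local check for the three points raised above (what /bin/sh actually resolves to, which bash is installed, and whether that bash still imports function definitions from the environment), written as an added example that is not code from the thread or from CloudStack; it assumes the Debian template layout with /bin/sh and /bin/bash:

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Debian template layout
# (/bin/sh and /bin/bash). Run it inside the system VM image under test.

# Print the real interpreter behind /bin/sh (dash on the template, per the thread).
resolve_sh() {
    readlink -f /bin/sh 2>/dev/null || echo "/bin/sh"
}

# Print the installed bash version, or "missing" when bash is not present.
bash_version() {
    if [ -x /bin/bash ]; then
        /bin/bash -c 'echo "$BASH_VERSION"'
    else
        echo "missing"
    fi
}

# Return 0 if bash runs code appended to an exported function definition,
# 1 if it does not, 2 if bash is absent. Only the original import-from-
# environment test is covered; later variants of the bug need the
# distribution's patch status checked separately.
bash_imports_env_funcs() {
    [ -x /bin/bash ] || return 2
    out=$(env x='() { :;}; echo IMPORTED' /bin/bash -c 'echo done' 2>/dev/null)
    case "$out" in
        *IMPORTED*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined verdict. A dash /bin/sh keeps perl's system() away from bash, but a
# vulnerable bash on the image still matters for any other vector that sets
# environment variables, which is the point made above.
report() {
    sh_impl=$(resolve_sh)
    printf '/bin/sh -> %s\n' "$sh_impl"
    printf 'bash    -> %s\n' "$(bash_version)"
    if bash_imports_env_funcs; then
        echo "bash: imports functions from the environment (VULNERABLE)"
    else
        echo "bash: does not import functions from the environment (patched or absent)"
    fi
    case "$sh_impl" in
        *dash*) echo "system() via /bin/sh runs dash" ;;
        *bash*) echo "system() via /bin/sh runs bash" ;;
        *) echo "system() via /bin/sh runs $sh_impl" ;;
    esac
}

report
```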
-----Original Message-----
From: John Kinsella [mailto:j...@stratosec.co]
Sent: 30 September 2014 22:57
To: dev@cloudstack.apache.org
Subject: Re: Shellshock

I’m not worried about any specific use-case, but I’d rather not have
vulnerable software running on SSVMs in general.

John

On Sep 30, 2014, at 2:47 PM, Sheng Yang <sh...@yasker.org> wrote:

The parameters of system() function have been verified as valid IP/netmask
format by script, so I don't think other parameters would be able to slip in
in this case.

--Sheng

On Tue, Sep 30, 2014 at 8:38 AM, Go Chiba <go.ch...@gmail.com> wrote:

Hi folks,

From my digging, ipcalc includes a system() function call, but our Debian-based
system VMs use dash as the system shell. So I think this Shellshock concern
does not directly affect the system VM cgi-bin, right?

GO

from my iPhone

On 2014/09/30 10:13, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.

-----Original Message-----
From: Sheng Yang [mailto:sh...@yasker.org]
Sent: Monday, September 29, 2014 5:21 PM
To: <dev@cloudstack.apache.org>
Subject: Re: Shellshock

http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's
normal that it cannot be exploited.

--Sheng

On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

Do you mean you tried setting the USER_AGENT like in
https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock
?


-----Original Message-----
From: Ian Duffy [mailto:i...@ianduffy.ie]
Sent: Friday, September 26, 2014 6:56 AM
To: CloudStack Dev
Subject: Re: Shellshock

Tried this against the latest system vms built on Jenkins.

Didn't get a successfully exploited response. Tested against
http://systemvm-public-ip/cgi-bin/ipcalc

On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2...@gmail.com>
wrote:


After Heartbleed we are Shellshocked
http://www.bbc.com/news/technology-29361794 !
It may not affect cloudstack directly as it is a vulnerability that affects
bash, and allows the attacker to take control of the system running bash
shell.

-abhi



Stratosec - Secure Finance and Healthcare Clouds http://stratosec.co
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>