I still think that patching bash is the best option. There are a load of
scripts on the system vm that explicitly use bash (/opt/cloud/bin for
example) which take input from the management server so you'd need to
audit all of the input validation rules on the API (maybe it's safe
already). Bear in mind that for a public cloud, legitimate users cannot be
assumed to be trusted. There is also a way to exploit DNSMasq simply by
supplying malicious options in a DHCP request on a client machine. This
does rely on a specific setting in the DNSMasq config which is not set by
default as far as I'm aware so that should at least be safe until someone
decides to use the feature. My point is that simply scanning the system VM
with a tool designed for web servers will help but will only test a
relatively small percentage of potential attack vectors.

These are just a couple of potential attack vectors that I've identified,
and I wouldn't have the first clue about programming and have very limited
Linux experience. Surely this is a ticking time bomb until bash is patched?
I'm slightly concerned that so few people appear to care about this. Is
anyone running commercial offerings based on CS concerned about this and
the corresponding compliance issues it raises? Both Amazon and Rackspace
took fairly rapid (and disruptive) action over XSA-108, which has an almost
trivial impact compared with Shellshock.

The only solution I can think of is to 'apt-get update bash' on every
system VM, but clearly these get fired up dynamically. Is it possible to
boot the template, make modifications and then use it as a replacement system
VM? Are there processes that happen on boot that only happen once and
therefore need resetting to recreate the template?

-----Original Message-----
From: Santhosh Edukulla [mailto:santhosh.eduku...@citrix.com]
Sent: 02 October 2014 23:10
To: dev@cloudstack.apache.org
Subject: RE: Shellshock

We may use the below scanner to identify this vulnerability. One of our
ex-colleagues has written it; it's a remote network scanner and is available
as a free download.

http://blog.crowdstrike.com/crowdstrike-shellshock-scanner/

Seems configurable with custom paths. Please check the note at the end.

Regards,
Santhosh
________________________________________
From: Demetrius Tsitrelis [demetrius.tsitre...@citrix.com]
Sent: Wednesday, October 01, 2014 1:59 PM
To: <dev@cloudstack.apache.org>
Subject: RE: Shellshock

Actually, I am not sure. Only the env.cgi script is loaded and, while the
other scripts are in Perl, there is nothing in the video which shows the
source for the env.cgi script, so it may not be Perl.

-----Original Message-----
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com]
Sent: Wednesday, October 01, 2014 10:52 AM
To: <dev@cloudstack.apache.org>
Subject: RE: Shellshock

Interestingly, this video shows an attack against a Perl script...
https://www.youtube.com/watch?v=ArEOVHQu9nk

-----Original Message-----
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com]
Sent: Monday, September 29, 2014 6:13 PM
To: <dev@cloudstack.apache.org>
Subject: RE: Shellshock

http://systemvm-public-ip/cgi-bin/ipcalc is a Perl script.

-----Original Message-----
From: Sheng Yang [mailto:sh...@yasker.org]
Sent: Monday, September 29, 2014 5:21 PM
To: <dev@cloudstack.apache.org>
Subject: Re: Shellshock

http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's
normal that it cannot be exploited.

--Sheng

On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <
demetrius.tsitre...@citrix.com> wrote:

> Do you mean you tried setting the USER_AGENT like in
> https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock
> ?
>
>
> -----Original Message-----
> From: Ian Duffy [mailto:i...@ianduffy.ie]
> Sent: Friday, September 26, 2014 6:56 AM
> To: CloudStack Dev
> Subject: Re: Shellshock
>
> Tried this against the latest system vms built on Jenkins.
>
> Didn't get a successful exploited response. Tested against
> http://systemvm-public-ip/cgi-bin/ipcalc
> On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2...@gmail.com> wrote:
>
> >
> > After heart bleed we are Shell shocked
> > http://www.bbc.com/news/technology-29361794 !
> > It may not affect CloudStack directly as it is a vulnerability that
> > affects bash, and allows the attacker to take control of the system
> > running the bash shell.
> >
> > -abhi
>
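
A local audit in the spirit of the first message above (an added example, not code from the CloudStack project or from any poster): it checks whether the installed bash still executes a trailing command smuggled in through an environment-variable function definition (the Shellshock bug), and lists the scripts under a directory such as /opt/cloud/bin whose shebang names bash explicitly, so they can be prioritised for input review on a booted template copy. It assumes a POSIX sh with env, find, head and wc; the directory and bash path are optional arguments.

```shell
#!/bin/sh
# Shellshock audit for a system VM or a booted copy of its template.
# Added example for this thread; assumptions: POSIX sh, env/find/head/wc present.

# 1. Does this bash import a function from an arbitrary environment variable
#    and run the command that follows the function body? Prints one word:
#    "missing" (no bash), "vulnerable" (trailing command ran) or "patched".
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Canonical local probe: an unpatched bash executes the "echo" while
    # importing the environment; a patched bash ignores the definition
    # (possibly warning on stderr, which is discarded here).
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# 2. Inventory the scripts that are explicitly interpreted by bash. These are
#    the ones that remain in scope for reviewing what untrusted input reaches
#    them, even after bash itself is patched.
list_bash_scripts() {
    dir="${1:-/opt/cloud/bin}"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            '#!/bin/bash'*|'#!/usr/bin/bash'*|'#!/usr/bin/env bash'*) echo "$f" ;;
        esac
    done
}

# Convenience wrapper returning just the number of bash-interpreted scripts.
count_bash_scripts() {
    list_bash_scripts "$1" | wc -l | tr -d ' '
}

# Report when run directly: bash state first, then the script inventory.
printf 'bash status: %s\n' "$(shellshock_status "$2")"
printf 'bash-interpreted scripts under %s (%s):\n' "${1:-/opt/cloud/bin}" "$(count_bash_scripts "$1")"
list_bash_scripts "$1"
```

Run it as `sh shellshock_audit.sh /opt/cloud/bin` on the booted VM; a "vulnerable" result means the template still needs the bash update before it is reused.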
