Shellshock and CloudStack


Shellshock is a family of bugs in the Unix Bash shell which allow an attacker to execute arbitrary commands on a vulnerable system, potentially gaining full access to it. The original bug (CVE-2014-6271) was disclosed on 24 September 2014; closer inspection of the code then turned up the related vulnerabilities CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187. The bug is thought to have been present in the Bash code since 1992.

Protecting Against Shellshock Attacks In a CloudStack Environment

The first line of defense is to keep all management functions in a private, firewalled network, denying would-be attackers the opportunity to reach vulnerable systems in the first place.

The next step is to patch all management servers (i.e. CloudStack Management servers, MySQL servers, BIND DNS servers etc.) running Linux OSes. Either yum update bash or apt-get update; apt-get install --only-upgrade bash will work on most Linux flavours (note the double hyphen in --only-upgrade).

The usual precautions should be taken when doing updates: ensure you have good backups and take the systems to be patched off-line before commencing.

KVM compute hosts can be patched in the same way using yum or apt-get. Citrix have released a patch for XenServer (https://support.citrix.com/article/CTX200223); this also applies to the open sourced versions of XenServer. VMware ESXi is not affected as it does not use bash; however, other components of a vSphere environment may be affected, so consult http://www.vmware.com/security/advisories/VMSA-2014-0010.html for details.

Potentially the most complicated step is patching the system VMs. They are rebuilt from the system VM template whenever they are destroyed or recreated, so patching the running system VMs alone is not enough: the template must be patched as well, or the next rebuilt system VM will come back unpatched. As the system VMs are Debian based, apt-get update; apt-get install --only-upgrade bash will update bash to a patched version.

The final step is to remind all creators/users of Linux based guest instances to patch their virtual machines.
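To tie the steps above together, here is an added example script (my own, not part of the original post or of CloudStack) that checks whether the bash on a host is still vulnerable to CVE-2014-6271 and CVE-2014-7169 using the two well-known test strings from the disclosures, and can then apply the yum or apt-get commands given above. It is meant to be run as root on each management server, KVM host, system VM and system VM template; the function names and the --patch flag are my own choices, and the patch step needs repository access.

```shell
#!/bin/sh
# Added example (not from the original post): report whether bash on this
# host is still vulnerable to Shellshock, and optionally apply the
# distribution patch commands from the post. Function and variable names
# are assumptions of this example.

# CVE-2014-6271 check: a function definition exported in the environment is
# followed by a trailing command. A vulnerable bash runs the trailing
# "echo vulnerable" while importing the environment; a patched bash does not.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = no bash on PATH.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo ok' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169 check (the bug left by the incomplete first fix): a malformed
# function body makes a vulnerable bash misparse its own command line, so
# "echo date" is turned into a redirect and a file named "echo" appears in
# the working directory. Same return codes as above. Runs in a scratch
# directory so it cannot clobber a real file.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# One-word summary for reporting: "vulnerable", "patched" or "no-bash".
shellshock_status() {
    rc1=0; check_cve_2014_6271 || rc1=$?
    rc2=0; check_cve_2014_7169 || rc2=$?
    if [ "$rc1" -eq 2 ] && [ "$rc2" -eq 2 ]; then
        echo no-bash
    elif [ "$rc1" -eq 0 ] || [ "$rc2" -eq 0 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# The package-manager commands from the post. Needs root and repository
# access; only run when the script is invoked with --patch.
patch_bash() {
    if command -v yum >/dev/null 2>&1; then
        yum -y update bash
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get update && apt-get install -y --only-upgrade bash
    else
        echo "no yum or apt-get found; patch bash manually" >&2
        return 2
    fi
}

host_name() {
    hostname 2>/dev/null || echo localhost
}

# Usage: sh shellshock-check.sh           # report only
#        sh shellshock-check.sh --patch   # report, patch if vulnerable, re-check
status=$(shellshock_status)
echo "$(host_name): bash is $status"
if [ "$status" = "vulnerable" ] && [ "${1:-}" = "--patch" ]; then
    patch_bash && echo "$(host_name): after patching, bash is $(shellshock_status)"
fi
```

Run it on a system VM template before sealing the template, and again on a freshly created system VM, to confirm that the rebuilt VMs come back patched rather than reverting to the old bash.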