Bash Code Injection Vulnerability
September 26, 2014 at 7:50 am #44046
jvn
Member
— Edit —
As gordonf answered me, ZeroShell is unreachable from the outside network and thus is not concerned by Bash code injection.
— End Edit —
Dear Fulvio,
A new security issue was published yesterday; it impacts all Linux versions.
More details at https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
I checked my ZeroShell 3.0 installation with the following code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Zeroshell is vulnerable…
Please, will/can you publish an update for this?
The patch proposed is here: http://www.openwall.com/lists/oss-security/2014/09/25/10
Best regards,
Jean
September 26, 2014 at 1:02 pm #53465
gordonf
Member
I understand that only the Zeroshell administrator can introduce scripts to the default system, such as by editing the post-boot script. How does some random user that doesn’t have access to the ZS console or admin pages exploit this vulnerability?
September 26, 2014 at 2:28 pm #53466
jvn
Member
Hi,
I don’t know if Zeroshell is concerned (I hope not).
But it can…
Did you look at this video from Symantec?
https://www.youtube.com/watch?v=ArEOVHQu9nk
They explain how to use it with CGI files if variables are used.
September 27, 2014 at 2:43 am #53467
gordonf
Member
First off, I hate fearmongers. And Symantec makes its money by spreading fear. So let’s get my strong bias out in the open.
Now let’s see how a bash exploiter can exploit ZS:
* From the internet: The ZS UI by default restricts access to its web UI to private IP ranges. If you’re foolish enough to override this default, there’s the next problem:
* The admin credentials: To even see the UI CGI you need the admin password. If you have teenage kids behind your ZS router, you likely have a better password than ‘password.’ I hope.
* Malware on the inside network: That’s assuming you administer ZS from an infected PC; if so, you have worse problems than malware exploiting your router. And I have a whole web series on preventing unwanted software, at least on Windows clients.
* Captive Portal or optional Squid Proxy: Isn’t this built with hostile clients in mind? There are a handful of examples of blocking inbound SQL exploits that could apply to a Squid running on ZS that’s caching outbound requests; block bash escape sequences like one would block SQL ones.
If you’re a ZS admin who’s really worried about this until Fulvio releases a fix, make sure the web UI is restricted to NICs and IP ranges you trust, and pick a strong admin password. If you use captive portal, add some URL filtering and you might even catch your own users exploiting outside hosts.
Above all, don’t panic.
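The filtering idea in the post above (catching the `() {` sequence used by the test command earlier in the thread), as an added example that is not part of the thread or of Zeroshell: a shell function that scans a web access log for that marker in the request line, Referer and User-Agent. It assumes the Apache/nginx "combined" log format; the function names, the `/cgi-bin/status` path and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Shellshock-style probes in a web access log.
# Assumes "combined" log format; fields are split on double quotes, so
# lines with escaped quotes inside a header value are not handled.

# Reads log lines on stdin; prints "ip<TAB>field" for every request line,
# Referer or User-Agent that carries the "() {" function-definition marker.
scan_shellshock() {
    awk -F'"' '
    function hit(s,    l) {
        l = tolower(s)
        # literal "() {" or its percent-encoded form as seen in a query string
        return (s ~ /[(][)][ \t]*[{]/) || (l ~ /%28%29(%20|[+])*%7b/)
    }
    {
        split($1, pre, " "); ip = pre[1]
        if (hit($2)) print ip "\trequest"
        if (hit($4)) print ip "\treferer"
        if (hit($6)) print ip "\tuser-agent"
    }'
}

# Constructed sample log (documentation IP ranges, hypothetical CGI path).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:07:50:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2014:07:51:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [26/Sep/2014:07:52:40 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D HTTP/1.1" 404 0 "-" "curl/7.38.0"
192.0.2.44 - - [26/Sep/2014:07:53:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
EOF
}

# Stand-alone run: list the flagged clients in the sample log.
sample_log | scan_shellshock
```

A hit only shows that a client sent the marker, not that the request reached a vulnerable Bash; parentheses in ordinary User-Agent strings, as in the last sample line, are not flagged.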
September 29, 2014 at 1:00 pm #53468
jvn
Member
Hi gordonf,
Thank you for your detailed and clear answer.
I was too busy updating my other servers to think properly by myself…
So you’re absolutely right: (my) ZeroShell is protected from the outside and so is out of reach of malicious persons.
I’ll edit my first message so that people don’t think that ZeroShell is compromised by this security hole.
Next time, I hope I’ll use my brain…
Best regards,
Jean
October 1, 2014 at 3:30 am #53469
imported_fulvio
Participant
Hi,
This bug in Bash makes Zeroshell vulnerable, so you should urgently install release 3.2.0, which contains a patched version of Bash. Do not forget that the captive portal login page can also be exploited.
Regards
Fulvio
October 1, 2014 at 2:55 pm #53470
gordonf
Member
What if you’re not using captive portal though? Is the admin logon page vulnerable too?
I can see this being more of a problem for public hotspot hosts with lots of unknown clients, than at one’s business or home network where the clients are known and managed.
I’m working on an OVA template for 3.2 now; all done. I note that this kernel has the vmxnet3 NIC driver as well (!)
October 1, 2014 at 6:24 pm #53471
imported_fulvio
Participant
Surely the admin page is vulnerable.
Regards
Fulvio
October 2, 2014 at 11:12 am #53472
jvn
Member
Hi Fulvio,
Thanks for your update.
I think, as gordonf says, that this security issue impacts only (my) internal network (we don’t use the captive portal; only the admin website on the LAN is vulnerable).
But I updated our system to be sure.
I took the opportunity to install the new version on the hard drive with the installation manager.
Best regards,
Jean