John's Blog: The "Shellshock" Vulnerability

Sept 29, 2014

First, as I wrote about when the "Heartbleed" bug was first reported, it is important to keep generalized security bulletins in perspective. Failure to follow basic server administration practices, like those described in the "Server Security" article in the Rumpus package, represents the most serious threat in most environments. Regardless of the status of your server as it relates to Shellshock (or Heartbleed), please be sure to always follow common-sense security procedures that are appropriate for your specific server. For details, see:

SSL Vulnerabilities

The "Shellshock Vulnerability", also known as the "Bash Bug", is described in detail here:

Vulnerability Summary for CVE-2014-6271

Bash is the Unix shell used to run commands issued either by users (via the Terminal) or by other programs (such as Rumpus). The vulnerability concerns how Bash imports environment variables when it starts: any variable whose value begins with "() {" is treated as an exported function definition, and a vulnerable Bash does not stop parsing at the end of the function body, so whatever text follows the closing brace is executed as a command immediately, before the command Bash was actually asked to run. The script or command itself does not need to reference the variable at all; what matters is whether attacker-controlled text can be placed in the environment of a process that then starts Bash.

Rumpus does use Bash when it performs various functions provided by other programs that are part of OS X. The most notable example is when Rumpus needs to generate a zip archive, for example to allow users to download multiple files via the Web interface. In this case, Rumpus uses Bash to invoke the zip utility. Other examples include running the OpenSSL program to determine its installed version and the "ps" utility to find Rumpus' own process ID.

By default, Rumpus does not set or use environment variables in the commands/scripts it executes via Bash, so user-supplied text (file names, user names, Web request data) is not placed in the environment Bash inherits. Rumpus also does not execute arbitrary scripts or CGIs created either by server administrators or end users. At this time, I am not aware of any way that the Shellshock bug could be exploited through a default Rumpus server installation.

With that said, there are at least two possible ways in which a Rumpus server could be vulnerable to this form of attack.

The first case involves the use of other services, for example SSH, on the server. As described in the "Server Security" article, it is important to limit the services enabled on your server to those that are necessary for its function. The services that were widely reported as exploitable are exactly the ones that copy remote input into environment variables before running a Bash script: Web servers running CGI scripts (request headers become variables), sshd with a ForceCommand or restricted key (the client's requested command is exported as SSH_ORIGINAL_COMMAND), and DHCP clients whose hook scripts receive server-supplied options. In this case, Rumpus wouldn't actually be used to exploit the vulnerability at all, but it's an important point for Rumpus server administrators to bear in mind.

Rumpus itself could potentially be used by an attacker if you have defined Event Notices of the type "Shell Script", and those scripts include the use of environment variables. Doing this is pretty uncommon, and if you aren't sure if your server uses Shell Script notices, it probably doesn't. Bear in mind that the script body does not have to read the variable for the attack to work; the question is whether any value an end user controls (an uploaded file's name, a user name) reaches the script through its environment. If you have written Shell Scripts executed as Event Notices, and they include the use of environment variables (or you are unsure how event details are handed to them), my strong recommendation is that you disable use of those Event Notices immediately, until Apple has issued a patch for the Bash utility that corrects the problem.
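The following is an added example, not code from the original post and not part of Rumpus or any Maxum product. It shows the mechanism described above and the point about Event Notice scripts in two small functions: shellshock_check() runs Bash with the well-known test payload in an environment variable while asking Bash to do nothing (":"), so any output proves the trailing command ran at startup without the script ever touching the variable; argument_is_inert() runs the same payload text as a positional argument instead, which Bash never parses as a function definition. The only assumption is that a "bash" binary is on the PATH; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original post, not Rumpus/Maxum code).
# Assumes a 'bash' binary is on PATH. The Shellshock payload below is the
# widely published test string: a function definition followed by an
# extra command after the closing brace.

# Prints "vulnerable" if the local bash executes the trailing command when
# importing its environment, "patched" otherwise, "no-bash" if bash is absent.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # Bash is asked to run ':' (do nothing). On a vulnerable bash the
    # "echo vulnerable" still runs, at startup, while the environment is
    # being imported. stderr is discarded because a partially patched
    # bash prints a warning about the ignored function definition.
    out=$(env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Demonstrates the safer way to hand untrusted text to a script: as a
# positional argument, not an exported variable. Prints "ok" when the
# payload came through as plain data, "unexpected" otherwise.
argument_is_inert() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    payload='() { :;}; echo vulnerable'
    # "$1" is never parsed as a function definition, so bash just prints it back.
    got=$(bash -c 'printf "%s" "$1"' _ "$payload" 2>/dev/null)
    if [ "$got" = "$payload" ]; then
        echo "ok"
    else
        echo "unexpected"; return 1
    fi
}

# Stand-alone usage: report both results.
printf 'bash import check: %s\n' "$(shellshock_check)"
printf 'argument check:    %s\n' "$(argument_is_inert)"
```

Run it as-is on the server (sh shellshock_check.sh). The first line is the check worth repeating after any Bash update, since it exercises the actual import path rather than reading a version string; the second illustrates why an Event Notice script that receives event details as arguments is in a different position from one that receives them through exported variables.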

To summarize... Assuming you (as the Rumpus server administrator) have followed common-sense security practices appropriate for your server, and you haven't created Shell Script Event Notices that use environment variables, I don't believe that the Shellshock vulnerability can be exploited through Rumpus. Of course, when an update to Bash that corrects the problem is released by Apple, applying the update certainly makes sense to protect against exploits (within Rumpus or some other component of the system) that might be found later. It is also worth verifying the fix after installing it rather than trusting a version number, since the first upstream Bash patch turned out to be incomplete (CVE-2014-7169).

As always, if you have additional questions or concerns, send me e-mail at support@maxum.com.

Important Update! Apple has issued a patch, OS X bash Update 1.0, that corrects the problem in the system's copy of Bash. The fix should resolve the issue not only for Rumpus but for any other service running on the machine that invokes Bash.

http://appleinsider.com/articles/14/09/29/apple-releases-bash-update-to-plug-shellshock-flaw

© Copyright 2017, Maxum Development Corp.