Summary
The Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) is a security bug affecting Unix-like operating systems through the Bash shell. Many Linux distributions and Mac OS X include the affected GNU Bash version. An attacker can exploit the vulnerability via remote shell access, or through any application that may execute Bash scripts with attacker-influenced environment variables. The vulnerability could allow a remote attacker to execute arbitrary code.
Impact on Kerio Products
Kerio Control does not include the Bourne-Again shell (Bash) and is not affected by this vulnerability. All Linux systems in the Samepage infrastructure are up to date and are not vulnerable. Kerio Connect Virtual Appliance has the affected Bash version within the underlying operating system, but does not pass user-supplied data into the Bash environment and therefore cannot be misused by an attacker. Kerio Operator (all versions and editions) has the affected Bash version and could be exploited through the DHCP server (if enabled) from devices on the local network.
Samepage
No action necessary. All Linux systems in the Samepage infrastructure are up to date.
Kerio Control (All Editions / Versions)
No action necessary. The affected Bourne-Again shell (Bash) is not included in Kerio Control.
Kerio Operator (Virtual Appliance, Software Appliance, and Box Editions)
Kerio Operator (up to version 2.3.2) has the affected Bash shell and the vulnerability is exploitable via DHCP if the attacker has access to the local network. A patched version (2.3.2 Patch 1) is available from the Kerio Operator download page.
Kerio Connect (Virtual Appliance, Linux, and Mac OS X)
We recommend installing the appropriate operating system updates to fix this vulnerability at the operating system level. This is highly encouraged if other services (besides Kerio Connect) run on the same server. This applies to all Linux and Mac OS X distributions. Use the default update mechanism of your operating system to get the latest updates, and make sure you are running a distribution version that still receives security updates, so that it gets the fix for this vulnerability.
For Debian and Ubuntu, run the sudo apt-get update and sudo apt-get upgrade commands; for CentOS, run sudo yum update. Users of the Kerio Connect Virtual Appliance may need to modify the server configuration to receive the latest updates (see below). On OS X, use the default "Software Update" application or install an update. Refer to the Mac OS X links below for additional information.
Kerio Workspace (Virtual Appliance)
Follow the Debian 6 (Squeeze) instructions in the Kerio Connect Virtual Appliance update section below. If you do not have nano, you can install it using the following command:
apt-get install nano
Kerio Connect Virtual Appliance update
Before running the apt-get update command, make sure that the /etc/apt/sources.list file contains an up-to-date list of Debian package repositories. The list should contain three repositories: main packages, updates and security updates.
To edit the file, use the following command:
sudo nano /etc/apt/sources.list
For Debian 7 (Wheezy) the file should contain:
deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy-updates main
deb-src http://ftp.debian.org/debian wheezy-updates main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
For Debian 6 (Squeeze) the file should contain:
deb http://ftp.debian.org/debian/ squeeze main contrib
deb-src http://ftp.debian.org/debian/ squeeze main contrib
deb http://security.debian.org/ squeeze/updates main contrib
deb-src http://security.debian.org/ squeeze/updates main contrib
deb http://ftp.debian.org/debian squeeze-lts main contrib
deb-src http://ftp.debian.org/debian squeeze-lts main contrib
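A small pre-flight check for the procedure above, added here as an example and not part of Kerio's own tooling: it confirms that a sources.list file carries the three repositories listed for the given Debian codename (ignoring commented-out entries and stray whitespace) before apt-get update is run. The file path and codename are arguments; the repository lines are the ones quoted above.

```shell
# Added example, not Kerio's tooling: verify that /etc/apt/sources.list has the
# main, updates and security repositories listed above for a Debian codename
# before running "apt-get update". Comments and extra blanks are ignored.
# required_lines CODENAME: print the "deb" lines expected for that release.
required_lines() {
    case "$1" in
        wheezy)
            printf '%s\n' \
                'deb http://ftp.debian.org/debian wheezy main' \
                'deb http://ftp.debian.org/debian wheezy-updates main' \
                'deb http://security.debian.org/ wheezy/updates main' ;;
        squeeze)
            printf '%s\n' \
                'deb http://ftp.debian.org/debian/ squeeze main contrib' \
                'deb http://security.debian.org/ squeeze/updates main contrib' \
                'deb http://ftp.debian.org/debian squeeze-lts main contrib' ;;
        *)
            echo "unsupported Debian codename: $1" >&2
            return 2 ;;
    esac
}

# check_sources_list FILE CODENAME: exit 0 when every required "deb" line is
# present, 1 when any is missing (each missing line is reported on stderr),
# 2 for an unknown codename.
check_sources_list() {
    file=$1; codename=$2
    required_lines "$codename" >/dev/null || return 2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Drop comment lines, squeeze runs of blanks to one space, trim the ends.
    normalised=$(grep -v '^[[:space:]]*#' "$file" \
                 | sed 's/[[:blank:]]\{1,\}/ /g; s/^ //; s/ $//')
    # The loop runs in a subshell; the last test in the braces sets the status.
    required_lines "$codename" | {
        missing=0
        while IFS= read -r want; do
            if ! printf '%s\n' "$normalised" | grep -Fxq -- "$want"; then
                echo "missing from $file: $want" >&2
                missing=$((missing + 1))
            fi
        done
        [ "$missing" -eq 0 ]
    }
}

# Usage: sh check_sources.sh /etc/apt/sources.list wheezy
if [ "$#" -eq 2 ]; then
    check_sources_list "$1" "$2" && echo "$1 is ready for apt-get update"
fi
```

Run it against the real /etc/apt/sources.list only after editing the file as described; a non-zero exit tells you which repository line is still missing.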
References
- https://access.redhat.com/node/1200223
- https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271
- http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
- https://www.us-cert.gov/ncas/alerts/TA14-268A
Priyanka Bhotika