Bash Exploit / Shellshocker and Lightning Base
We don’t generally discuss server/software vulnerabilities on this blog unless we’re making a change/update that will affect client sites. But when issues hit the general media and we start to get support tickets asking if we’re aware of the problem, I like to post a general update for everyone so clients know we’re taking care of things.
If you don’t want to read all this, yes, we have updated bash and our systems should be secure. If you’re interested in some details:
Recently there have been a number of articles, both in the WordPress community and on more general tech sites, about a Bash (Bourne-again shell) exploit, often referred to as ‘Shellshocker’. This is a serious vulnerability, largely because it affects an extremely wide variety of machines, everything from servers on various operating systems to embedded systems. It is not something that is easy to exploit on many machines, but as researchers look into it further, an expanding number of ways to take advantage of the problem seem to be popping up. I don’t believe it would be good for anyone to assume unpatched systems are safe.
The vulnerability first came to our attention yesterday morning. That afternoon a patch was released from Red Hat and to CentOS and CloudLinux. We upgraded bash on all systems shortly after the updated versions reached the respective repositories. From what I’m seeing in our logs, there were a few scans that appear to be security researchers testing for vulnerabilities at that point, who have been followed by actual malicious exploit attempts today.
We also put in place webapp firewall rules to block the attack before patches were released. Rules like that are rarely 100%; the rule has to be perfect to block all attacks. But it makes it more difficult for exploit attempts to get through, and at this point I don’t believe they were even necessary; the patches appear to have rolled out before malicious attempts to exploit the vulnerability hit our systems.
Red Hat/Linux developers are still looking at a second issue with Bash. My understanding is that this is a harder-to-exploit vulnerability, but also harder to patch. Once they have settled on a fix and rolled that out to the repositories, we will be updating again to make sure the systems are secure.
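For readers who want to do the same kind of log review, here is an added example (not Lightning Base's own tooling or firewall rules) that flags access-log fields starting with a Bash function definition, `() {`, and shows why a rule covering only one header falls short of 100%. The log lines, IP addresses and function names are constructed for illustration, and the combined log format is an assumption.

```python
import re

# Apache/nginx "combined" format (assumed):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A value that begins like a Bash function definition. Whitespace-tolerant,
# so the check errs toward flagging rather than missing.
FUNC_DEF_RE = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines: documentation IP ranges, inert payloads.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2015:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [01/Jan/2015:09:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :; }; echo constructed-probe"
203.0.113.20 - - [02/Jan/2015:02:41:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :; }; echo constructed-probe" "Mozilla/5.0"
203.0.113.21 - - [02/Jan/2015:02:50:00 +0000] "GET /js/app.js HTTP/1.1" 200 900 "-" "Mozilla/5.0 function() { return 1 }"
not a log line
"""

def find_hits(log_text, fields=("request", "referer", "agent")):
    """Return (ip, time, field) for each logged field that starts a function definition."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        for field in fields:
            if FUNC_DEF_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("time"), field))
    return hits

def coverage_gap(log_text):
    """Source IPs that a User-Agent-only rule misses but a check of every logged field flags."""
    narrow = {ip for ip, _, _ in find_hits(log_text, fields=("agent",))}
    broad = {ip for ip, _, _ in find_hits(log_text)}
    return sorted(broad - narrow)

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
    print("missed by a User-Agent-only rule:", coverage_gap(SAMPLE_LOG))
```

Access logs record only a few request fields, so a clean result here narrows the search but does not rule out attempts carried in fields that were never logged.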
UPDATE: The fix for the second portion of the vulnerability (CVE-2014-7169) has been released and applied to all of our systems.
This isn’t something that our clients should have to worry about, but if you have any questions, don’t hesitate to open a ticket in our client area.