SB-3 2014-09-25 Bash “Shellshock” vulnerability
Service bulletin: SB-3
Date: September 25, 2014
On September 24, 2014, a vulnerability in the Bash shell was announced. Bash is installed on all Bonded Internet nodes and Debian Linux servers, and the flaw can allow an attacker to execute arbitrary code on hosts that are vulnerable in certain ways. The vulnerability is described in CVE-2014-6271 and CVE-2014-7169. Debian has released patches for Bash that fix the flaws described in both CVEs.
We are not aware of any ways that Bonded Internet management or node software is vulnerable to this flaw. However, as a precaution, all management servers were patched on the evening of September 24.
Partners are strongly recommended to upgrade Bash on all their nodes using the solution below.
Affected hosts
- All nodes
Solution
A script is available that upgrades Bash on all nodes. This script does not result in any service interruption for Bonded Internet end-users.
To upgrade nodes, run these commands on the management server. Do not use the script on bonders or aggregators—it will only work when executed on the management server.
For the latest version of the script, contact Technical Support.
The script logs into each node, determines if Bash is vulnerable, and upgrades Bash if necessary. It works on both Debian Wheezy and Squeeze devices. On Squeeze, it adds the “squeeze-lts” (Long Term Support) software repository to its list of software sources, because standard Squeeze software repositories are no longer updated.
If any nodes are offline when you run the script, you should run it again when the nodes are available. The script does nothing to nodes that have a patched version of Bash, so you can run it multiple times with no issues. If your RSA public key is on nodes, you will not be asked for node passwords. If your RSA public key is not on nodes, you will need to provide the password for each node.
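The two decisions the bulletin describes, detecting whether a node's Bash is still vulnerable and whether the node is a Squeeze device that needs the squeeze-lts repository, can be verified locally with the checks below. This is an added example, not the support script itself; it assumes Bash is reachable as `bash` on the PATH (or is passed as an argument) and that `/etc/debian_version` reports `6.0.x` for Squeeze and `7.x` for Wheezy.

```shell
#!/bin/sh
# Added example (not the vendor's upgrade script): local checks that a
# per-node upgrade step would run before and after "apt-get install bash".

# shellshock_status [path-to-bash]
# Prints "no-bash", "vulnerable" or "patched". Always exits 0 so it can be
# called inside a loop over many nodes without aborting the loop.
shellshock_status() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || { echo no-bash; return 0; }

    # CVE-2014-6271: a function definition imported from the environment
    # must not execute the command that follows the closing brace.
    out=$(env x='() { :;}; echo VULN6271' "$bash_bin" -c ':' 2>/dev/null)
    case "$out" in *VULN6271*) echo vulnerable; return 0;; esac

    # CVE-2014-7169: the first fix left a parser bug; an unpatched bash turns
    # the leftover redirection into a file named "echo" in the working dir.
    tmp=$(mktemp -d) || { echo no-bash; return 0; }
    ( cd "$tmp" && env x='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; echo vulnerable; return 0
    fi
    rm -rf "$tmp"
    echo patched
}

# needs_lts_repo <contents of /etc/debian_version>
# Returns 0 (true) for Squeeze (6.0.x), whose standard repositories are no
# longer updated, so squeeze-lts must be added before bash can be upgraded.
# Returns 1 for Wheezy (7.x) and anything else.
needs_lts_repo() {
    case "$1" in
        6.0*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Stand-alone run: report this host's status.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "bash: $(shellshock_status)"
    if needs_lts_repo "$(cat /etc/debian_version 2>/dev/null)"; then
        echo "repository: squeeze-lts required"
    fi
fi
```

Running it on a node after the upgrade should report `bash: patched`; any other result means the node must be revisited once it is reachable.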
References
- CVE-2014-6271: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
- CVE-2014-7169: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
- Debian security advisories: https://www.debian.org/security/2014/dsa-3032 and https://www.debian.org/security/2014/dsa-3035
- Debian bash changelog: https://packages.debian.org/wheezy/bash, then click the link “Debian Changelog” (the link changes from time to time as the package is updated)