Shellshock is the family of bugs in the Unix Bash shell which allows an attacker to execute arbitrary commands on a vulnerable system, potentially giving the attacker full access to that system. The bug (CVE-2014-6271) was first disclosed on 24 September 2014; upon closer inspection of the code, related vulnerabilities (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187) were discovered. The bug is thought to have been present in the Bash code since 1992.
Protecting Against Shellshock Attacks In a CloudStack Environment
The first line of defense is to keep all management functions in a private, firewalled network, denying would-be attackers the opportunity to reach vulnerable systems.
The next step is to patch all management servers (i.e. CloudStack Management servers, MySQL servers, BIND DNS servers etc.) running Linux OSes. Either yum update bash or apt-get update; apt-get install --only-upgrade bash will work on most Linux flavours.
The usual precautions should be taken when doing updates; ensuring you have good backups and taking systems to be patched off-line before commencing.
KVM compute hosts can also be patched in this way using yum or apt-get. Citrix have released a patch for XenServer: https://support.citrix.com/article/CTX200223. This also applies to the open sourced versions of XenServer. VMware ESXi is not affected as it does not use bash; however, other components of a vSphere environment may be affected, so consult http://www.vmware.com/security/advisories/VMSA-2014-0010.html for details.
Potentially the most complicated step is patching the system VMs, as these can be rebuilt from the templates, so the templates must be patched as well. As the system VMs are Debian based, apt-get update; apt-get install --only-upgrade bash will update bash to a patched version.
The final step is to remind all creators/users of Linux based guest instances to patch their virtual machines.
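The check-then-patch routine below is an added example, not a script from the original post or from ShapeBlue. It runs the vendor-published local self-test for CVE-2014-6271 on a host (management server, KVM host or system VM template), applies the yum or apt-get command given above, and re-runs the check so the result is verified rather than assumed; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original post). Run as root with --apply to
# check bash, upgrade it if needed, and confirm the fix took effect.

# Prints the package manager the host uses: yum, apt-get or none.
detect_pkg_manager() {
    if command -v yum >/dev/null 2>&1; then
        echo yum
    elif command -v apt-get >/dev/null 2>&1; then
        echo apt-get
    else
        echo none
    fi
}

# Returns 0 if bash ignores the trailing command in an exported function
# definition (patched), 1 if it executes it (vulnerable to CVE-2014-6271),
# 2 if bash is not installed. This is the vendor-published local self-test.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Upgrades only the bash package, using the command the post gives for each
# distribution family. Returns 1 if no supported package manager is present.
patch_bash() {
    case "$(detect_pkg_manager)" in
        yum)     yum -y update bash ;;
        apt-get) apt-get update && apt-get install -y --only-upgrade bash ;;
        *)       echo "no supported package manager found" >&2; return 1 ;;
    esac
}

# Check, patch if needed, then re-check; a patch run is only a success if
# the self-test passes afterwards.
remediate() {
    if check_cve_2014_6271; then echo "bash already patched for CVE-2014-6271"; return 0; fi
    echo "bash vulnerable or missing, upgrading..."
    patch_bash || return 1
    check_cve_2014_6271 && echo "bash now patched" || { echo "still vulnerable" >&2; return 1; }
}

if [ "${1-}" = "--apply" ]; then
    remediate
fi
```

Rebuild any system VM from a patched template only after the template itself passes this check, otherwise the vulnerable bash comes straight back.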
Steve is ShapeBlue’s COO and is responsible for all day-to-day administrative and operational functions of the business, including the consulting, programme management, and support functions.
Involved with CloudStack since 2012, Steve has led several large customer engagements including a number of major public and private cloud deployments; co-ordinated and developed worldwide teams and helped implement and deliver an enterprise grade support product.
Prior to ShapeBlue, Steve held senior technical, project and account management roles in enterprise IT outsourcing companies where he gained domain experience in the finance, professional services and defence markets.
Away from work, Steve is a father, keen guitarist, snowboarder and singer (not necessarily in that order).
Away from work, Steve is a music lover and semi-professional musician. Although he doesn’t speak at many technology conferences, he can sometimes be heard providing the evening entertainment.