Friday, September 26, 2014

Security Alert: bash Code Injection Vulnerability

This morning my colleague Iwan brought this bash code injection vulnerability to my attention. I am no Linux or Unix guy, but when it comes to security this is not to be played with, especially in industries where security and compliance are closely evaluated.

A security vulnerability known as "Shellshock" was found in bash, the shell commonly found on Unix and Linux platforms. You can refer to CVE-2014-6271 and CVE-2014-7169.
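To find out whether a host you administer still has an exposed bash, the two checks below run the publicly documented, harmless probes for CVE-2014-6271 and CVE-2014-7169 against the local bash and report a status word. This is an added example written for this post, not code from the original post or from VMware; the function names are my own, and the probes are the ones published in the vendor advisories (a patched bash ignores the text after the function definition, an unpatched one executes it).

```shell
#!/bin/sh
# Added example (not from the original post): report whether the local bash
# is still exposed to the two Shellshock CVEs named in the post.
# Each check prints one of: vulnerable, patched, no-bash, error.

# CVE-2014-6271: an environment variable holding a function definition
# followed by extra code. A fixed bash does not run the extra code.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo SHOCKED' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *SHOCKED*) echo vulnerable ;;
        *)         echo patched ;;
    esac
}

# CVE-2014-7169: the public follow-up probe. On an unpatched bash the
# malformed definition leaves the parser in a state where the next
# command becomes a redirection and a file named "echo" is created in
# the working directory. Run it in a scratch directory and clean up.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    tmp=$(mktemp -d 2>/dev/null) || { echo error; return 0; }
    (
        cd "$tmp" || exit 1
        env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1
    ) || true
    if [ -e "$tmp/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Human-readable summary, one line per CVE.
shellshock_report() {
    echo "bash binary:   $(command -v bash 2>/dev/null || echo none)"
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
}

shellshock_report
```

A "patched" result only says the two published probes no longer fire on this binary; appliances that embed their own copy of bash (the VMware products listed later in the post are a case in point) have to be checked on the appliance itself, and the vendor's advisory remains the authority on which build is fixed.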

VMware was fast to publish this discovery as well; you can read the post here and follow up with this KB on which products will be impacted. So check back on the KB to see which VMware products are impacted and how to mitigate.

Note that ESXi is not impacted by this "Shellshock" vulnerability.

As for other platforms, you would have to check with your respective principal (vendor) to find out whether it is affected and how to resolve it.

Update 29th Sept 2014
As extracted from CSOOnline, CentOS versions 5-7; Ubuntu 10.04, 12.04, and 14.04 (all LTS versions); Debian; Mac OS X; and Red Hat Enterprise Linux 4-7 are all vulnerable.

Update 30th Sept 2014
The VMware products that are affected are listed in the KB mentioned above. VMware customer portals are NOT affected, as documented in this KB. Great news for those still running out-of-support vSphere 4.x: VMware will also provide an update for ESX 4.x as an exception, even though it is outside VMware's lifecycle policies.

Companies that rely on Linux for the intelligence/functions in their products have also published notes, to list a few: Nutanix has published its support note and an advisory note, TrendMicro a tech note with a list of their affected products, Symantec here, Palo Alto Networks a note, Cisco Systems an advisory, Oracle a Security Alert, etc.

Update 1st Oct 2014
From the list of products in the VMware Security Advisory VMSA-2014-0010, VMware Log Insight is the first product to be patched.

Update 2nd Oct 2014
Shellshock Security Update:
  • vCenter Operations Manager 5.8.3
  • vCloud Automation Center 6.1
  • vCloud Automation Center
  • vCloud Automation Application Services Center 6.1
  • vCloud Application Director 6.0.1
  • vFabric Application Director 5.2
  • IT Business Management Standard 1.1.0 and 1.0.1
  • vCenter Support Assistant
  • vCenter Orchestrator 4.2.3
  • vCenter Orchestrator 5.1.2

Update 3rd Oct 2014
Shellshock Security Update:
  • vCenter Orchestrator
  • vFabric Hyperic 5.0.3
  • vFabric Hyperic 5.7.2
  • vCenter Hyperic 5.8.3
  • vCenter Infrastructure Navigator 2.0.1
  • vCenter Infrastructure Navigator 5.7.1
  • vCenter Infrastructure Navigator 5.8.3
  • vSphere App HA 1.1.1

Xen Project seems to have a larger exposure due to Shellshock. Companies that use Xen as their hypervisor include Citrix, Oracle and Huawei, from what I remember. Read this article.

Update 4th Oct 2014
Shellshock Security Update:

  • vCloud Networking and Security &
  • NSX for vSphere 6.0.7 & 6.1.1
  • NSX for Multi-Hypervisor 4.1.4 & 4.2.1

Update 7th Oct 2014
Check back VMSA-2014-0010 for all the products; as at the time of writing, almost all products have been patched.
