New Exploit in Bash


Postby Nefariousparity » Thu Sep 25, 2014 5:11 pm

Basically it is a code injection attack, where through Apache someone could potentially run commands on your system by having the service issue commands to the command line via bash. It has been a bug in bash for 25 years. The quick and simple test is first anything 4.3 and below.

You can do "#>bash --version" to find the version.

Test code is:

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

If it echoes back busted stuff you are vulnerable.

http://www.troyhunt.com/2014/09/everyth ... about.html
|| DB Schema Version: 1609 || Asterisk 11.25.1-vici || BUILD: 190902-0839 ||VERSION: 2.14-718a||SVN: 3133||10xTelephony||1x Database||1x Slave||1x Web||1x Archive||ViciBox v.8.0.1
Nefariousparity
 
Posts: 327
Joined: Wed Sep 12, 2012 7:01 pm

Re: New Exploit in Bash

Postby williamconley » Fri Sep 26, 2014 2:52 am

Um ... it only exploits if YOU have the system running bash commands and YOU have set that bash command sequence to use ENV variables to hold data that you accepted over the web. Doesn't seem like a particularly good idea on the face of it, and I'm not surprised at all that anyone doing this would get caught with their pants down. But it's not related to Vicidial in any way (in any distro, anywhere, ever), as far as I can tell from the documentation.

Additionally, if you've whitelisted your system (as you should), none of these attackers will have the opportunity to even test your system for the vulnerability. This is why we published Dynamic Good Guys a few years back. Whitelist is the way to go for a server that does not need to be public in the first place.

PS: CGI? Who uses that these days anyway? 8-)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: New Exploit in Bash

Postby geoff3dmg » Fri Sep 26, 2014 3:06 am

CGI can be vulnerable because /bin/sh -> /bin/bash. I checked my Vicibox machines yesterday and they were vulnerable. SUSE were timely with patches though so they've been updated. I agree with William though, you shouldn't let every Tom, Dick and Harry access your ViciDIAL. Defence in depth is a thing.
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz
geoff3dmg
 
Posts: 403
Joined: Tue Jan 29, 2013 4:35 am
Location: Lancashire, UK

Re: New Exploit in Bash

Postby williamconley » Fri Sep 26, 2014 3:31 am

We don't use CGI. CGI being vulnerable means diddley to us. If they decide php is vulnerable, that's a different story. On a funny note, an old client box running Ubuntu is NOT vulnerable. But everything SuSE is. LOL
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: New Exploit in Bash

Postby DomeDan » Fri Sep 26, 2014 4:37 am

Either way, it's a serious vulnerability and it might be exploited through php, asterisk, ssh or any other service on the server
so it should be fixed at the source and not just rely on the whitelist.

Thank you Nefariousparity for posting this! :)
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: New Exploit in Bash

Postby williamconley » Fri Sep 26, 2014 2:24 pm

DomeDan wrote: Either way, it's a serious vulnerability and it might be exploited through php, asterisk, ssh or any other service on the server
so it should be fixed at the source and not just rely on the whitelist.

Thank you Nefariousparity for posting this! :)

Um ... no. It won't be exploited through any process that does not utilize ENV variables in bash. PHP and asterisk do not do this. And anyone who has ssh access to your server already has bash and has no need of this exploit. And in all cases if you have whitelisted your system, the attacker has no access to exploit anything until they find an exploit that will crack IPTABLES from the outside.

This may be a far-reaching vulnerability, but it still has limited scope. The systems affected are major, but they're NOT Vicidial.
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: New Exploit in Bash

Postby gardo » Thu Oct 02, 2014 11:46 pm

Running "yum update" should fix this vulnerability on GOautodial CE. 8)
http://goautodial.com
Empowering the next generation contact centers
gardo
 
Posts: 1926
Joined: Fri Sep 15, 2006 10:24 am
Location: Manila, 1004

Re: New Exploit in Bash

Postby williamconley » Thu Oct 02, 2014 11:54 pm

We've found on most machines on all OSs (still supported ...) that just updating bash solves the problem in 30 seconds.

For instance, in Vicibox:
Code:
env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
zypper --non-interactive up bash
env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
If you see "vulnerable" the first time, the second run after the update should not show it again.
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
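
Added example, not written by any poster in this thread: a local check that combines the two points above, namely what /bin/sh really resolves to and whether the function-definition test from this thread triggers, so it can be run before and after the bash update. The MARKER string, the function names and the default path list are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): local, read-only Shellshock check.
# MARKER and all function names are made up for this sketch.
MARKER=SHOCKED

# Map captured probe output to a verdict.
classify_probe() {
    case $1 in
        *"$MARKER"*) echo vulnerable ;;      # trailing command ran during import
        *ok*)        echo not-vulnerable ;;  # only the requested command ran
        *)           echo unknown ;;         # the shell did not run the command
    esac
}

# Run the thread's env test against one shell binary.
probe_shell() {
    [ -x "$1" ] || { echo missing; return 0; }
    # stderr is dropped: partially patched bash builds print warnings there
    out=$(env probe="() { :;}; echo $MARKER" "$1" -c 'echo ok' 2>/dev/null)
    classify_probe "$out"
}

# Show what a path really points to (e.g. /bin/sh -> /bin/bash) and its verdict.
report_shell() {
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    printf '%s -> %s: %s\n' "$1" "${real:-$1}" "$(probe_shell "$1")"
}

# Probe the given shells, or a default list (assumed paths) when none are given.
audit_shells() {
    [ $# -gt 0 ] || set -- /bin/sh /bin/bash /usr/local/bin/bash
    for sh_path in "$@"; do report_shell "$sh_path"; done
}

audit_shells
```

A "vulnerable" line for /bin/sh means that anything invoking sh with attacker-influenced environment variables reaches the affected bash, which is the CGI case raised earlier in the thread.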

Re: New Exploit in Bash

Postby Nefariousparity » Wed Oct 08, 2014 4:26 pm

Wow, sorry guys, I forgot I posted this in the hasty call center environments I work in! Great extra knowledge! All of my rigs do use the dynamic good guys whitelist. And for anyone outside the office(s) I have set up OpenVPN for them.

Excuse my posting diarrhea if I just posted a possible exploit and ran off without saying anything! You guys have definitely seemed to clear this up.
As a huge fan of ViciBOX and GoAuto, and the glorious community here, I thought I finally had something to contribute instead of asking for help!
Nefariousparity
 
Posts: 327
Joined: Wed Sep 12, 2012 7:01 pm

