Thursday, October 9, 2014

Shellshock and CloudStack [feedly]

// CloudStack Consultancy & CloudStack...

Shellshock is the family of bugs in the Unix Bash shell which allows an attacker to execute arbitrary commands on a vulnerable system, potentially giving that attacker full access to the system. The bug (CVE-2014-6271) was first disclosed on 24 September 2014; upon closer inspection of the code, related vulnerabilities (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187) were discovered. The bug is thought to have been in the Bash code since 1992.

Protecting Against Shellshock Attacks In a CloudStack Environment

The first line of defense is to keep all management functions in a private, firewalled network, denying would-be attackers the opportunity to reach vulnerable systems.

The next step is to patch all management servers (i.e. CloudStack Management servers, MySQL servers, BIND DNS servers etc.) running Linux OSes. Either yum update bash or apt-get update; apt-get install --only-upgrade bash will work on most Linux flavours.

The usual precautions should be taken when doing updates; ensuring you have good backups and taking systems to be patched off-line before commencing.

KVM compute hosts can also be patched in this way using yum or apt-get. For VMware and Citrix based hosts you should consult the relevant vendor's statements on patching. At the time of writing, Citrix's statement with respect to XenServer was that 'some risk may exist for management interfaces', but that they were continuing their analysis. This also applied to the open source versions of XenServer.

Potentially the most complicated step is patching the system VMs: because they can be rebuilt from the templates at any time, the templates must be patched as well, not just the running instances. As the system VMs are Debian based, apt-get update; apt-get install --only-upgrade bash will update bash to a patched version.

The final step is to remind all creators/users of Linux based guest instances to patch their virtual machines.
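The patching steps above mix CentOS/RHEL-style hosts (yum) with Debian-based system VM templates (apt-get) and hosts that need a vendor statement instead. As an added example that is not part of the original post, this POSIX shell script reads each host's /etc/os-release text, prints the matching bash upgrade command, and flags anything it cannot classify; it assumes every Linux host ships /etc/os-release (older CentOS 6 hosts do not and land in the "consult vendor" branch) and the host names and file paths are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Chooses the bash upgrade
# command for a host from its /etc/os-release text so one run covers
# CentOS/RHEL management servers and KVM hosts as well as the Debian-based
# system VM templates. Assumes hosts ship /etc/os-release (assumption:
# CentOS 6 does not, so it falls into the "consult the vendor" branch).

# Read os-release text on stdin and print the upgrade command for that
# distro family. Prints nothing and returns 1 when the family is unknown
# (e.g. XenServer or VMware hosts, which need the vendor's own patches).
bash_upgrade_cmd() {
    ids=$(sed -n 's/^ID=//p; s/^ID_LIKE=//p' | tr -d '"' | tr '\n' ' ')
    case " $ids " in
        *" debian "*|*" ubuntu "*)
            echo 'apt-get update && apt-get install --only-upgrade bash' ;;
        *" rhel "*|*" centos "*|*" fedora "*)
            echo 'yum update bash' ;;
        *)
            return 1 ;;
    esac
}

# Print one "host: command" line per host. Input lines on stdin are
# "<hostname> <path-to-that-host's-os-release>". Nothing is executed, so
# the output is a plan to review before backups are taken and hosts are
# taken offline for patching.
plan_bash_patching() {
    while read -r host osrel; do
        [ -n "$host" ] || continue
        if cmd=$(bash_upgrade_cmd < "$osrel"); then
            echo "$host: $cmd"
        else
            echo "$host: unknown distro, consult the vendor's Shellshock statement"
        fi
    done
}

# Constructed sample hosts; temporary files stand in for /etc/os-release.
tmp=$(mktemp -d)
printf 'ID="centos"\nID_LIKE="rhel fedora"\n' > "$tmp/mgmt01"
printf 'ID=debian\nVERSION_ID="7"\n'          > "$tmp/systemvm-template"
printf 'ID=xenserver\n'                       > "$tmp/xen01"
printf 'mgmt01 %s/mgmt01\nsystemvm-template %s/systemvm-template\nxen01 %s/xen01\n' \
    "$tmp" "$tmp" "$tmp" | plan_bash_patching
rm -rf "$tmp"
```

The printed plan is only the command selection; run the chosen command on each host yourself, and rebuild the system VMs from the patched templates afterwards so they do not come back with the old bash.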

