AutoSys Workload Automation


GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169)

  • 1.  GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169)

    Posted 09-26-2014 12:28 AM

    Around 14:00 GMT on Wednesday September 24 an advisory was published on a serious vulnerability (CVE-2014-6271, CVE-2014-7169) in the Bash shell.

    The Bash shell is a common command interpreter used in most Linux/Unix operating systems as well as Apple Mac OS X.

    The flaw allows an attacker to remotely execute commands by attaching them to variables that can get executed as the shell is invoked.

    This bug scored a 10 out of 10 for both potential damage and ease of exploitation in the Department of Homeland Security vulnerability database.

     

    The following command can be run to test if your system is at risk:

     

    env x='() { :;}; echo shellshock' `which bash` -c "echo completed"

     

    If the word shellshock is printed to stdout then your system is at risk.

     

    If you are not vulnerable, then the following may be shown:

     

    bash: warning: x: ignoring function definition attempt

    bash: error importing function definition for ‘x’

     

    Many vendors, like Red Hat, are releasing guidance on patching the bug. We recommend that all customers take steps to secure systems as a matter of priority. Please note that some patches do not completely address the vulnerability. It will be necessary to look for future patches as they become available from vendors. Contact your operating system vendor for updated information.



  • 2.  Re: GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169)

    Posted 09-26-2014 11:54 AM

    Without wanting to log on to each Linux server I created an ESP Application to use your command.

     

    I added a "| grep shellshock" at the end.

     

    This enables the exit status of the command to be checked.

     

    If it is 0 the vulnerability is present, if it is a 1 the vulnerability is NOT present.

     

    I split the command up into 2 variables (Cmd1 and Cmd2) to avoid continuation characters.

     

    Note the difference between the various punctuation characters.

     

    Using conditional release one of two different SELFCOMPLETING tasks is called.

     

    Output is sent to the user with the SEND command as well as being written to a Variable Table.  You can use both or the method you prefer.

     

    Create the Variable Table with VTDEFINE [Table]

     

    Create the Event to invoke the ESP Application.

     

    Trigger Event for any/all Linux agents

     

    ESP Application

     

    PROCEDURE_SECTION:
    APPL CHKLINUX
    AgentName=%USER1
    AgentChkTable="CHKLINUX"
    Cmd1="env x='() { :;}; echo shellshock' `which bash`"
    Cmd2=" -c 'echo completed'| grep shellshock"

    LINUX_JOB CHKLINUX
       AGENT %USER1
       CMDNAME /bin/bash
       USER <valid user>
       ARGS -c "%Cmd1%Cmd2"
       RELEASE ADD(CHK4FLAW) COND(RC(0))
       RELEASE ADD(PASSFLAW) COND(RC(1))
       EXITCODE 0-1 SUCCESS
       RUN ANYDAY
    ENDJOB

    JOB CHK4FLAW TASK SELFCOMPLETING
       SEND 'Agent %AgentName needs to be checked.' USER(*)
       VSET %AgentName 'FAILED - flaw check' TABLE(%AgentChkTable)
       RUN ANYDAY
    ENDJOB

    JOB PASSFLAW TASK SELFCOMPLETING
       SEND 'Agent %AgentName successfully PASSED flaw check.' USER(*)
       VSET %AgentName 'PASSED - flaw check' TABLE(%AgentChkTable)
       RUN ANYDAY
    ENDJOB
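    The probe from the first post and the exit-status logic of the ESP job above, written as a stand-alone POSIX shell script. This is an added example, not code from the thread or from CA: the function names are mine, it assumes bash is on PATH, and it separates running the probe from classifying its output so the classification can be checked without touching a live host (the verdict strings match the ones the VSET statements write to the table).

```shell
#!/bin/sh
# Added example (not from the thread): run the CVE-2014-6271 probe from the
# first post and turn its output into the same PASSED/FAILED verdict the ESP
# job derives from "| grep shellshock". Assumes bash is on PATH.

# Run the probe. Only stdout is returned; the "ignoring function definition
# attempt" warning a patched bash writes to stderr is discarded.
run_probe() {
    env x='() { :;}; echo shellshock' bash -c 'echo completed' 2>/dev/null
}

# Classify probe output. "shellshock" in stdout means the function body that
# was smuggled in through the environment variable ran before "echo completed",
# i.e. the shell imports and executes trailing commands: the system is exposed.
# Exit status mirrors the ESP job: 0 = flaw present, 1 = flaw absent,
# 2 = no usable output (bash missing, probe did not run).
classify_probe_output() {
    case "$1" in
        *shellshock*) printf 'FAILED - flaw check\n'; return 0 ;;
        *completed*)  printf 'PASSED - flaw check\n'; return 1 ;;
        *)            printf 'UNKNOWN - probe produced no output\n'; return 2 ;;
    esac
}

# Probe the local host and print the verdict for it.
check_local_host() {
    out=$(run_probe)
    classify_probe_output "$out"
}

# "|| :" keeps the script's own exit status from being the verdict code when
# it is sourced or run under "set -e"; callers that want the code call
# check_local_host directly.
check_local_host || :
```

Run it under the agent's job user on each host, or schedule it the way the ESP application does; the numeric status from `check_local_host` is what a RELEASE ... COND(RC(n)) style branch would key on.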



  • 3.  Re: GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169)

    Posted 09-29-2014 11:59 AM

    How is it affecting CA WLA software?



  • 4.  Re: GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169)

    Posted 09-29-2014 12:50 PM

    In terms of Workload Automation AE, CGI (one of the main points of attack) is disabled and not used in the Tomcats supplied with WCC and the Web Server. That is only one attack vector however. Additional Apache hardening guidance is available via the web (e.g. security.stackexchange.com).

    The bash shell can be used in jobs, but that is at the discretion of the users. Bash is not the default shell used by the Workload Automation Agents unless /bin/sh is linked to bash on the system.

    For 11.3.x agents the bash shell can be disabled for jobs by removing bash from the oscomponent.validshell parameter in the agentparm.txt file.

    Also ensure that /bin/sh is not linked to bash.

    Here are the key parameters:

    oscomponent.defaultshell=/bin/sh

    oscomponent.validshell=/usr/bin/sh,/bin/csh,/bin/ksh,/bin/sh,/bin/bash

    oscomponent.checkvalidshell=true

     

    The best step to take to secure your server is to patch or upgrade bash.
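    An added example (not from the thread or from CA) that audits the three oscomponent.* parameters quoted above in an agentparm.txt: it reports whether bash is still listed in oscomponent.validshell, whether oscomponent.checkvalidshell is actually enforcing that list, and whether the configured default shell resolves to bash on the host (the "/bin/sh linked to bash" case). The parameter names come from the reply; the key=value, comma-separated file layout is assumed from the excerpt, the function names are mine, and the sample file at the bottom is constructed with the quoted values.

```shell
#!/bin/sh
# Added example (not from the thread or the product): audit agentparm.txt for
# the oscomponent.* shell parameters. Assumes key=value lines and a
# comma-separated validshell list, as in the quoted excerpt.

# Print the value of key $2 from file $1 (last definition wins; empty if absent).
agentparm_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 if any oscomponent.validshell entry is a bash binary.
validshell_allows_bash() {
    value=$(agentparm_get "$1" 'oscomponent.validshell')
    old_ifs=$IFS; IFS=,
    for shell in $value; do
        case "$shell" in
            */bash) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Print the validshell list with every bash entry removed (the value the reply
# suggests setting); writing it back is left to the operator.
validshell_without_bash() {
    value=$(agentparm_get "$1" 'oscomponent.validshell')
    result=''
    old_ifs=$IFS; IFS=,
    for shell in $value; do
        case "$shell" in
            */bash) ;;
            *) result="${result:+$result,}$shell" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# Return 0 only if the validshell list is enforced.
checkvalidshell_enabled() {
    [ "$(agentparm_get "$1" 'oscomponent.checkvalidshell')" = true ]
}

# Return 0 if oscomponent.defaultshell (default /bin/sh) resolves to bash on
# this host, i.e. /bin/sh is a link to bash despite the parameter looking safe.
defaultshell_is_bash() {
    shell=$(agentparm_get "$1" 'oscomponent.defaultshell')
    shell=${shell:-/bin/sh}
    target=$(readlink -f "$shell" 2>/dev/null || printf '%s' "$shell")
    case "$target" in */bash) return 0 ;; *) return 1 ;; esac
}

# Print a short report for file $1.
audit_agentparm() {
    f=$1
    if validshell_allows_bash "$f"; then
        printf 'validshell lists bash; value without it: %s\n' "$(validshell_without_bash "$f")"
    else
        printf 'validshell does not list bash\n'
    fi
    if checkvalidshell_enabled "$f"; then
        printf 'checkvalidshell=true: the validshell list is enforced\n'
    else
        printf 'checkvalidshell is not true: the validshell list is NOT enforced\n'
    fi
    if defaultshell_is_bash "$f"; then
        printf 'defaultshell resolves to bash on this host\n'
    else
        printf 'defaultshell does not resolve to bash on this host\n'
    fi
}

# Constructed sample using the exact values quoted in the reply.
sample=$(mktemp)
cat > "$sample" <<'EOF'
oscomponent.defaultshell=/bin/sh
oscomponent.validshell=/usr/bin/sh,/bin/csh,/bin/ksh,/bin/sh,/bin/bash
oscomponent.checkvalidshell=true
EOF
audit_agentparm "$sample"
rm -f "$sample"
```

Point `audit_agentparm` at the real agentparm.txt on each agent host; removing bash from the list only helps while checkvalidshell is true, and neither setting matters if the default shell itself is bash, which is why the third check resolves the link rather than trusting the path.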