VMware vSphere


How to Fix BASH CVE-2014-6271 vulnerability

  • 1.  How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 06:31 PM

    Hi, I have a vCenter

    SUSE Linux Enterprise Server 11 (x86_64)

    VERSION = 11

    PATCHLEVEL = 2

    It is vulnerable to bash CVE-2014-6271.

    I have done a

    zypper up bash

    without fixing the problem:

    VCenter:~ # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    vulnerable

    I have read about a patch:

    SUSE alert SUSE-SU-2014:1213-1 (bash) [LWN.net]

    But I can't install it:

    VCenter:~ # zypper in -t patch slessp3-bash-9740

    Loading repository data...

    Reading installed packages...

    'slessp3-bash-9740' not found in package names. Trying capabilities.

    No provider of 'patch:slessp3-bash-9740' found.

    Resolving package dependencies...

    Nothing to do.

    What's wrong?

    Can someone tell me the right procedure?

    Thanks!!!



  • 2.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 06:44 PM

    Well, the KB doesn't talk about it yet:

    VMware KB: VMware assessment of bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2…

    So there might be patches released for the appliance. We will have to wait for updates to the above KB and then update the appliances once a patch is released.

    Now for the unofficial stuff (installing software in VCSA is not officially supported by VMware): I found this blog

    http://www.virten.net/2013/12/howto-install-additional-software-in-vcsa-5/

    Which says the additional step that needs to be done is "zypper addrepo"

    Regards

    Girish



  • 3.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 06:52 PM

    I have tested your "unofficial" way but nothing:

    VCenter:~ # zypper addrepo -f http://download.opensuse.org/distribution/11.2/repo/oss/ opensuse

    Adding repository 'opensuse' [done]

    Repository named 'opensuse' already exists. Please use another alias.

    VCenter:~ # zypper repos -d

    # | Alias    | Name     | Enabled | Refresh | Priority | Type  | URI                                                      | Service

    --+----------+----------+---------+---------+----------+-------+----------------------------------------------------------+--------

    1 | opensuse | opensuse | Yes     | Yes     |   99     | yast2 | http://download.opensuse.org/distribution/11.2/repo/oss/ |       


    VCenter:~ # zypper refresh

    Repository 'opensuse' is up to date.

    All repositories have been refreshed.

    VCenter:~ # zypper se bash

    Loading repository data...

    Reading installed packages...

    S | Name           | Summary                                                           | Type  

    --+----------------+-------------------------------------------------------------------+--------

    i | bash           | The GNU Bourne-Again Shell                                        | package

      | bash-devel     | Include Files mandatory for Development of bash loadable builtins | package

    i | bash-doc       | Documentation how to Use the GNU Bourne-Again Shell               | package

    i | bash-lang      | Languages for package bash                                        | package

      | bash-loadables | Loadable bash builtins                                            | package

    VCenter:~ # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    vulnerable

    this is a test

    Thanks
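    As an added example (not code from any post in this thread): the env-variable test the posters ran, wrapped in a small POSIX sh function so the check can be repeated after each patch attempt or across several hosts. The function names and the marker string are my own choices.

    ```shell
    #!/bin/sh
    # Added example, not from the thread. Reports whether a given bash binary
    # still imports and executes code appended to a function definition passed
    # through the environment (CVE-2014-6271).

    # shellshock_status [BASH_PATH]
    #   Prints exactly one word: vulnerable | patched | missing
    #   The exported value starts with "() {", so an unpatched bash treats it as
    #   a function definition; if the text after the closing brace is executed
    #   too, the marker shows up in the output and the binary is vulnerable.
    shellshock_status() {
        bash_bin="${1:-bash}"
        if ! command -v "$bash_bin" >/dev/null 2>&1; then
            echo missing
            return 0
        fi
        marker="MARKER-$$"          # unique per run so stray output cannot match
        out=$(env "x=() { :;}; echo $marker" "$bash_bin" -c 'echo marker-test' 2>&1)
        case "$out" in
            *"$marker"*)   echo vulnerable ;;
            *marker-test*) echo patched ;;   # command ran, injected tail did not
            *)             echo missing ;;   # bash did not run the command at all
        esac
        return 0
    }

    # scan_shells PATH...: prints "path status" per line; exit code 1 if any
    # listed binary is vulnerable, so the function can gate a larger script.
    scan_shells() {
        rc=0
        for s in "$@"; do
            st=$(shellshock_status "$s")
            [ "$st" = vulnerable ] && rc=1
            printf '%s %s\n' "$s" "$st"
        done
        return $rc
    }

    # Demo run over the usual locations; binaries that are absent report "missing".
    scan_shells bash /bin/bash /usr/local/bin/bash || :
    ```

    Rerun it after `zypper up bash` (or after the appliance update) to confirm the status flips from vulnerable to patched.
    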



  • 4.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 07:03 PM

    Well I looked at the SUSE link you posted and SLES 11 SP2 is not mentioned under affected products. Only the patch is released for SP3 in that link. (SUSE Linux Enterprise Server 11 SP3 for VMware)

    Regards

    Girish



  • 5.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 07:07 PM

    Yes, you are right.

    What do you think about a

    zypper update?

    Update to SP3?

    Thanks



  • 6.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 07:15 PM

    I would recommend waiting for an official patch from VMware. The other way would be to update to an appliance which already has the SP3 version (that would have undergone some level of QA) and then try to install this patch via zypper.

    Regards

    Girish



  • 7.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 07:19 PM

    You are right, an official update is the best solution, but I have this appliance exposed...

    What do you think about an iptables solution?

    I'm thinking about rules to close all input traffic...



  • 8.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 07:23 PM

    Something like this:

    ------------------------------------------------------------------
    ###########
    ## IPTABLES FIREWALL CONFIGURATION
    ###########
    *filter
    ##ALLOW loopback interface
    -A INPUT -i lo -j ACCEPT
    ##ALLOW connections that originate from this server
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ##Block
    -A INPUT -s 61.225.15.0/24 -j DROP
    -A INPUT -s 118.167.0.0/16 -j DROP
    -A INPUT -s 114.45.0.0/16 -j DROP
    -A INPUT -s 121.96.0.0/18 -j DROP
    ##ALLOW ONLY 192.168.0.0 network to the following ports
    -A INPUT -s 192.168.0.0/255.255.0.0 -p tcp --dport 22 -j ACCEPT
    ##ALLOW ANY to the following ports
    #-A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    ##ALLOW specific to the following ports
    #-A INPUT -s 192.168.5.1 -p tcp --dport 995 -j ACCEPT
    -A INPUT -s 192.168.5.1 -p tcp --dport 993 -j ACCEPT
    -A INPUT -s 192.168.5.1 -p tcp --dport 3306 -j ACCEPT
    ##ALLOW icmp
    -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    ##LOGGING
    #-A INPUT -j LOG --log-tcp-options --log-ip-options
    ##DEFAULT set DROP as default rule for each chain
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    COMMIT
    ------------------------------------------------------------------



  • 9.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Sep 26, 2014 07:40 PM

    I wonder if this stops any functionality of the VC. Not sure if it's an effective stopgap until VMware releases a patch. I will let the other experts on the forum comment :smileyhappy:

    Regards

    Girish



  • 10.  RE: How to Fix BASH CVE-2014-6271 vulnerability

    Posted Oct 02, 2014 05:16 PM

    The official bash fix is out from VMware; please check the same and update your VC Appliance to the relevant version.

    http://www.vmware.com/security/advisories/VMSA-2014-0010.html



  • 11.  RE: How to Fix BASH CVE-2014-6271 vulnerability