DNA Evolution Bash Vulnerability Fix Guide

© 2014 StorageDNA, Inc. All rights reserved. The owner or authorized user of a valid copy of DNA Evolution may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies. StorageDNA, DNA Evolution and DNA Sync are trademarks of StorageDNA, Inc. Third-party trademarks are the property of their respective owners.

Page 1 of 7
TABLE OF CONTENTS

INTRODUCTION ........................................................ 3
DIAGNOSTIC STEPS .................................................... 3
  Updating the Bash Shell [Using CentOS/RedHat Repositories] ........ 4
  Updating the Bash Shell [Offline Mode] ............................ 6
FREQUENTLY ASKED QUESTIONS .......................................... 7
REFERENCES .......................................................... 7
INTRODUCTION

Red Hat has recently been made aware of a security vulnerability affecting all versions of the bash package shipped with Red Hat and CentOS products. You may have heard of this security flaw under its popular name, Shellshock. StorageDNA ships its servers pre-loaded with CentOS or Red Hat Linux, and recommends that the patch recently released by Red Hat be installed onto your systems. This patch addresses the vulnerability, which could allow remote, unauthenticated attackers to execute arbitrary code.

Below are detailed instructions that help you identify whether your system is vulnerable and address the issue by installing the patch. You can also contact StorageDNA by opening a support ticket on our site to assist with the installation: http://www.storagedna.com/support/submit_request/

DIAGNOSTIC STEPS

The first step is to log in to your DNA Evolution controller's terminal as the root user. This can be done in multiple ways, such as using Terminal from a Mac OS X system, PuTTY from Windows, or by logging into the Desktop via KVM and using Open Terminal in the right-click menu.

Once you have logged into the DNA Evolution controller, you can optionally test your version of Bash by running the following command to confirm whether it is patched against the Shellshock vulnerability. If you would just like to update your system with the patch, you can skip to the Updating the Bash Shell section.

    # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If the output of the above command contains a line containing only the word "vulnerable", you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Note that different Bash versions will also print different warnings while executing the above command.
Bash versions without any fix produce the following output:

    # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
    vulnerable
    bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
    bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
    bash: error importing function definition for `BASH_FUNC_x'
    test
The fix also ensures that the system is protected from an attacker being able to create a file and execute its contents. To test whether your version of Bash is vulnerable to the CVE-2014-7169 issue, run the following command:

    # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
    bash: x: line 1: syntax error near unexpected token `='
    bash: x: line 1: `'
    bash: error importing function definition for `x'
    Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created. If your system is not vulnerable, you will see output similar to:

    # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
    date
    cat: /tmp/echo: No such file or directory

UPDATING THE BASH SHELL [USING CENTOS/REDHAT REPOSITORIES]

If your system is vulnerable, you can fix these issues by updating to the most recent version of the Bash package with the command below.

NOTE: DO NOT run a full update of the system using the command `yum update` without specifying the bash package as stated below. The DNA Evolution software relies on specific versions of libraries and packages to function properly, and your hardware drivers are built to run on a specific kernel release as well. If you have questions regarding the update or have specific requirements, please contact StorageDNA support.

    # yum update bash

Running the command above downloads the latest Bash shell package from the CentOS or Red Hat repositories, based on your installed distribution. This requires that your server be connected to the LAN so that it can reach the public Internet. If you are using the DNA Evolution Virtual Controller (VC) within VirtualBox/VMware, you will need to ensure that you are using the Bridged Adapter on your Mac to give the virtual controller access to the LAN.
If your server is not connected to the Internet, running the above command will produce output stating that it "Couldn't resolve host", meaning that it could not contact the CentOS/Red Hat repositories to download the patch. If you would like to download the latest Bash packages and copy them to a server that is only connected internally, on a closed private network, or when using the Host Only Network with VirtualBox/VMware, refer to the section Updating the Bash Shell [Offline Mode].
Once the yum command completes, you can verify that you have the correct version of the bash shell loaded by running the command:

    # rpm -q bash

Below is a table outlining the minimum versions of Bash that incorporate the Shellshock fix. You can also optionally rerun the diagnostic commands and ensure that they give you the desired output.

    Product/Channel               Fixed in package
    CentOS Enterprise Linux 5     bash-3.2-33.el5_10.4
    CentOS Enterprise Linux 6     bash-4.1.2-15.el6_5.2
    Red Hat Enterprise Linux 6    bash-4.1.2-15.el6_5.2
                                  bash-4.1.2-15.el6_4.2
    Red Hat Enterprise Linux 5    bash-3.2-33.el5_11.4
                                  bash-3.2-24.el5_6.2
                                  bash-3.2-32.el5_9.3
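To script the comparison against the table above, the following is an added example that is not part of the StorageDNA guide. It takes the text of /etc/redhat-release and of `rpm -q bash` as arguments (so it can be exercised with constructed values), uses the first row of each channel from the table as the minimum, and relies on GNU `sort -V` for the version ordering.

```shell
#!/bin/sh
# Added example, not from the StorageDNA guide: scripts the "did the update
# take?" check. Inputs are the contents of /etc/redhat-release and the output
# of `rpm -q bash`, passed as strings so the logic can be run on sample values.
# Minimums are the first row of each channel in the guide's table; a system on
# an Extended Update Support stream (e.g. el6_4, el5_9) must use that row instead.

# Map a redhat-release line to the guide's minimum fixed bash package.
minimum_bash_for_release() {
    case "$1" in
        "CentOS release 5."*)                          echo "bash-3.2-33.el5_10.4" ;;
        "CentOS release 6."*)                          echo "bash-4.1.2-15.el6_5.2" ;;
        "Red Hat Enterprise Linux Server release 5."*) echo "bash-3.2-33.el5_11.4" ;;
        "Red Hat Enterprise Linux Server release 6."*) echo "bash-4.1.2-15.el6_5.2" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# True if package string $1 sorts at or after $2. GNU sort -V orders these
# particular NEVR strings the same way rpm does (it is not a full rpmvercmp).
pkg_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Prints "fixed", "needs-update" or "unknown-release".
# $1 = /etc/redhat-release contents, $2 = `rpm -q bash` output.
bash_update_status() {
    min=$(minimum_bash_for_release "$1") || { echo "unknown-release"; return 0; }
    pkg=$2
    # rpm -q prints an architecture suffix on EL6; the table entries carry none.
    for arch in .x86_64 .i686 .i386; do pkg=${pkg%$arch}; done
    if pkg_at_least "$pkg" "$min"; then echo "fixed"; else echo "needs-update"; fi
}

# Constructed sample values standing in for the real command output.
bash_update_status "CentOS release 6.5 (Final)" "bash-4.1.2-15.el6_5.1.x86_64"   # needs-update
bash_update_status "CentOS release 6.5 (Final)" "bash-4.1.2-15.el6_5.2.x86_64"   # fixed
```

On a live controller the same function is called as `bash_update_status "$(cat /etc/redhat-release)" "$(rpm -q bash)"`.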
UPDATING THE BASH SHELL [OFFLINE MODE]

If you were unable to update the bash shell using the yum updater, you can download the bash shell RPM packages manually, copy them to the server, and install them. First determine the Linux distribution that you are running by using the command:

    # cat /etc/redhat-release

The output of the command will be one of the following:

    Linux Distribution            Output
    CentOS Enterprise Linux 5     CentOS release 5.XX (Final)
    CentOS Enterprise Linux 6     CentOS release 6.XX (Final)
    Red Hat Enterprise Linux 5    Red Hat Enterprise Linux Server release 5.X (Tikanga)
    Red Hat Enterprise Linux 6    Red Hat Enterprise Linux Server release 6.X (Santiago)

You can download the bash packages from the following sites:

    Linux Distribution            Download Link
    CentOS Enterprise Linux 5     http://mirror.centos.org/centos/5/updates/x86_64/rpms/bash-3.2-33.el5_10.4.x86_64.rpm
    CentOS Enterprise Linux 6     http://mirror.centos.org/centos/6/updates/x86_64/packages/bash-4.1.2-15.el6_5.2.x86_64.rpm
    Red Hat Enterprise Linux 5    Login to Red Hat Customer Portal
    Red Hat Enterprise Linux 6    Login to Red Hat Customer Portal

Now copy the RPM file to the server and run the following command, replacing the filename with the one downloaded for your distribution:

    # yum localinstall bash-4.1.2-15.el6_5.2.x86_64.rpm
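Whichever install path you used, the two diagnostic commands from the Diagnostic Steps section can be rerun as a script; this is an added example, not code from the StorageDNA guide. It assumes a bash binary on PATH and a working mktemp, and runs the CVE-2014-7169 test in a private temporary directory rather than in /tmp.

```shell
#!/bin/sh
# Added example, not from the StorageDNA guide: the two diagnostic commands
# from the Diagnostic Steps section wrapped as functions that print a verdict.
# Assumes a bash binary on PATH and a working mktemp.

# CVE-2014-6271: does bash run code appended after an imported function body?
# Prints "patched", "vulnerable" or "no-bash" (bash not installed).
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env 'x=() { :;}; echo vulnerable' bash -c "echo test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the parser bug that turns "echo date" into a redirection,
# leaving a file named "echo" in the current directory. Runs in a private
# temporary directory instead of /tmp so nothing else on the host is touched.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    dir=$(mktemp -d) || { echo "error"; return 1; }
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result="vulnerable"; else result="patched"; fi
    rm -rf "$dir"
    echo "$result"
}

# Overall verdict: "vulnerable" if either test fails, otherwise "patched"
# ("no-bash" when there is no bash to test).
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    if [ "$a" = "vulnerable" ] || [ "$b" = "vulnerable" ]; then
        echo "vulnerable"
    elif [ "$a" = "no-bash" ]; then
        echo "no-bash"
    else
        echo "patched"
    fi
}

# Report when run directly, e.g. on the DNA Evolution controller as root.
printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\noverall: %s\n' \
    "$(check_cve_2014_6271)" "$(check_cve_2014_7169)" "$(shellshock_status)"
```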
FREQUENTLY ASKED QUESTIONS

Do I need to reboot or restart services after installing this update?

No, a reboot of your system or any of your services is not required. This vulnerability is in the initial import of the process environment from the kernel. This only happens when Bash is started. After the update that fixes this issue is installed, such new processes will use the new code, and will not be vulnerable. Conversely, old processes will not be started again, so the vulnerability does not materialize. If you have a strong reason to suspect that a system was compromised by this vulnerability, then a system reboot should be performed after the update is installed as a best security practice, and security checks should be analyzed for suspicious activity.

REFERENCES

https://access.redhat.com/articles/1200223