On Fri, September 26, 2014 1:14 pm, user-dcee455aaab0@xymon.invalid wrote:
> Hi Henrik,
>
> On Fri, 26 Sep 2014, Henrik Størner wrote:
>> The xymon CGI interface runs via shell wrappers around the actual C cgi
>> code (to set the environment properly), which means this would be an
>> avenue for attack.
>>
>> Indeed, this one is nasty. Fortunately, most Linux systems I know of
>> have /bin/sh linked to /bin/dash and hence are not vulnerable.
>>
>> In light of this, I think it is about time we retire the shell-script
>> wrappers from Xymon. I have written a replacement which is now checked
>> into the 4.3.18 branch.
>>
>> There is a preliminary release of 4.3.18 available on
>> https://www.xymon.com/patches/ - feel free to try it out. I will release
>> 4.3.18 over the weekend unless I find some problems with it.
>>
>> NOTE: Replacing the shell script wrappers means that the cgioptions.cfg
>> file is no longer processed as a shell script. The new wrapper works
>> fine with the default version of cgioptions.cfg, but if you have
>> modified it in a way that it relies on being processed by a shell, then
>> it will break.
>
> I just upgraded bash to the latest from RH/CentOS and I can report that it
> breaks the data from machines using bbwin. They all went purple. To be
> sure my hunch was correct, I downgraded bash to bash-4.1.2-15.el6_5.1.x86_64
> and the purple went away.
>
> Is it expected that the fix you reference above will work with bbwin? I
> have not modified cgioptions.cfg.

That's very strange. Was there anything at all in the logs anywhere when
that was happening? Does BBWin use anything special to communicate in to
Xymon or is it simply submitting on port 1984 like normal?

> I need to wait until the terabithia rpms are updated to upgrade xymon.
>
> Regards,

I've posted a set of 4.3.18-0.0.7471.1 RPMs at
http://terabithia.org/rpms/xymon/testing/ if you're curious to take a
look, but I'm still testing myself and would use caution.

One note: The apache config file needs to be updated to allow
FollowSymLinks in the /xymon-(sec)cgi/ directory, or all dynamic pages
will return with a 403 error. The following line on upgrade should fix it:

    perl -pe 's/Options ExecCGI Includes/Options ExecCGI FollowSymLinks Includes/' -i /etc/httpd/conf.d/xymon.conf && /sbin/service httpd graceful
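As an added example, not code from anyone in this thread nor from the Xymon or terabithia packages: a small POSIX shell script that reports which interpreter /bin/sh resolves to (the check Henrik's dash remark implies) and then verifies a xymon.conf for the FollowSymLinks option the new wrapper needs, applying the same rewrite as the perl one-liner above in a form that is safe to re-run. The config fragment is constructed here, modelled on the Options line quoted in the thread; file paths are assumptions.

```shell
#!/bin/sh
# Added example; paths and the sample config are assumptions/constructed.

# Which interpreter really sits behind /bin/sh (e.g. "dash" or "bash").
sh_implementation() {
    basename "$(readlink -f /bin/sh)"
}

# Write a constructed xymon.conf fragment (modelled on the Options line
# quoted in the thread) to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ScriptAlias /xymon-cgi/ "/usr/lib/xymon/cgi-bin/"
<Directory "/usr/lib/xymon/cgi-bin">
    AllowOverride None
    Options ExecCGI Includes
</Directory>
EOF
    echo "$f"
}

# Print "ok" if every Options line in $1 already allows FollowSymLinks,
# "missing" if at least one does not, "none" if the file has no Options line.
followsymlinks_status() {
    opts=$(grep -E '^[[:space:]]*Options[[:space:]]' "$1")
    [ -n "$opts" ] || { echo none; return 0; }
    if printf '%s\n' "$opts" | grep -qv FollowSymLinks; then
        echo missing
    else
        echo ok
    fi
}

# Same rewrite as the perl one-liner, via a temp file; re-running is harmless
# because a line that already carries FollowSymLinks no longer matches.
fix_followsymlinks() {
    tmp="$1.new.$$"
    sed 's/^\([[:space:]]*\)Options ExecCGI Includes$/\1Options ExecCGI FollowSymLinks Includes/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Stand-alone run: report the shell, then check and fix the sample file.
echo "/bin/sh is $(sh_implementation)"
conf=$(make_sample_conf)
echo "before: $(followsymlinks_status "$conf")"
fix_followsymlinks "$conf"
echo "after:  $(followsymlinks_status "$conf")"
rm -f "$conf"
```

To check a real installation, call followsymlinks_status and fix_followsymlinks on /etc/httpd/conf.d/xymon.conf instead of the sample file, then reload httpd as in the one-liner.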