[Xymon] 'Shell shock' mitigation
J.C. Cleaver
cleaver at terabithia.org
Sat Sep 27 02:55:05 CEST 2014
On Fri, September 26, 2014 1:14 pm, me at tdiehl.org wrote:
> Hi Henrik,
>
> On Fri, 26 Sep 2014, Henrik Størner wrote:
>
>>> The xymon CGI interface runs via shell wrappers around the actual C cgi
>>> code (to set the environment properly), which means this would be an
>>> avenue for attack.
>> Indeed, this one is nasty. Fortunately, most Linux systems I know of
>> have /bin/sh linked to /bin/dash and hence are not vulnerable.
>>
>> In light of this, I think it is about time we retire the shell-script
>> wrappers from Xymon. I have written a replacement which is now checked
>> into the 4.3.18 branch.
>>
>> There is a preliminary release of 4.3.18 available on
>> https://www.xymon.com/patches/ - feel free to try it out. I will release
>> 4.3.18 over the weekend unless I find some problems with it.
>>
>> NOTE: Replacing the shell script wrappers means that the cgioptions.cfg
>> file is no longer processed as a shell script. The new wrapper works
>> fine with the default version of cgioptions.cfg, but it you have
>> modified it in a way that it relies on being processed by a shell, then
>> it will break.
>
>
> I just upgraded bash to the latest from RH/Centos and I can report that it
> breaks the data from machines using bbwin. They all went purple. To be
> sure
> my hunch was correct, I downgraded bash to bash-4.1.2-15.el6_5.1.x86_64
> and
> the purple went away.
>
> Is it expected that the fix you reference above will work with bbwin? I
> have
> not modified cgioptions.cfg.
>
That's very strange. Was there anything at all in the logs anywhere when
that was happening? Does BBWin use anything special to communicate in to
Xymon or is it simply submitting on port 1984 like normal?
>
> I need to wait until the terabithia rpms are updated to upgrade xymon.
>
> Regards,
>
I've posted a set of 4.3.18-0.0.7471.1 RPMs at
http://terabithia.org/rpms/xymon/testing/ if you're curious to take a
look, but I'm still testing myself and would use caution.
One note: The apache config file needs to be updated to allow
FollowSymLinks in the /xymon-(sec)cgi/ directory, or all dynamic pages
will return with a 403 error. The following line on upgrade should fix it:
perl -pe 's/Options ExecCGI Includes/Options ExecCGI FollowSymLinks
Includes/' -i /etc/httpd/conf.d/xymon.conf && /sbin/service httpd graceful
Regards,
-jc
More information about the Xymon
mailing list