[Xymon] 'Shell shock' mitigation

me at tdiehl.org me at tdiehl.org
Mon Sep 29 15:18:13 CEST 2014


On Fri, 26 Sep 2014, J.C. Cleaver wrote:

> On Fri, September 26, 2014 1:14 pm, me at tdiehl.org wrote:
>> Hi Henrik,
>>
>> On Fri, 26 Sep 2014, Henrik Størner wrote:
>>
>>>> The xymon CGI interface runs via shell wrappers around the actual C cgi
>>>> code (to set the environment properly), which means this would be an
>>>> avenue for attack.
>>> Indeed, this one is nasty. Fortunately, most Linux systems I know of
>>> have /bin/sh linked to /bin/dash and hence are not vulnerable.
>>>
>>> In light of this, I think it is about time we retire the shell-script
>>> wrappers from Xymon. I have written a replacement which is now checked
>>> into the 4.3.18 branch.
>>>
>>> There is a preliminary release of 4.3.18 available on
>>> https://www.xymon.com/patches/ - feel free to try it out. I will release
>>> 4.3.18 over the weekend unless I find some problems with it.
>>>
>>> NOTE: Replacing the shell script wrappers means that the cgioptions.cfg
>>> file is no longer processed as a shell script. The new wrapper works
>>> fine with the default version of cgioptions.cfg, but it you have
>>> modified it in a way that it relies on being processed by a shell, then
>>> it will break.
>>
>>
>> I just upgraded bash to the latest from RH/Centos and I can report that it
>> breaks the data from machines using bbwin. They all went purple. To be
>> sure
>> my hunch was correct, I downgraded bash to bash-4.1.2-15.el6_5.1.x86_64
>> and
>> the purple went away.
>>
>> Is it expected that the fix you reference above will work with bbwin? I
>> have
>> not modified cgioptions.cfg.
>>
>
>
> That's very strange. Was there anything at all in the logs anywhere when
> that was happening? Does BBWin use anything special to communicate in to
> Xymon or is it simply submitting on port 1984 like normal?
>
>
>>
>> I need to wait until the terabithia rpms are updated to upgrade xymon.
>>
>> Regards,
>>
>
>
> I've posted a set of 4.3.18-0.0.7471.1 RPMs at
> http://terabithia.org/rpms/xymon/testing/ if you're curious to take a
> look, but I'm still testing myself and would use caution.
>
>
> One note: The apache config file needs to be updated to allow
> FollowSymLinks in the /xymon-(sec)cgi/ directory, or all dynamic pages
> will return with a 403 error. The following line on upgrade should fix it:
>
> perl -pe 's/Options ExecCGI Includes/Options ExecCGI FollowSymLinks
> Includes/' -i /etc/httpd/conf.d/xymon.conf && /sbin/service httpd graceful

I did some poking over the weekend and discovered that when I upgraded xymon
a long time ago, I never looked at the associated .rpmnew files. After updating
the various .rpmnew file including xymonserver.cfg and then applying the bash
update all seems to be working normal.

In addition, I found that the default shell used in the xymon scripts is
/bin/dash. So it looks like the bash exploit was never an issue for my systems.

Regards,

-- 
Tom			me at tdiehl.org		Spamtrap address	 		me123 at tdiehl.org


More information about the Xymon mailing list