Bash CVE-2014-6217 and CVE-2014-7169

CVE-2014-6217 is a critical vulnerability in all versions of GNU Bash, the Bourne Again Shell.This vulnerability allows an attacker to execute arbitrary shell commands any time a Bash shell executes with environmental variables supplied by the attacker. On cPanel & WHM systems, there are numerous entry points where this vulnerability could be exploited. This blog post from Red Hat demonstrates how such attacks are possible: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

CVE-2014-7169 is a second vulnerability in all versions of GNU Bash. This second CVE covers attack vectors that were not fixed in the initial updates for CVE-2014-6217. Targeting CVE-2014-7169 is more complicated for an attacker. The authors of GNU Bash are currently working on updates to address CVE-2014-7169. This article from Red Hat has additional details about this flaw: https://access.redhat.com/articles/1200223

What does this mean for cPanel servers?

cPanel & WHM does not provide any copies of the Bash shell. The Red Hat, CentOS and CloudLinux operating systems that cPanel & WHM is installed on provide the Bash shell as their default /bin/sh interpreter. All three distros have published patched versions of the Bash shell to their mirrors to address CVE-2014-6217. To update any affected servers, run “yum clean all” to clear YUM’s local caches followed by “yum update” to install the patched version of Bash. After Bash is updated you should reboot the system.

You can ensure you are updated by running the command “rpm -q bash”. The package information displayed should match the version numbers provided by Red Hat at https://access.redhat.com/solutions/1207723

Red Hat Enterprise Linux 7 – bash-4.2.45-5.el7_0.2
Red Hat Enterprise Linux 6 – bash-4.1.2-15.el6_5.1
Red Hat Enterprise Linux 5 – bash-3.2-33.el5.1

RedHat, CentOS and CloudLinux are expected to release additional updates to address CVE-2014-7169. Once these updates are released, you should repeat the update process for the new version of Bash.

Notifications about security updates for Red Hat, CentOS, and CloudLinux can be found at the following URLs:

Red Hat http://www.redhat.com/mailman/listinfo/rhsa-announce
CentOS http://lists.centos.org/mailman/listinfo/centos-announce
CloudLinux http://cloudlinux.com/blog/

What steps do I need to take as an Admin/root of our servers running cPanel & WHM?

Once the RPM of Bash has been updated and the system rebooted, you are fully protected.

cPanel also recommends that you configure the system to automatically update both the base operating system and the cPanel & WHM software automatically. These settings are located in WHM’s “Update Preferences” interface.