KbA0013: CopperCube Bash/Shellshock Vulnerability

Description

Is the Coppercube vulnerable to the GNU Bash environment bug (a.k.a. ShellShock, Bash Bug)?

What is ShellShock?

A flaw in one of the Linux command-line processors (the ‘bash’ shell) allows remote attackers to execute arbitrary code via a crafted environment.

A number of vulnerability advisories have been assigned by NIST relating to this issue. See: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

CVE-2014-6271: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."

CVE-2014-6277: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code…

Et al.

Is the Coppercube affected?

Yes. The Coppercube uses a version of Linux (Ubuntu 12.04) that uses the vulnerable version of the Bash shell.

What can be done about it?

The problem can be corrected by updating the Coppercube to use a fixed bash version; specifically, bash 4.2-2ubuntu2.2. This requires the assistance of CopperTree Customer Solutions and remote access to the Coppercube. The next release of the Coppercube (1.11) will include this fixed ‘bash’ version.
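To confirm the result once an update has been applied, the following added example (not CopperTree code) compares the installed bash package with the fixed version named above and probes whether bash still runs text that trails a function definition in an environment variable. The function names, the marker string and the /bin/bash path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not CopperTree code. Run in a shell on the device itself.
FIXED_VERSION="4.2-2ubuntu2.2"   # fixed bash package version named in this article

# 0 if package version $1 is at or above FIXED_VERSION, 1 otherwise.
# dpkg does the comparison when present; the sort -V fallback is an
# approximation that holds for versions shaped like 4.2-2ubuntuN.M.
version_is_fixed() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$FIXED_VERSION"
    else
        lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)
        [ "$lowest" = "$FIXED_VERSION" ]
    fi
}

# 0 if the bash binary $1 runs text that follows a function definition in an
# environment variable (the CVE-2014-6271 behaviour), 1 if not, 2 if missing.
# Covers CVE-2014-6271 only; the later CVEs still need the package check.
bash_runs_trailing_text() {
    shell_path="${1:-/bin/bash}"   # assumed location of bash
    [ -x "$shell_path" ] || return 2
    out=$(env probe='() { :;}; echo TRAILING_TEXT_RAN' "$shell_path" -c true 2>/dev/null) || true
    case "$out" in
        *TRAILING_TEXT_RAN*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per check for the local machine.
report() {
    installed=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || installed=""
    if [ -z "$installed" ]; then
        echo "package: bash version not available from dpkg-query"
    elif version_is_fixed "$installed"; then
        echo "package: bash $installed is at or above $FIXED_VERSION"
    else
        echo "package: bash $installed is older than $FIXED_VERSION"
    fi
    if bash_runs_trailing_text /bin/bash; then
        echo "behaviour: /bin/bash ran trailing text from the environment"
    else
        echo "behaviour: /bin/bash did not run trailing text (or is absent)"
    fi
}
report
```

A device that passes the behavioural probe but reports a package older than the fixed version should still be treated as unpatched, since the probe exercises only the first of the listed CVEs.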

What if I choose not to update?

If your Coppercube is not accessible from the Internet, then you have little to worry about. The documented attack vectors involve either:

  • a web server calling the shell using the Apache mod_cgi (which the Coppercube does not use);
  • a web server calling the shell with user-supplied commands (which the Coppercube does not support);
  • direct access to the bash shell, meaning the attacker already has login permissions; or
  • via compromised network services (i.e. DHCP), meaning your network is already at far greater risk.

If your Coppercube is exposed to the Internet then it is possible (however unlikely) that it could be compromised, and so we recommend having it updated.