Categories
Asterisk Support Blog Elastix Support Knowledge Base Security

Shellshocked by Bash !

Well any one in IT and many people who never have anything todo with dirty working of *nix operating systems including Apples OSX cant have missed the news about the latest venerability. This is hot on the heels of teh OpenSSl one and the NTP one before that.

All these have different levels of risk, The NTP one was just a pain easily fixed and could cause little damage, The Openssl one was more of a risk as it allowed hackers to read the memory of systems using certain versions of OpenSSL nicknamed Heartbleed. Now the Bash one is fairly simple to exploit and has been now seen in the wild which in the case of Heartbleed it wasn’t really exploited in the wild.

So how do you test. simple , just type

env x='() { :;}; echo vulnerable’ bash -c “test”

and if it comes back saying Vulnerable update bash.

Great easy you say, well it was spent half a day checking 40 odd servers and updating bash. But then the update they rolled out want enough so today went back round updating again.

It has to be noted that some repositories were running slow and in teh case of one (SCHMOOZE) they hadn’t got the latest patch live by mid day.

It was pleasing how most suppliers were open and concise on what to check and how to fix. I was rather disappointed with  another Asterisk Based PBX distro who instead of publishing how to check and what to do, told users to download a script and run that, I don’t think its a good idea to hide security measures, If people deploy systems they need to know how to secure them.

I wonder whats next? , After spending 2 days on this now looking at setting up a Puppet server, This has cost me a day of my time and i’m meant to be installing a queuemetrics call center for a customer…