Xinuos addresses questions about the “Shellshock” software security bug
September 29, 2014
Xinuos would like to inform its customers that it has been working on the “Shellshock” software security bug since its discovery on September 24, 2014. As of September 29, 2014, the entire UNIX community is still working on a definitive solution.
However, the severity is lower on UnixWare and OpenServer systems than on some other operating systems, because Xinuos does not use BASH for system utilities; BASH is available on UnixWare and OpenServer only for customers’ optional use.
In the meantime, customers are advised as follows:
- Who can exploit this vulnerability?
Someone who already has attained login access to the operating system on which bash is installed.
- What can they do?
A malicious user can gain unauthorized root privileges and thereby access every file on the system, to read, modify or remove it.
- Why is this "worse than Heartbleed" ( http://en.wikipedia.org/wiki/Heartbleed )?
Shellshock is more prevalent, since the flaw has been in BASH since its inception. It may, however, be considered less dangerous than Heartbleed, since it cannot easily be used to gain access to a system on which the user does not already have access. In some cases, however, certain CGI scripts running under bash may be vulnerable to attack.
- Is Xinuos going to provide a patch?
Xinuos is working on a definitive patch for all major releases, although the timing is yet to be determined. The patch will be released to UnixWare customers first, then to customers using OpenServer 6, and finally to customers using OpenServer 5.
- What can I do to protect my system until a fixed bash is available from Xinuos?
- If you do not depend on BASH for your operations: remove it from your system.
- If you depend on BASH for your operations: immediately restrict its use to the root user only (and ensure that other users do not have root privileges in SCOAdmin) with the following change-owner and change-permissions commands, run against the bash binary:
chown root:sys bash
chmod 700 bash
- Rewrite any CGI scripts running under bash to use /bin/sh or /bin/ksh.
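The following script is an added example, not Xinuos's own tooling, showing the two interim steps above as reusable shell functions: an inventory of CGI scripts whose shebang still invokes bash (the ones that need rewriting for /bin/sh or /bin/ksh), and the chown/chmod change applied to a bash binary at a caller-supplied path. The sample CGI directory it builds is constructed for demonstration; the real binary path and CGI directory are assumptions the operator fills in.

```shell
#!/bin/sh
# Added example, not Xinuos's own script: helpers for the advisory's interim mitigation.
# Assumptions (not from the advisory): the caller supplies the bash binary path and the
# CGI directory; make_sample_cgi_dir builds a constructed sample tree for demonstration.

# Return 0 if a script's first line (shebang) invokes bash, e.g. "#!/bin/bash" or
# "#!/usr/bin/env bash", and 1 otherwise.
uses_bash_shebang() {
    head -n 1 "$1" 2>/dev/null | grep -q -E '^#!.*(/|[[:space:]])bash([[:space:]]|$)'
}

# Print every regular file under directory $1 whose shebang runs bash; these are the
# CGI scripts the advisory says to rewrite for /bin/sh or /bin/ksh.
find_bash_cgi_scripts() {
    find "$1" -type f -print | while read -r f; do
        if uses_bash_shebang "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Apply the advisory's ownership and permission change to the bash binary at path $1:
# chmod 700 first (the file owner can do this), then chown root:sys (requires root).
restrict_bash() {
    [ -f "$1" ] || { printf 'restrict_bash: no such file: %s\n' "$1" >&2; return 1; }
    chmod 700 "$1" || return 1
    chown root:sys "$1" || return 1
}

# Permission string for path $1 as shown by ls -l, e.g. "-rwx------" after chmod 700.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Build a throwaway directory of constructed sample CGI scripts and print its path:
# two use bash (one directly, one via env), one uses /bin/sh, one is not a script.
make_sample_cgi_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$d/a.cgi"
    printf '#!/usr/bin/env bash\necho hi\n' > "$d/b.cgi"
    printf '#!/bin/sh\necho ok\n' > "$d/c.cgi"
    printf 'not a script\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample directory only; nothing on the real system is
# touched. On a real host, run find_bash_cgi_scripts against the web server's CGI directory
# and restrict_bash (as root) against the installed bash binary.
demo_dir=$(make_sample_cgi_dir)
echo "CGI scripts still depending on bash:"
find_bash_cgi_scripts "$demo_dir"
rm -rf "$demo_dir"
```

The shebang check deliberately matches both `#!/bin/bash` and `#!/usr/bin/env bash`, since a CGI script started through `env` still runs under bash. `restrict_bash` applies chmod before chown so that a non-root run still tightens the mode and reports the ownership step as the failure, rather than changing nothing.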
San Mateo, CA 94403