UPDATE: Xinuos addresses the “Shellshock” software security bug and releases a fix for UnixWare operating systems; OpenServer fix expected shortly.

October 1, 2014

Xinuos would like to inform its customers that it has been working on the “Shellshock” software security bug since its discovery on September 24, 2014. Xinuos released a patch - bash-4.3.27 - for UnixWare 7.1.4 and 7.1.4+, which is available for download immediately; a patch for OpenServer operating systems is expected shortly.

For information, the level of severity is lower on UnixWare and OpenServer systems than on some other operating systems because Xinuos does not make use of BASH for system utilities; BASH is available on UnixWare and OpenServer for the customers’ optional use.

In the meantime, customers are advised on the following:

  1. Who can exploit this vulnerability?
    Someone who already has attained login access to the operating system on which bash is installed.
  2. What can they do?
    A malicious user can gain unauthorized root privilege and have access to every file on a system, to read it or to modify or remove it.
  3. Why is this "worse than Heartbleed"?
    Shellshock is more prevalent since it has been in BASH since its inception. It may nevertheless be considered less dangerous since, unlike Heartbleed, it cannot easily be used to gain access to a system where a user does not already have access. However, in some cases certain CGI scripts running on bash may be vulnerable to attack.
  4. What can I do to protect my system until a fixed bash is available from Xinuos?
    • If you are on UnixWare, please install the patch with the instructions below.
    • If you are on OpenServer and you do not depend on BASH for your operations: remove it from your system.
    • If you are on OpenServer and you depend on BASH for your operations: immediately restrict its use to root users only (and ensure that other users do not have root privileges in SCOAdmin) with the following change owner and change access permissions commands:
      chown root:sys bash
      chmod 700 bash
      Rewrite any CGI scripts running on bash to use /bin/sh or /bin/ksh.
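
An added example, not part of the Xinuos advisory: a POSIX sh audit of the two interim OpenServer measures in item 4, checking that the bash binary is mode 700 with the expected owner and listing scripts whose "#!" line still names bash. The function names and the two path arguments are assumptions; supply the locations used on your own system.

```shell
#!/bin/sh
# Added example (not Xinuos code): audit the interim bash mitigations.

# Print the interpreter basename from a script's "#!" line, e.g. "bash".
# Handles "#!/bin/bash", "#! /bin/bash -e" and "#!/usr/bin/env bash".
script_interp() {
    [ -r "$1" ] || return 1
    line=$(head -n 1 "$1" | tr -d '\r')      # tolerate CRLF line endings
    case $line in '#!'*) ;; *) return 1 ;; esac
    set -f; set -- ${line#'#!'}; set +f      # split into words, no globbing
    interp=${1##*/}
    if [ "$interp" = env ]; then interp=${2##*/}; fi
    printf '%s\n' "$interp"
}

# List every regular file under DIR whose interpreter is bash; these are the
# scripts the advisory says to rewrite for /bin/sh or /bin/ksh.
find_bash_cgi() {
    find "$1" -type f | while IFS= read -r f; do
        if [ "$(script_interp "$f")" = bash ]; then printf '%s\n' "$f"; fi
    done
}

# Succeed only if FILE has mode 700 and is owned by OWNER (default root),
# the state left by "chown root:sys bash" and "chmod 700 bash".
bash_restricted() {
    want=${2:-root}
    set -- $(ls -ld "$1" 2>/dev/null)        # fields: perms links owner group ...
    [ "$(printf '%s' "$1" | cut -c1-10)" = "-rwx------" ] && [ "$3" = "$want" ]
}

# Usage: sh audit.sh BASH_PATH CGI_DIR   (both paths are site-specific assumptions)
if [ $# -eq 2 ]; then
    bash_restricted "$1" || echo "NOT RESTRICTED: $1 (want owner root, mode 700)"
    find_bash_cgi "$2" | sed 's/^/CGI STILL RUNS ON BASH: /'
fi
```

Run it again after making changes; no output means the bash binary is restricted and no script under the given directory names bash as its interpreter.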

INSTRUCTIONS FOR INSTALLING BASH-4.3.27 ON UNIXWARE (NOT OPENSERVER)

This patch provides the fixes for the security issues identified as CVE-2014-6271, CVE-2014-7169, CVE-2014-6277 and CVE-2014-7187. If you have any questions regarding this patch, or the product on which it is installed, please contact your software supplier.

  1. Download the bash-4.3.27.image file to the /tmp directory on your system.
  2. As root, add the package to your system using these commands:
    $ su -
    Password: type your root password
    # pkgadd -d /tmp/bash-4.3.27.image

    or:

    $ su -
    Password: type your root password
    # pkgadd -qd /tmp/bash-4.3.27.image all

  3. There is no need to reboot the system after installing this package.

Media Contact

Rosie Hausler
Phone: +1 (425) 301-6740

Xinuos Inc.
1900 South Norfolk Street
Suite 350
San Mateo, CA 94403
USA
Phone: +1 (800) 301-6740
Internet: http://www.xinuos.com