Having recovered from the recent Heartbleed vulnerabilities we now have another headline grabbing vulnerability to keep us all busy.
First let me say that our product should be perfectly safe and secure unless you’ve already shared your passwords or forgotten to run “lbsecure”. You would actually need to allow someone access to SSH or the WebUI in order for them to interact with bash.
To explain why this issue is serious(although not for us) let me tell you what can be exploited. The issue itself is that bash uses environment variables which can be edited in such a way that they could be used to run commands the next time that bash is called. So how could this happen? Well it could be that someone tricks you into changing a variable, it could be you gave someone access to SSH who shouldn’t or even that you allowed someone access to the WebUI itself. Obviously the key here is that some kind of access was required or at the very least you followed advice without knowing what you were really doing.
Personally this issue is like a lot of vulnerabilities, it requires that an attacker has some access to the system before any harm can be done.
For those of you still concerned it’s easy enough to update as we use a highly customised version of CentOS 6 and we always allow customers full root access to their appliance.
Running the following command will update bash on your appliance :
yum update bash
We will also be including the updated bash in our next release(V7.6.3) so alternatively wait.
For those running our EC2 appliance this has already been updated, however, if running an older revision(before 1.7.1) the above should still apply.
You Can Learn More About the LoadBalancer.org’s Product Line By Going to www.LoadBalancerSolutions.com/LoadBalancer-org
The original article/video can be found at Shell-shocked by shell shock? Bash vulnerability explained.