[OpenSIPS-Users] [IMPORTANT] Shellshock bash vulnerability and OpenSIPS

Liviu Chircu liviu at opensips.org
Wed Oct 1 20:56:23 CEST 2014 

Hello all,

The following email addresses a serious security issue (10/10 note on 
severity) which may/may not affect existing
OpenSIPS-based platforms. [1]

The issue was disclosed in September and is commonly named "Shellshock". 
You can read all about it on Wikipedia [2].
Long story short, it is a GNU Bash vulnerability in the code which 
handles environment variables.

It also seems that under the "right conditions", any version of an 
OpenSIPS server can be vulnerable to this exploit.

The following are the "right conditions":
     * your /bin/sh is vulnerable to Shellshock. You can test this with 
the following command:
         env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
     * your OpenSIPS uses the "exec" module
     * you have not disabled the "setvars" modparam of exec [3]

If *all* of the above conditions are true, then you are vulnerable to 
some cleverly crafted INVITE requests. An attacker
could remotely execute code with the privileges of your OpenSIPS daemon 
user!

Ways to fix the issue (*any* of them is enough):
     * upgrade your bash shell to a non-vulnerable version
     * if you are not using the environment variables in your exec 
scripts, then skip them:
         modparam("exec", "setvars", 0)

Note on broken backwards-compatibility:
     We have disabled the "setvars" parameter by default in all 
supported OpenSIPS versions. If you were using the
environment variables in your exec scripts, make sure you update your 
OpenSIPS script and bash shell after
performing an upgrade to the daily OpenSIPS builds.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
[2]: http://en.wikipedia.org/wiki/Shellshock_(software_bug)
[3]: http://www.opensips.org/html/docs/modules/1.12.x/exec.html#id248413

Best regards,

-- 
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20141001/033a8004/attachment.htm>

More information about the Users mailing list