[OpenSIPS-Users] [IMPORTANT] Shellshock bash vulnerability and OpenSIPS

Jens Sauer sauer.jens at yahoo.de
Wed Oct 1 21:49:18 CEST 2014


Hello Chircu,

thanks for the information.

regards

Jens Sauer



Liviu Chircu <liviu at opensips.org> wrote on Wednesday, 1 October 2014 at 20:56:

Hello all,

The following email addresses a serious security issue (rated 10/10 for severity) which may or may not affect existing OpenSIPS-based platforms. [1]

The issue was disclosed in September and is commonly named "Shellshock". You can read all about it on Wikipedia [2]. Long story short, it is a GNU Bash vulnerability in the code which handles environment variables.

It also seems that under the "right conditions", any version of an OpenSIPS server can be vulnerable to this exploit.

The following are the "right conditions":
    * your /bin/sh is vulnerable to Shellshock. You can test this with the following command:
        env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
    * your OpenSIPS uses the "exec" module
    * you have not disabled the "setvars" modparam of exec [3]

If all of the above conditions are true, then you are vulnerable to some cleverly crafted INVITE requests. An attacker could remotely execute code with the privileges of your OpenSIPS daemon user!

Ways to fix the issue (any of them is enough):
    * upgrade your bash shell to a non-vulnerable version
    * if you are not using the environment variables in your exec scripts, then skip them:
        modparam("exec", "setvars", 0)

Note on broken backwards-compatibility:
    We have disabled the "setvars" parameter by default in all supported OpenSIPS versions. If you were using the environment variables in your exec scripts, make sure you update your OpenSIPS script and bash shell after performing an upgrade to the daily OpenSIPS builds.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
[2]: http://en.wikipedia.org/wiki/Shellshock_(software_bug)
[3]: http://www.opensips.org/html/docs/modules/1.12.x/exec.html#id248413

Best regards,
 
-- 
Liviu Chircu
OpenSIPS Developer http://www.opensips-solutions.com
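The three "right conditions" in the mail above can be checked mechanically. The script below is an added example for this thread, not code from the OpenSIPS project or from either poster: it runs the same Shellshock probe the mail gives against a shell binary, and scans an opensips.cfg for `loadmodule "exec.so"` and for an explicit `modparam("exec", "setvars", 0)`. The config snippets in the comments are constructed for illustration; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the OpenSIPS list post): audit a host for the
# three conditions under which the exec module exposes CVE-2014-6271.

# Returns 0 (true) when the shell binary executes code smuggled through an
# environment variable, i.e. the probe from the mail prints "vulnerable".
shell_is_shellshock_vulnerable() {
    sh_bin="${1:-/bin/sh}"
    out=$(env x='() { :;}; echo vulnerable' "$sh_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Reads an opensips.cfg on stdin and prints exactly one of:
#   no-exec           exec.so is not loaded
#   setvars-disabled  exec.so loaded and modparam("exec", "setvars", 0) present
#   setvars-enabled   exec.so loaded, setvars not explicitly disabled
#                     (the pre-fix default, which exported SIP headers into
#                     the environment of the spawned shell)
exec_setvars_state() {
    awk '
        # drop "#" and "//" comments so a commented-out modparam does not count
        { sub(/#.*/, ""); sub(/\/\/.*/, "") }
        /loadmodule[[:space:]]+"exec\.so"/ { loaded = 1 }
        /modparam[[:space:]]*\([[:space:]]*"exec"[[:space:]]*,[[:space:]]*"setvars"[[:space:]]*,[[:space:]]*0[[:space:]]*\)/ { disabled = 1 }
        END {
            if (!loaded)       print "no-exec"
            else if (disabled) print "setvars-disabled"
            else               print "setvars-enabled"
        }'
}

# Combines both checks for a config file and a shell binary.
# Prints a verdict and returns 1 only when every condition from the mail holds.
audit_opensips_host() {
    cfg="$1"
    sh_bin="${2:-/bin/sh}"
    state=$(exec_setvars_state < "$cfg")
    if [ "$state" = "setvars-enabled" ] && shell_is_shellshock_vulnerable "$sh_bin"; then
        echo "VULNERABLE: patch bash or add modparam(\"exec\", \"setvars\", 0) to $cfg"
        return 1
    fi
    echo "ok ($state; shell probe negative or exec not exposed)"
    return 0
}

# Usage (hypothetical paths):
#   audit_opensips_host /etc/opensips/opensips.cfg /bin/sh
```

`exec_setvars_state` reports `setvars-enabled` when exec is loaded and setvars is either unset or set to a non-zero value, which is the state the mail describes as exposed on pre-fix builds; a commented-out `modparam` line is deliberately ignored so it cannot mask the finding. Only the combination of `setvars-enabled` and a positive shell probe is reported as vulnerable, matching the "all of the above" wording in the original message.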
_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users