According to VMware's "Investigating bash command injection vulnerability aka Shell Shock (CVE-2014-6271, CVE-2014-7...)", VMware is investigating the impacts of the Bash security vulnerability on VMware products.
What do you think about the possible impact on ESXi hosts? Vulnerable to remote code execution or not?
ESX server is running busybox and is almost certainly not affected.
Neither is vCenter I guess.
But all appliances must be affected, and I guess vCNS, but attack vector should be a mitigating factor as most services will not be externally available.
Bump. Need a response pretty quick.
I ran the quick-test below on ESXi 5.1 and 5.5, and it didn't work. I hope that means we're safe.
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
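A slightly broader form of that quick test, added here as an example (not part of the original thread): it first checks whether the target shell is bash at all (ESXi's /bin/sh is busybox, so the probe cannot tell you anything about bash there), and only then runs the environment-function probe, so each shell gets one of the verdicts "missing", "not-bash", "patched" or "vulnerable". The shell paths in the loop are assumptions; adjust them for the appliance being checked.

```shell
#!/bin/sh
# Added example, not from the thread. Classify one shell binary with respect
# to CVE-2014-6271 (trailing command after an imported function definition).
shellshock_verdict() {
    sh_bin="$1"
    # A path that does not exist or is not executable tells us nothing.
    [ -x "$sh_bin" ] || { echo "missing"; return 0; }
    # Only bash exports BASH_VERSION; busybox ash, dash etc. leave it empty,
    # so the probe below would be meaningless for them.
    ver=$("$sh_bin" -c 'echo "$BASH_VERSION"' 2>/dev/null)
    [ -n "$ver" ] || { echo "not-bash"; return 0; }
    # Same probe as in the thread: a patched bash ignores the text after the
    # function body, a vulnerable one executes it while importing X.
    out=$(env X='() { :;}; echo VULNERABLE' "$sh_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Candidate shell paths (assumed); run over each and print the verdict.
for s in /bin/sh /bin/bash /usr/bin/bash; do
    printf '%s: %s\n' "$s" "$(shellshock_verdict "$s")"
done
```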
vCloud Usage Meter 3.3 IS AFFECTED.
That's the only VMware related appliance I've found affected.
For now you can just assume that all SUSE-based appliances are affected...
A KB is now available @
Regards
Girish
Hi, adding to the best answer, I have to say that, although ESXi's busybox is not directly affected, vCenter Server Appliance is, as is almost every Virtual Appliance for vSphere and vCloud that runs on GNU/Linux. Management lockdown should be the rule right now, especially if this post is true (as an infrastructure specialist, I can't read C). Troy Hunt: Everything you need to know about the Shellshock Bash bug
Best Regards.
MR.
Does anybody know if the vShield Manager 5.1.4.1912202 is affected by shellshock? Thanks!!
It's a bit early to tell, not sure if it is running bash at all?
Your vShield Manager should have limited exposure, so that is a limiting factor.
I would be more concerned about vShield EDGE as that has a potentially larger attack surface.
It seems like VMware is doing the proper thing and disabling parsing in bash altogether.
Probably requires a lot more QA testing, but mitigates future parser bugs that are most likely coming.
http://www.openwall.com/lists/oss-security/2014/09/29/43
- Anders
While not mentioning vShield Manager in particular, the KB article lists "vCloud Networking and Security 5.x (aka VMware Shield 5.x)" which the vShield Manager virtual appliance is a part of.
Since the vShield Manager virtual appliance runs a full GNU/Linux OS underneath, I'm 99% certain it has a bash and is thus affected as well, like all the other virtual appliances. In fact, I'm not aware of any VMware virtual appliance that doesn't have a bash shell (feel free to correct me if I'm wrong).
That's quite interesting.
This raises the general issue of virtual appliances and patching once again. The GNU/Linux OS running in pretty much all appliances is just a customized version of another popular distribution (mostly SUSE in VMware's VAs), so in theory you could just update with the distribution's default packages instead of having to wait for vendors to publish their "certified" updates.
I completely agree that QA is important and it can be problematic for certain packages like Java, web server or database software and their dependent libraries. But updates to more "generic" applications like bash or openssl (Heartbleed), which only fix a very specific code area, shouldn't cause any issues in the applications.
Given the severity of bugs like Shellshock and Heartbleed, there might be limited patience in some environments with waiting for vendors to repackage fixes that have been released for some time.
That "updating" a virtual appliance sometimes means "deploy a new VA from scratch and migrate data" doesn't help in that regard either.
Thanks for the replies, MKguy and Basefarm.
VMware now has released a security advisory on the same:
This has a more comprehensive list of products affected and whether a patch will be made available.
VMSA-2014-0010
Regards
Girish