On Wednesday, September 24th, 2014, a vulnerability was revealed in the Bash shell interpreter, which we run, like nearly every Linux system online. Due to the news coverage this exploit (CVE-2014-6271) has gotten, our loyal customers have been asking whether we have patched our systems and what else we may have done. The short answer is that we put steps in place to mitigate the risk, and once patches were available we patched our systems. At this time none of our systems are vulnerable to this exploit. I thought, though, that it would be good to address some questions and give a bit of background information regarding the exploit.
Our team was notified of the exploit soon after it became public, as we actively subscribe to numerous security-related mailing lists. The vulnerability had several potential entry points, such as cPanel’s own internal CGI scripts as well as user-based CGI scripts. We immediately put mitigation steps in place to help protect our systems without compromising our ability to continue serving web sites.
The patch to address CVE-2014-6271 was released, and within 30 minutes our systems were updating to the newly available version of bash. It took approximately 30 minutes due to the reliability of the local mirrors for our systems. Upon updating, we reloaded all system libraries and updated user cages. Our use of CageFS, which creates separation between users, required that the system copy the new bash binary to each user’s cage.
Shortly after we updated our systems, it was revealed that the patch did not address all scenarios and the risk of remote code execution still existed. CVE-2014-7169 was assigned to track this flaw, which we immediately followed closely while awaiting a patch. Once this patch was available, we once again had all systems updated within 30 minutes.
As of this moment we have taken the additional step of installing LiteSpeed 4.2.16 on all systems, which actively filters the Bash Shellshock vulnerability. While not necessary, it adds an additional layer of protection to all our systems.
If you’re running a virtual private server with us, we did not log in to your VPS and patch this vulnerability. If you’re running cPanel on CentOS 5 or CentOS 6 and you have automatic updates turned on, you should be updated within the next 24 hours. If you do not, you will need to upgrade manually yourself. If you have any questions about this, we encourage you to contact our support team, who can assist you.
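For VPS customers doing the update themselves, here is a small self-check script added to this post as an example (it is not Hawk Host tooling). It runs the widely published harmless probe for CVE-2014-6271 against a bash binary, reports whether that binary is patched, and wraps the CentOS 5/6 package update step. The function names are this example’s own, and the probe only echoes a marker; it does not change anything on the system. Pass a path to check a bash copy other than the one on your PATH.

```shell
#!/bin/sh
# Added example, not Hawk Host's own code: Shellshock (CVE-2014-6271) self-check
# plus the CentOS update step from the post. Function names are assumptions
# made for this example.

# shellshock_check [path-to-bash]
# Prints "vulnerable" if the given bash still imports a function definition
# from an arbitrary environment variable and runs the command that trails it,
# "patched" if it treats the variable as a plain string, "missing" if the
# binary cannot be found.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # A vulnerable bash parses $probe as a function and executes the trailing
    # echo on startup; a patched bash ignores it (possibly warning on stderr,
    # which we discard) and only prints "done".
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# shellshock_update
# Remediation for the cPanel on CentOS 5/6 case: pull the fixed bash package
# from the distribution repository. Requires root. Not called by the check.
shellshock_update() {
    if command -v yum >/dev/null 2>&1; then
        yum -y update bash
    else
        echo "yum not found: update bash with your distribution's package manager" >&2
        return 1
    fi
}

# shellshock_remediate [path-to-bash]
# Check, update only when the binary is vulnerable, then re-check so the
# result of the update is confirmed rather than assumed.
shellshock_remediate() {
    status=$(shellshock_check "$1")
    echo "before: $status"
    if [ "$status" = "vulnerable" ]; then
        shellshock_update || return 1
        echo "after: $(shellshock_check "$1")"
    fi
}

# Usage: . ./shellshock-check.sh && shellshock_remediate
```

The check covers the original flaw only; the follow-up fix for CVE-2014-7169 addressed the same function-import parser, so a bash that has received your distribution’s current bash package after both patches reports "patched" here, while one that has never been updated reports "vulnerable". Re-running the check after `shellshock_update` is the part worth keeping: it confirms the binary actually installed is the fixed one.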
I hope this addresses any questions regarding the Shellshock vulnerability and how it affected Hawk Host as well as you. If you have any questions, of course, contact our support team.