Shellshock Worm

[619Tech]

Got a Teleworker customer inquiry asking about Mitel Standard Linux's vulnerability to this worm? Anybody know anything?

[v2win]

I haven't had time to test a MAS server yet but you can test it yourself.

Log into the server ant type

 env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

If it returns "busted stuff" its vulnerable.

[bones]

Can someone with MOL grab an official statement from Mitel concerning the vulnerability?  Otherwise, how do I drop to the shell on a MAS/MBG to test?

Thanks

[lundah]

I think the official word from Mitel so far is "we're still testing".

[v2win]

Use putty and log in with the root account its the same password as your admin account.

I just tested on my MAS 5.0.216 and it failed the test

[root@awc ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff

[bones]

Thank you both for your help.  It appears I am affected as well.

[ralph]

What ports in the firewalls need to be blocked? 
Does Bash use 80, 443, 23, 21?

Ralph

[619Tech]

Here is the Mitel reply to my ticket:

"We do have this vulnerability. But this isn't exploitable remotely. By default, MSL turn off the SSH connection to public network (and we also suggest that).
You could double check on your system, in Server-manager--Security--Remote access--secure shell setting, make sure we are not allowing public access. If so, we don't need worry about this by now.

Our design is also working on this to get it patched in next version."

[v2win]

Here is the Mitel reply to my ticket:

"We do have this vulnerability. But this isn't exploitable remotely. By default, MSL turn off the SSH connection to public network (and we also suggest that).
You could double check on your system, in Server-manager--Security--Remote access--secure shell setting, make sure we are not allowing public access. If so, we don't need worry about this by now.

Our design is also working on this to get it patched in next version."

Ralph it could use any port for remote code execution thats why this is going to be so ugly.  Here are two writeups that are pretty good at explaining the whats and why.

http://mashable.com/2014/09/26/what-is-shellshock/

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

[johnp]

I suppose you could get the patched bash rpm from any centos repo and rpm -Uhv it.

[ralph]

Has anyone seen a Mitel released bulletin on ShellShock yet?

Ralph

[ralph]

Found it.
It's on MOL.

Mol/support/shell-shocked security advisory

The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system.  Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server.  In some configurations, this vulnerability could be used to install malware on a server.  Independent reports indicate that vulnerable systems are being targeted and compromised to be used in botnets.
 

I think this means we will have to block external access to systems via firewalls.   That means any remote login such as UCA/YA/AWC etc.
Does anyone else view it that way?


Ralph

[ralph]

Here's an online testing tool.
http://shellshock.brandonpotter.com/

Ralph

[619Tech]

#2014-1004-04
 Remote Code Execution Vulnerability in BASH Interpreter
 Oct 1, 2014
 
Background
 The ShellShock bug is a group of serious vulnerabilities in the popular BASH shell interpreter. It is also widespread, existing in most Linux-based products. Since the initial vulnerability was first announced and patched, new aspects of the vulnerability have been discovered. These are being tracked as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

 The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system. Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server. In some configurations, this vulnerability could be used to install malware on a server. Independent reports indicate that vulnerable systems are being targeted and compromised to be used in botnets.

 Summary
 Mitel is monitoring this dynamic situation very carefully. We are conducting a thorough investigation of its entire portfolio to ascertain which of our products may be susceptible. This security advisory will be updated as new information emerges and as our investigation progresses.

 The following products that may be vulnerable
 Customers are advised to contact Mitel or Aastra support.
 
Mitel MiVoice Border Gateway
 Mitel MiVoice Office (Mitel 5000)
 Mitel Oria
 Aastra MX-ONE Telephony System
 Aastra MX-ONE Telephony Server
 Aastra 5000 Call Manager
 Aastra 5000 Compact
 Aastra 5000 Gateway
 Aastra 700
 Aastra AM7450 Management Center

 The following products are not vulnerable
 Mitel 3250
 Mitel ER Advisor
 Mitel MiContact Center Business
 Mitel MiContact Center Enterprise
 Mitel MiContact Center for Microsoft Lync
 Mitel MiContact Center Office
 Mitel Virtualization Framework
 Mitel MiVoice Business Dashboard
 Mitel MiVoice Call Accounting
 Mitel MiVoice Communications Director (3300)
 Mitel MiVoice Conference Unit (UC360)
 Mitel MiVoice Digital Phones 8528, 8568
 Mitel MiVoice Enterprise Manager
 Mitel MiVoice for Lync
 Mitel MiVoice HTML Application
 Mitel MiVoice IP Phones 53xx, 5560, 5540, 5505
 Mitel MiVoice Video Unit (UC360)
 Aastra MX-ONE Manager Provisioning
 Aastra MX-ONE Manager Telephony System
 Aastra MX-ONE Manager System Performance
 Aastra MX-ONE Manager Availability
 Aastra 2380ip
 Aastra 400
 Aastra 67XX & 68XX Series SIP Phones
 Aastra 6700i 6800i 9000i Series SIP Phones
 Aastra 74XXip (H323 terminal family)
 Aastra 800 (also A800)
 Aastra Alarmserver
 Aastra BluStar Client
 Aastra BluStar Server
 Aastra Open Interfaces Platform
 Aastra OpenCom 1000 family
 Aastra OpenCom 100
 Aastra OpenCom 130
 Aastra OpenCom 150
 Aastra OpenCom 510
 Aastra OpenCom x320
 Aastra SIP DECT
 Aastra Open Mobility Manager (SIP DECT)
 Aastra OpenMobility (RFP32/35/36/37/42/43)
 Aastra OpenPhone 7x IP
 Aastra TA7102a
 Aastra TA7104a

 The following products are under investigation
 Mitel 5603/5604/5607/5624 Rack Charger (Ascom OEM)
 Mitel 1000
 Mitel 3000 Communications System
 Mitel 5603/5604/5607 Programmer (Ascom OEM)
 Mitel DECT Basestation (Ascom OEM)
 Mitel MiCollab (Audio, Web and Video Conferencing)
 Mitel MiCollab (Speech Auto Attendant)
 Mitel MiCollab (Unified Messaging)
 Mitel MiCollab (Web Portal)
 Mitel MiCollab Client (Desktop)
 Mitel MiCollab Mobile Client (Android)
 Mitel MiCollab Mobile Client (iOS)
 Mitel MiCollab Server
 Mitel MiCollab with Voice (vUCC)
 Mitel MiContact Center Outbound (Noetica)
 MItel MiContact Center Live (LiveOps)
 Mitel MiVoice 5603/5604/5606/5607 IP DECT phones
 Mitel MiVoice 5610 DECT Handset and IP DECT Stand
 Mitel MiVoice 5624 WiFi Phone
 Mitel MiVoice Communications Director (Stratus)
 Mitel MXE Server
 Mitel MiVoice Communications Director (ISS)
 Mitel MiVoice IP DECT Base Station
 Mitel Multi-Instance Communications Director
 Mitel Standard Linux
 Mitel SX-200IP ICP
 Mitel Virtual MiVoice Communications Director
 Mitel WSM, WSM-3 (Ascom OEM)
 Aastra 340w and 342w
 Aastra 5300 series
 Aastra A1023i
 Aastra AMCC (Aastra Mobile Clients & Controller)
 Aastra BluStar 8000i
 Aastra BluStar Web
 Aastra Clearspan (Acme Packet Core SBC)
 Aastra Clearspan (AudioCodes eSBC / Gateway)
 Aastra Clearspan (Broadworks Platform)
 Aastra Clearspan (Edgewater eSBC)
 Aastra Centergy Virtual Contact Center
 Aastra CMG
 Aastra D.N.A. Application Suite
 Aastra DECT handset programming units
 Aastra Dialog 5446ip, 4XXXip (H323 terminal family)
 Aastra DT390, DT690 and CPDM 3 (DECT)
 Aastra DT413, DT423, DT433
 Aastra InAttend
 Aastra IP-DECT for OC1000 family
 Aastra IPBS 433/434/430/440
 Aastra OneBox FaxMail
 Aastra OneBox VoiceMail
 Aastra Open Messaging
 Aastra PointSpan
 Aastra Rack Charger for DT390, 69x, 4x3
 Aastra Redirection and Configuration Service (RCS)
 Aastra RightFax
 Aastra S850i (Revolabs OEM)
 Aastra SIP DECT Lite
 Aastra Solidus eCare 7.0 SP8
 Aastra Solidus eCare 8.2 SP1
 Aastra Telephony Switch (TSW)

[DB32120]

This was fixed in a new patch a few hours ago.

For those with MOL access you can find the latest update here.

http://domino1.mitel.com/ProdSupp/prodsupkb.nsf/ByProduct/611D18460FF313BA85257D65006C6547?opendocument&login

For those that don't, here is the update:

Article ID #
14-1263-00115      Article Type
Technical Bulletin

      
Article Title
#2014-1004-04 - MBG Remediation Plan - Remote Code Execution Vulnerability in BASH Interpreter -       Publish Date
Oct-2-2014
      

Body/Solutions
MBG Servicelink Update for ShellShock Bug

This service link eliminates a publicly-known defect in the BASH interpreter that affects MiVoice Border Gateway (MBG) and can potentially lead to a security vulnerability. This bug is widely known as “Shellshock.”

About the BASH Defect

The ShellShock bug is a group of serious vulnerabilities in the popular BASH shell interpreter. It is also widespread, existing in most Linux-based products. Since the initial vulnerability was first announced and patched, new aspects of the vulnerability have been discovered. This servicelink update eliminates all currently-known vulnerabilities in BASH related to ShellShock. These are being

tracked as:

• CVE-2014-6271,

• CVE-2014-7169,

• CVE-2014-7186,

• CVE-2014-7187,

• CVE-2014-6277, and

• CVE-2014-6278.

The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system. Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server. In some configurations, this vulnerability could be used to install malware on a server. Independent reports indicate that vulnerable systems are being targeted and compromised for use in botnets.

Risk to MiVoice Border Gateway Systems

ShellShock is rated as a serious vulnerability, but the actual risk varies from system to system. In most deployments of the MBG, the risk is relatively small. Two of the most common ways of exploiting the ShellShock vulnerability is through CGI programs on a web server or via a poorly secured SSH server. However, Mitel normally recommends that the SSH server be disabled by default and most MBGs have no CGI scripts. The exceptions to this are MBGs configured to support YA clients or secure call recording. Even in these configurations, these CGI scripts are unlikely to be known to the malicious scanning engines that are the most prevalent threats “in the wild.”

Nonetheless, Mitel strongly recommends that all customers install the servicelink update to correct the defect. Mitel continues to monitor the situation around the ShellShock bug.

Remediation Plan for Stand Alone Mitel Border Gateway Systems


Mitel Border Gateway Version 8.1

An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix. For both physical and virtual servers, please open the blades panel in server-manager, select update list and click upgrade beside the 10.1.0.31 service link load.
As with all upgrades, make a backup of the system before proceeding, and another is recommended following the update.

Any new install must be running 10.1.31.0 or AMC may fail to download license keys.

Mitel Border Gateway Version 8.0

An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix.
Physical systems may access the blades panel in server-manager, and execute the servicelink upgrade to 10.0.51.0.
It is recommended to then upgrade MBG to the latest 8.0 blade.

Virtual systems must redeploy the MBG ova file, using 8.0.26.0, and restore the database. Then upgrade the servicelink via the blades panel to 10.0.51.0, and then MBG to 8.0.27.0.
Alternatively, if SWA is active, deploying 8.1.13.0, restoring the db and upgrading servicelink to 10.1.31.0 is also an option.

As with all upgrades, make a backup before proceeding, and a second backup following the upgrade is recommended.

Mitel Border Gateway Version 7.1

An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix.
For both physical and virtual servers, please open the blades panel in server-manager, select update list and click upgrade beside the 9.4.39.0 service link load.

As with all upgrades, make a backup of the system before proceeding, and another is recommended following the update


Mitel Border Gateway Version 7.0

An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix.
For both physical and virtual servers, please open the blades panel in server-manager, select update list and click upgrade beside the 9.3.31.0 service link.

As with all upgrades, make a backup of the system before proceeding, and another is recommended following the update