Bash/SSH Shellshock Vulnerability Report (CVE-2014-6271)

Posted on
Sat Sep 27, 2014 10:32 am
matt (support) offline
Site Admin
User avatar
Posts: 21411
Joined: Jan 27, 2003
Location: Texas

Bash/SSH Shellshock Vulnerability Report (CVE-2014-6271)

Three days ago security researches reported details on a recently discovered Bash/SSH/DHCP vulnerability named Shellshock (technically known as CVE-2014-6271 and CVE-2014-7169).

We take security very seriously, so the morning of the reported vulnerability we immediately audited and patched all of our backend servers (IndigoDomo.com, reflector server, and internal servers). We also did an extensive review of the Indigo software itself and based on our findings detailed below it is not directly effected by the bug.

The vulnerability is exploitable from applications that execute Bash shells. While Indigo has a built-in Web server, its Web server does not use CGI scripts and therefore does not pass any HTTP request information to Bash. When launching Indigo's interactive scripting shell (Plugins->Open Scripting Shell menu item) the Indigo client does launch a Bash shell script, however no variables are passed to that script and therefore it is not vulnerable.

Indigo does provide the ability for users to create actions that execute shell scripts, however none are defined by default and the user has control (and responsibility) over specifying what scripts are executed.

Indigo provides an extensive plugin architecture and there are over 100 plugins currently available. Although we do not know of any vulnerabilities in these 3rd party plugins and we think it is unlikely that they are exploitable, it is not possible that we audit them individually. In particular plugins that provide their own internal servers/APIs should be inspected by their developers (or others) to make sure they are not passing any unfiltered HTTP request data to Bash scripts.

Indigo does use SSH for part of its optional secure reflector tunneling, however it has been audited and is not vulnerable.

We believe we have some users that are running the Apache Web server in combination with Indigo's built-in Web server. The Apache Web server is included with Mac OS but is not enabled by default. Users that have enabled Apache should should make sure they do not have mod_cgi or mod_cgid enabled and/or have manually patched the Bash executable on their installs.

Apple has not yet released a Mac OS update to patch the Bash executable included as part of the OS, but we expect one to be available soon. We encourage all Mac OS users to promptly apply the update once it is available.

Image

Page 1 of 1

Who is online

Users browsing this forum: No registered users and 4 guests