esud.info – Blog about the travel, information technology, business, and other... About | Contact
26.09.2014

How to fix Shellshock problem on Proxmox 2.x

Exploit (CVE-2014-6271)
To check if your server is vulnerable, run this command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
When you see
vulnerable
this is a test
then you server is vulnerable.

Exploit (CVE-2014-7169)
Check it with this command:
env X='() { (a)=>\' sh -c "echo date"; cat echo
When in output you see a date (e.g. "Fri Sep 26 14:49:42 CEST 2014") then your server is vulnerable against this issue.

Proxmox 2.1 server is based on Debian Squeeze which is not supported. But to fix CVE-2014-6271 and CVE-2014-7169 security issues you can update bash with following commands:

1. Open /etc/apt/sources.list file

2. Add following lines
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
3. Run "apt-get update"

4. When you get following error message

W: GPG error: http://http.debian.net squeeze-lts Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553

then you need to execute following two commands:
gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
gpg -a --export 8B48AD6246925553 | apt-key add -
and run "apt-get update" again.

5. Execute "apt-get install bash" to update bash.

It is recommended to reboot the system.
server  proxmox   
Write new comment...

 
 
 
© 2013–2017 esud.info   Powered by Nanoblog