VMware and ShellShock bug – What it means for you
The internet is in a twist. A bug in BASH has recently been published. It’s called ShellShock, after the condition soldiers suffered from in WW1. The bug has been there for a long time, but nobody knew. Apparently it is the oldest bug known to date in a single module or program. It even has a greater impact than the Heartbleed bug in SSL a couple of months ago. Should you worry about your VMware infrastructure? Yes and no.
First of all, for those of you who are not very familiar with BASH and what it is: BASH, the Bourne Again SHell, has been the better shell alternative ever since it was released, way back in the nineties. Until then the Bourne Shell was the best you could use. BASH introduced a number of user-friendly extensions that soon made it very popular. It is the de facto standard shell on any Linux distribution, and it is the standard shell on any Mac OS X system.
What is a shell, you might ask? It’s the equivalent of the DOS box on a Linux or Unix system: the interface between the user and the system, and between the web and the OS running on the box. It effectively glues the web server to the OS the server runs on. Why is this such a big thing, bigger than Heartbleed? Well, not every Linux server runs a web server, but every Linux server runs a shell, and almost all of them run BASH. This bug has been in BASH for more than 20 years, which means that virtually every system ever released with any version of the BASH shell has it. Some systems can’t even be updated any more and will remain vulnerable for as long as they stay online.
So, what is the bug? Very briefly: BASH lets you set a variable in a script and refer to it later. The flaw is that an attacker can craft such a variable, for instance through a web script, so that BASH executes a command on your Linux box that does things you don’t want it to do, and BASH lets this happen. Is this a real threat? Yes it is. There is already malware out there that uses the Shellshock bug to gain control of your *nix box.
Should you as a VMware admin care? Well, yes and no.
ESX and ESXi are mostly unaffected by the ShellShock bug: they do not use BASH as their shell but ASH, and thankfully ASH does not seem to have this vulnerability. There are two exceptions, though. ESX 4.0 and ESX 4.1 (mind you, not the ‘i’ versions) run BASH. Although these versions are considered ‘End of Life’ by VMware, VMware will release a bug fix for Shellshock. To date this fix has not been released, so keep an eye out for it.
Most VMware appliances that have been released are based on SuSE Linux Enterprise Server (SLES), and you guessed right if you thought that means trouble: almost all appliances are affected by ShellShock. This means that within the next few weeks or so VMware will release a number of bug fixes for those appliances, and you are strongly recommended to install them as soon as possible. In this knowledgebase article you can find a list of all the products that are affected, so you can start planning your maintenance run soon.
What can you do in the meantime? If you have any of the appliances on that list published on the internet, consider taking them off the public internet until the bug fix has been released and installed. If you really can’t live without public access to an affected appliance, use an application firewall or some sort of host-based filtering to reduce the risk.
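Since the post explains the bug in terms of a crafted variable that BASH executes, and then asks you to work out which of your boxes are affected, here is a small local check you can run on an appliance or an ESX 4.x host before and after installing the vendor fix. This is an added example, not code from the original post or from VMware. It assumes a POSIX shell and, for the BASH test, a bash binary on the PATH; it talks to nothing on the network. It reports which program provides /bin/sh (ESXi uses ASH, the SLES-based appliances use BASH) and whether that BASH still executes the trailing command of a crafted environment variable, which is the behaviour the original Shellshock report described. A "not vulnerable" result only covers that first published bug; BASH received several follow-up fixes after the initial one, so the real yardstick remains the vendor patch level.

```shell
#!/bin/sh
# Added example (not from the original post): a local Shellshock check of the
# kind you would run on a VMware appliance or an ESX 4.x host. Assumes a POSIX
# shell; the bash test needs a bash binary on PATH. Nothing here uses the network.

# Report which program actually provides /bin/sh. ESXi links it to ash,
# Linux appliances typically to bash or dash.
sh_provider() {
    if [ -L /bin/sh ]; then
        readlink /bin/sh
    else
        echo /bin/sh
    fi
}

# shellshock_check: returns 0 if the bash on PATH is vulnerable to the original
# Shellshock bug (it executed the command that trails a function definition in
# an environment variable), 1 if it ignores that command (patched), and 2 if no
# bash binary was found at all.
shellshock_check() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    # The crafted value is a harmless function definition followed by an echo.
    # An unpatched bash runs the echo while importing its environment; a patched
    # bash only imports the function (and may warn on stderr, which we drop).
    out=$(env x='() { :;}; echo SHELLSHOCKED' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCKED*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Human-readable summary for an admin walking through a list of appliances.
print_report() {
    echo "/bin/sh is provided by: $(sh_provider)"
    if shellshock_check; then
        echo "bash: VULNERABLE to the original Shellshock bug - install the vendor fix"
    elif [ $? -eq 2 ]; then
        echo "bash: not found on PATH (ash-only system such as ESXi?)"
    else
        echo "bash: not vulnerable to the original Shellshock test (later fixes not checked)"
    fi
}

print_report
```

Run it as `sh shellshock_check.sh` on each box from the affected-products list; a VULNERABLE line means the appliance belongs at the top of your maintenance run, and a host that reports no bash at all (ESXi) is outside the scope of this bug as the post describes it.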
We will post as soon as fixes are released by VMware.
Courtesy of pcworld.com for the shellshock graphic