LoadMaster Vulnerability Mitigation for CVE-2014-7169 and CVE-2014-6271

Updated September 27th 2014


As you may have seen reported elsewhere, an unauthorized-disclosure-of-information vulnerability (dubbed "Shellshock" in the press) has been discovered in the Unix Bash shell, affecting a wide variety of Mac OS X and Linux operating systems, applications and appliances. This vulnerability may allow an attacker to remotely execute malicious code, for example through server-side CGI applications, by asking the system for basic information. Details on the vulnerability can be found in the NIST National Vulnerability Database and on Red Hat's Security Blog.

KEMP has confirmed that the LoadMaster WUI is vulnerable to authenticated users (knowledge of account credentials is required). No vulnerabilities have been found that are exploitable by unauthenticated users. LoadMaster version 7.1-20b mitigates the vulnerability; it also contains a number of performance enhancements, and it is the recommended version for customers looking to protect against this risk. Version 7.1-20b mitigates Shellshock by preventing remote commands from successfully executing, even for authenticated users. As always, for any version of LoadMaster, it is strongly recommended that the management interface be protected and not exposed to the internet.

Specific to Shellshock, the non-exhaustive list below provides context on the potential vectors by which the vulnerabilities could be exploited in LoadMaster. As a result of ongoing improvements to LoadMaster, these were already addressed in version 7.1-16:

  • There is no ability for root access to be gained via any LM account, although read-only file system access can be gained with knowledge of the bal credentials. This read-only access is also modified in version 7.1-20b.
  • It is not possible to pass environment variables through to the LoadMaster via SSH.
  • DHCPD is not applicable because the DHCP daemon does not call any shell scripts.
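To verify whether a given bash binary is affected by the two CVEs named above, here is an added self-check script (not KEMP's code and not part of the original article). It uses the widely published test strings for CVE-2014-6271 and CVE-2014-7169, runs them only against the local binary, and writes only to a throw-away temporary directory; BASH_BIN is an assumed variable naming the bash binary to test.

```shell
#!/bin/sh
# Added example (not KEMP's code): local self-check of a bash binary for
# CVE-2014-6271 and CVE-2014-7169. BASH_BIN is an assumed variable: the
# bash binary to test (defaults to the first bash on PATH).

BASH_BIN="${BASH_BIN:-$(command -v bash 2>/dev/null)}"

# CVE-2014-6271: commands trailing an exported function definition are
# executed when bash imports its environment. Prints "vulnerable",
# "patched" or "not-found" (no bash binary available to test).
check_cve_2014_6271() {
    [ -x "$BASH_BIN" ] || { echo "not-found"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left parser state behind, so a
# crafted definition turns the next command into a redirection. A
# vulnerable bash creates a file named "echo" in the working directory;
# we run the probe inside a fresh temporary directory and look for it.
check_cve_2014_7169() {
    [ -x "$BASH_BIN" ] || { echo "not-found"; return 0; }
    dir=$(mktemp -d) || { echo "error"; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then status="vulnerable"; else status="patched"; fi
    rm -rf "$dir"
    echo "$status"
}

# Combined verdict: "vulnerable" if either probe succeeds, "not-found" if
# there is no bash to test, otherwise "patched".
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    case "$a$b" in
        *vulnerable*) echo "vulnerable" ;;
        *not-found*)  echo "not-found" ;;
        *)            echo "patched" ;;
    esac
}

shellshock_status
```

A result of "patched" for both probes does not prove that a system has no other Shellshock-related parser bugs; it only shows that these two CVEs are fixed in the binary tested.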

Patching:

Customers at LoadMaster version 7.x should patch directly to version 7.1-20b. Customers at version 6.x will first need to upgrade to version 6.0-42 before upgrading to version 7.1-20b. Installation details can be found at https://support.kemptechnologies.com/hc/en-us/articles/201294935-LoadMaster-V7-1-20b-Is-Now-Available


For additional information and alternative download versions please contact KEMP Support.

We will continue to monitor this vulnerability in the coming days and weeks and provide relevant updates on new developments. Please provide any suggestions and feedback you may have.

KEMP is committed to resolving security vulnerabilities carefully and quickly. If you think you have found a security flaw in a KEMP product, please send all supporting information to securityalert@kemptechnologies.com.


Comments

maik

I think you are a bit premature with this. Consequences of this bug cannot so easily be understood. If you think Loadmasters aren't vulnerable, how then is this possible?
http://musall.de/files/tmp/kempvuln.png

Lucas Jans

Can we get a response, @Kemp? I have clients clamoring for an answer and I would be embarrassed if I changed answers later.

maik

My take is: the page is shelling out to generate the website's title, and they didn't think of this. Which proves my point exactly: anybody who's stating today that they are not affected is bound to be in error, because right now research is still going on, and nobody has a complete picture of how this bug might be exploited, yet.

I strongly advise to tell customers that potential vulnerabilities are still being investigated. This type of bug is not something that you can check quickly and be done with it.

In any case, Kemp does, like everyone else, need to update their systems.

maik

Kemp, your statement please, now. I'm not sure I really have to point out that I can get a remote root shell through this?

bash-3.00# cat /etc/issue

LoadMaster from KEMP Technologies
(c) 2002-2013 KEMP Technologies
Version 7.0-10

bash-3.00# uname -a
Linux hostnameredacted 2.6.35.13 #1 SMP Fri Nov 1 14:00:48 UTC 2013 i686 i686 i386 GNU/Linux
bash-3.00#

Derek Kiely

Thank you for your input and valuable feedback on the subject.

Here are the vectors which we have addressed on LoadMaster:

• In the case of the Web User Interface (WUI), our continued security hardening in version 7.1-16 and later addressed this by removing the ability for root access to be gained via any LM account though file system read-only access can be gained with knowledge of the bal credentials. This read-only access will also be modified in a future release.

• It is not possible to pass environment variables through to the LoadMaster via SSH.

• Aside from the bal admin account, which has access to the shadow file, the only other relevant account in the shadow file is pwreset which is used for password reset operations only. This account is only usable via console access and cannot execute operations remotely.

• DHCPD is not applicable because the DHCP daemon does not call any shell scripts.

A version of Bash that provides complete resolution for CVE-2014-7169 and CVE-2014-6271 is not yet available. That said, we believe that our current status in versions 7.1-16 and onward mitigates the vulnerabilities. A fix will be made available today for our long term support LoadMaster version, 7.0-10, to mirror the vulnerability mitigation available in later versions.

maik

A patch that also fixes CVE-2014-7169 is available for all bash versions here:
http://seclists.org/oss-sec/2014/q3/734

Another possibility is, if you can do without the feature of functions in env variables, to remove the entire feature:
http://pastebin.com/mT7hY37Z
https://bugzilla.novell.com/attachment.cgi?id=606672&action=edit

However, as usual, people are finding more stuff that's wrong with bash while they're at it, so it could make sense to wait a few more hours:
http://seclists.org/oss-sec/2014/q3/712

Derek Kiely

The approach we have taken is to prevent access to bash within our system; based on the vectors detailed in these CVEs, we believe that we have achieved this in 7.1-16 onwards. We will update the bash version in a future release, and again thank you for the valuable feedback and recommendations.

Derek Kiely

In addition to the aforementioned, KEMP has also released 7.1-20b to further mitigate the potential vectors exploited by "Shellshock".

7.1-20b is available for download here - https://support.kemptechnologies.com/hc/en-us/articles/201294935

Chris Phillips

Just in case anyone's interested (I was), I think that the HTTP Request tool pictured is probably Web-Sniffer (http://web-sniffer.net/app.html).

justin.yaple

Just wondering if you're going to release updates for the LM-GEO soon too? GA is 2.2-20a and the release notes don't mention anything about resolving CVE-2014-7169 and CVE-2014-6271.

Derek Kiely

Version 2.2-20b has been released, which has a fix for Shellshock.