Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare 6.5 SP8



Lewis Rosenthal
27-Sep-2014, 22:14
Greetings, all...

I see that Novell has a handy security note out regarding CVE-2014-6271:

http://support.novell.com/security/cve/CVE-2014-6271.html

as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:

http://support.novell.com/security/cve/CVE-2014-7169.html

Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
surprised, though remain unconvinced that the older bash port is entirely
free of vulnerability, here.

Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
I don't believe that anyone is using mod_cgi or mod_cgid.

(BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
32- and 64-bit binary rpms on my FTP server:
ftp.2rosenthals.com/pub/CentOS/4.8 .)

Just curious as to what the consensus is regarding NetWare with this thing.

TIA

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC www.2rosenthals.com
Need a managed Wi-Fi hotspot? www.hautspot.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
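
One way to check the mod_cgi / mod_cgid question raised in the post above, as an added example that is not part of the original thread: it scans an Apache httpd.conf for directives that load a CGI module or map content to CGI execution. The function names and the sample configuration are constructed for illustration; files pulled in with Include and modules compiled statically into httpd are not covered.

```python
import re

# Directives that enable CGI execution in Apache httpd 2.2.
RULES = [
    ("cgi-module", re.compile(r"^LoadModule\s+(cgi|cgid)_module\b", re.I)),
    ("script-alias", re.compile(r"^ScriptAlias(Match)?\s", re.I)),
    ("cgi-handler", re.compile(r"^(Add|Set)Handler\s+cgi-script\b", re.I)),
    # "ExecCGI", "+ExecCGI" or "All" turn CGI on; "-ExecCGI" turns it off.
    ("exec-cgi", re.compile(r"^Options\s(.*\s)?\+?(ExecCGI|All)\b", re.I)),
]


def logical_lines(text):
    """Yield (first_line_number, directive), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):  # skip blank and comment lines
            yield start, buf
        buf = ""


def find_cgi_exposure(text):
    """Return [(line_number, rule_name, directive)] for CGI-enabling lines."""
    return [(n, name, d) for n, d in logical_lines(text)
            for name, rx in RULES if rx.search(d)]


# Constructed sample, not taken from any real server.
SAMPLE_CONF = r"""
# constructed httpd.conf fragment
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
ScriptAlias /cgi-bin/ \
    "/srv/www/cgi-bin/"
<Directory "/srv/www/htdocs">
    Options Indexes -ExecCGI
</Directory>
AddHandler cgi-script .cgi
"""

if __name__ == "__main__":
    for lineno, rule, directive in find_cgi_exposure(SAMPLE_CONF):
        print(f"line {lineno}: {rule}: {directive}")
```

An empty result means the scanned file does not enable CGI; the same check has to be repeated for every file the configuration includes.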

ab
28-Sep-2014, 05:41
The concern with the bash shell is that services MAY be set up to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I've
never tried.

--
Good luck.


Rachelsdad
16-Nov-2014, 02:56
Apologies for the late reply, and thanks for the thoughts, which do
concur with mine. Still, I'm thinking that I might bounce this off of
Guenter (and I owe him an email, anyway, which is long overdue). ;-)

Cheers


--
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
www.2rosenthals.com