Liviu Chircu
2014-10-01 18:56:23 UTC
Hello all,
The following email addresses a serious security issue (10/10 note on
severity) which may/may not affect existing
OpenSIPS-based platforms. [1]
The issue was disclosed in September and is commonly named "Shellshock".
You can read all about it on Wikipedia [2].
Long story short, it is a GNU Bash vulnerability in the code which
handles environment variables.
It also seems that under the "right conditions", any version of an
OpenSIPS server can be vulnerable to this exploit.
The following are the "right conditions":
* your /bin/sh is vulnerable to Shellshock. You can test this with
the following command:
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
* your OpenSIPS uses the "exec" module
* you have not disabled the "setvars" modparam of exec [3]
If *all* of the above conditions are true, then you are vulnerable to
some cleverly crafted INVITE requests. An attacker
could remotely execute code with the privileges of your OpenSIPS daemon
user!
Ways to fix the issue (*any* of them is enough):
* upgrade your bash shell to a non-vulnerable version
* if you are not using the environment variables in your exec
scripts, then skip them:
modparam("exec", "setvars", 0)
Note on broken backwards-compatibility:
We have disabled the "setvars" parameter by default in all
supported OpenSIPS versions. If you were using the
environment variables in your exec scripts, make sure you update your
OpenSIPS script and bash shell after
performing an upgrade to the daily OpenSIPS builds.
[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
[2]: http://en.wikipedia.org/wiki/Shellshock_(software_bug)
[3]: http://www.opensips.org/html/docs/modules/1.12.x/exec.html#id248413
Best regards,
The following email addresses a serious security issue (10/10 note on
severity) which may/may not affect existing
OpenSIPS-based platforms. [1]
The issue was disclosed in September and is commonly named "Shellshock".
You can read all about it on Wikipedia [2].
Long story short, it is a GNU Bash vulnerability in the code which
handles environment variables.
It also seems that under the "right conditions", any version of an
OpenSIPS server can be vulnerable to this exploit.
The following are the "right conditions":
* your /bin/sh is vulnerable to Shellshock. You can test this with
the following command:
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
* your OpenSIPS uses the "exec" module
* you have not disabled the "setvars" modparam of exec [3]
If *all* of the above conditions are true, then you are vulnerable to
some cleverly crafted INVITE requests. An attacker
could remotely execute code with the privileges of your OpenSIPS daemon
user!
Ways to fix the issue (*any* of them is enough):
* upgrade your bash shell to a non-vulnerable version
* if you are not using the environment variables in your exec
scripts, then skip them:
modparam("exec", "setvars", 0)
Note on broken backwards-compatibility:
We have disabled the "setvars" parameter by default in all
supported OpenSIPS versions. If you were using the
environment variables in your exec scripts, make sure you update your
OpenSIPS script and bash shell after
performing an upgrade to the daily OpenSIPS builds.
[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
[2]: http://en.wikipedia.org/wiki/Shellshock_(software_bug)
[3]: http://www.opensips.org/html/docs/modules/1.12.x/exec.html#id248413
Best regards,
--
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com