My Favorites

Close

Please to see your favorites.

  • Bookmark
  • Email Document
  • Printer Friendly
  • Favorite
  • Rating:

SUSE SLE vulnerability with GNU Bash Remote Code Execution (aka ShellShock)

This document (7015702) is provided subject to the disclaimer at the end of this document.

Environment

  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Server 10 SP3 LTSS
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Desktop 11 SP3
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SLES Expanded Support platform release 6.5
  • SLES Expanded Support platform release 5.10

Situation

SUSE has been made aware of a vulnerability affecting all versions of the bash package, which allows remote attackers to execute arbitrary code via a crafted environment (CVE-2014-6271 & CVE-2014-7169 ). Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Resolution

There are several options that may be used to fix this issue:

1.  Updating your entire system with the latest system updates:

To make sure that you have the patches relative to these issues, update the complete system to the latest patch level (preferred option) by running the following commands from a terminal, after verifying that you have your patch channels configured:
  • zypper ref -s
  • zypper up

SUSE recommends that you always apply updates and consider running the latest version. 

You can verify your current version by typing at a command prompt:

     cat /etc/*release

For more information on how to upgrade can be found in TID 7012368.

2.  Apply only the latest bash patches

If you prefer to update only the bash patches, use the following commands:

  • zypper ref -s
  • zypper up bash

3.  Updating an Expanded Support Platform

In case of SLES Expanded Support platform:

  • yum update

4. Applying CVE related fixes if you don't have LTSS maintenance:

Due to the nature of this issue, it was decided that patches would be made available to active subscription customers who don't have an LTSS agreement and are on SLES10SPx and SLES11SP1/SP2.  Some patches have already been released on (details below): https://download.suse.com/patch/finder/

If you can not find the downloads for your OS version please contact Customer Support.

Note: On Patchfinder you need to select the LTSS equivalent of your product. For example if you are on SLES 10 SP3, you will need to search under SLES 10 SP3 LTSS to find the patch. Your current SLES entitlement will allow access to these files. 
  

All downloads are available HERE.


Note:

Access to LTSS repositories requires additional subscriptions not covered by general maintenance.

Refer to  TID 7011670 for further help on how to add LTSS repositories once a subscription as been acquired

If you would like to know how to purchase LTSS should you need to remain on an old version, you can contact sales.  Please find information on the LTSS Program at https://www.suse.com/support/programs/long-term-service-pack-support.html


Additional Information

The patch for CVE-2014-7169 was released on the 28th of September 2014 (1PM CET)

Further information regarding these security issues can be found here:

Please note that the exploit test of CVE-2014-6277 mentioned on "shellshocker.net" is NOT valid for SLES systems that have been patched. The segmentation fault is certainly not nice, but note that the function was defined in the shell itself, not passed via an environment variable. Bugs in the evaluation code are not mitigated by the hardening patch, but they no longer have the potential to be abused.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7015702
  • Creation Date:26-SEP-14
  • Modified Date:09-OCT-14
    • SUSESUSE Linux Enterprise Desktop
      SUSE Linux Enterprise Server
      SUSE Linux Enterprise Software Development Kit

Did this document solve your problem? Provide Feedback

< Back to Support Search

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center