
Patching for shell shock 1


rejackson

IS-IT--Management
Oct 4, 2005
Surprised no one is talking about this. Since this is a customer-installed patch I have been looking at it hard. We have client agreements about the security of our network, so we have to do it when the patches come out.

In general I can do the patching process but this is my first one since we moved from CM 3 to CM6+ with SYS MGR, SSN MGR, and Platforms.

I have 56 LSPs rated as highly vulnerable. Each has a platform and a VM with CM on it. Add in the other stuff at the HQ and I have about 115 servers to patch. I have a vague memory of a sales person telling me that updates only had to be made at the main servers and the LSPs would get updated. I am thinking that must be in the CM not the underlying operating system which is where the vulnerability lies.

Does anyone have any comments about how they plan to deal with this, or why they don't think they need to?

Thanks
Richard
 
You need to load the Shellshock patch to all your LSP sites and to your core CM servers. Each of these on CM6.x+ will have at minimum VSP (dom0/cdom), CM, and most likely you will have a VUS (Utility Server) and a SAL Gateway/Services Server. Each of these needs an update individually. If the LSPs are sitting on an S8300D, then you probably also have to update Branch Session Manager. This is just the core PBX, not including anything else you may have (AAM, AES, SM, SMGR etc.).

Translations come from the core and auto update on the LSPs, but this update is only translations. It does not carry updates out. You can perform the LSP updates during the day without much harm.

Reasons to not do this? There really aren't any. From a personal test of my own, I can assure you that CM6 is vulnerable to shellshock via the web interface. I couldn't do much more than get a shell under the user apache, but I also wasn't trying anything but proof of concept. Other conduits into the system probably exist.
 
Thanks Randy,

Looks like a lot more systems than I thought. 4 in each LSP. I cannot figure out why they call the cdom a platform when it shows up in the VM server list. Then there is the BSM server. Seems like that would be on the list too.
 
@rejackson -- I'm not sure either but I'm sure there is some answer. Maybe it is a xen/xm thing?
 
So with 56 LSPs I have lots of units I can work on without any danger. I picked one and did the dom0 and cdom patches, then the CM patch. The utility patch is not available yet; at least it was not there 3 hours ago. I did the command line verification on the cdom and dom0. The web server management patch list shows the CM patch but does not show the patches on the platform. I guess they are buried somewhere below what this page can see. By my count that is 3 servers down, 226 to go.

Server Management
Patch List

System Platform
Patch ID Description Status Service Affecting
vsp-patch-6.2.2.08001.0 SP patch Active Yes

Templates : CM_SurvRemoteEmbed
No Patch Available

cm
Patch ID Description Status Service Affecting
02.0.823.0-20396 patch 20396 for 02.0.823.0 Active Yes
02.0.823.0-21905 fix for shellshock bug Active No
KERNEL-2.6.18-238.AV2a kernel patch KERNEL-2.6.18-238.AV2a Active Yes

utility_server
Patch ID Description Status Service Affecting
620115 Util_Patch_6.2.0-1.15-01.noarch.rpm Active No
626015 Util_Patch_6.2.6-0.15-01.noarch.rpm esd-6.0-12.i386.rpm Active No

bsm
No Patch Available
 
I built a 6.3 CM yesterday (LSP) and could see the platform and CM patch from Sys Platform. I performed, I'm guessing, the same bash echo "this is a test" as you did and all came back OK on all three (xen, cdom, cm). That said, Avaya have now said that the CM patch on some builds is ineffective. Regarding Utility Server, for months it's had major pen test vulnerabilities (internal testing denied by Avaya but so obvious... well, it's obvious), so if you can disable it I would. On a separate note, with the Shellshock Avaya have been, I think, responsive and informative and have tried to keep us in the loop, so just keep plugging away: apply the patch, run the echo test, and if it fails raise an emergency SR (as far as I'm concerned it's an emergency if the patch ain't working; I'm sure Avaya will view it that way too). You may have to spend some time providing build/environment info, but what the hell, let's get our customers protected.

APSS (SME)
ACSS (SME)
ACIS (UC)
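The "echo test" the posters run on dom0, cdom and CM after patching, wrapped into a function for repeatable verification. This is an added example, not a command from the thread or from Avaya's PSN; it assumes a POSIX shell and checks whichever bash binary is passed in (default: the one on PATH).

```shell
#!/bin/sh
# Added example: report whether a bash binary still imports function
# definitions from environment variables (CVE-2014-6271, the original
# Shellshock bug). Run on each of dom0, cdom and CM after the patch;
# anything other than "patched" is the case where you raise the SR.
shellshock_check() {
    bash_bin="${1:-bash}"

    # A host with no bash at all cannot be vulnerable to this bug.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # Export a variable whose value looks like a function definition with
    # trailing code. A fixed bash ignores the import (it warns on stderr,
    # which we discard) and prints only the test string; an unpatched bash
    # also executes the trailing 'echo vulnerable'.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone use: check the bash on PATH and exit non-zero if it fails,
# so the result can drive a per-server patch report.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
    result=$(shellshock_check "$@")
    echo "bash: $result"
    [ "$result" != "vulnerable" ]
fi
```

Saved as shellshock_check.sh and copied to each server (the same way the patch files are moved), the exit status tells you at a glance which of the dom0/cdom/CM instances still needs attention.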
 
Perfect thread-- I have a bunch of cm6.0.1 sp8.01's and a few cm6.3.5's.

Since I'm not on CM6.0.1 sp11.01 can I still install this shell shock patch? I'd rather not upgrade to sp11.01 since I'm sooner than later migrating to vmware and on 6.3.x.

If I'm building a 6.3 from scratch, do you still follow the same process and then add this Shellshock fix last?
1. Base Sys Plat
2. Sys Plat SP
3. Base CM
4. CM SP
5. Kernel
6. Plat
7. Bash??
 
Correct as per the PSN, but the bash needs to be done on dom0 first, then cdom, under the root user.

APSS (SME)
ACSS (SME)
ACIS (UC)
 
The PSN specifically mentions the generic overall version of sys plat 6.0.3.x, but is a little vague on CM. I'd rather not have to upgrade CM and just install this patch on top.
 
That would have to be a question put to Avaya. However, I applied the patch to a 6.0.1 SP8 CM and all is fine; just ensure that you follow the process documented: dom0, cdom, then CM. That being said, obviously you want to be on SP11 ASAP, as if you get any issues or get hacked and you have told the customer they are safe, you may well find yourself in trouble. But again, when the bash patch is applied to CM you are covered, and my system on SP8 has been OK for over a week. It's a duplex core, heavy call center loaded kit, 1000 plus agents, 600 SIP trunks, and all has been sweet since the bash patch. But seeing as you are going to service-affect the CM with the bash patch anyway, why not just get them both done, because you are going to need a maintenance window for downtime whichever way you do it.

APSS (SME)
ACSS (SME)
ACIS (UC)
 
I also see in the matrix they reference cm6.3, with patch 21904, but when you click on that link to the document, it only mentions up to cm6.2
 
Just bad wording; read the below, 6.3 is covered. See this link and read the text below just to satisfy yourself.

Avaya Aura® Communication Manager 5.x, 6.x: High. Install the security patch as described in PSN020149u.

This problem occurs in Avaya Aura® Communication Manager (CM) Releases 5.0 to 6.3.
Communication Manager 6.3 Bash Shellshock Patch

This patch is a hot patch (non-service affecting) and over-writable (designed to be activated on top of currently activated CM patches/SPs). However, it is recommended that the patch be activated using the same instructions provided in the “Finding the installation instructions” section of PCN1798S.

NOTE: This patch is customer installable and remotely installable.

NOTE: Do not deactivate any existing CM patches or service packs running on the system before activating this patch. This patch is an over-writable patch and designed to be activated on top of currently activated CM patches/SPs.

File name - 03.0.124.0-21904.tar
File size - 3640 KB (3,727,360 bytes)
MD5 Sum - 00d4d00889e0fbd9e1b81acc07905fc5

ASA-2014-369 - Avaya Security Advisory for Bash vulnerability

APSS (SME)
ACSS (SME)
ACIS (UC)
 
I'm preparing to apply PSN027007u to the platform (dom0, cdom) and PSN020149u to CM. My question is does anyone have the commands to back them out if there are any issues?
 
One more question, is 03.0.124.0-21904.tar a kernel patch or a regular patch?
 
Or is it considered a security patch? I'm reading the Managing Patches instructions and it's as clear as mud! The patch notes say "NOTE: Do not deactivate any existing CM patches or service packs running on the system before activating this patch. This patch is an over-writable patch and designed to be activated on top of currently activated CM patches/SPs." Does that mean that I should not execute the Pre Update/Upgrade step? I'm guessing that's what this means, but am hoping someone can give me a definitive yes or no.
 
There are specific instructions for specific CM versions. What version are you looking to apply this to? Most of the docs I've read don't involve any pre steps, and this patch just gets installed on top of what you already have. As far as the backout: if the checkout commands do not produce the expected results, it sounds like you'll have to call AVAYA.
 
I am referencing the guide Deploying Avaya Aura Communication Manager on System Platform for 6.3 (the version I am on). The section the PCN pointed me to, Chapter 10, references kernel patches, regular patches and security patches. For the Regular patch, step 4 is to click Server Upgrades > Pre/Update/Upgrade Step. The Security patch steps do not include this step but other than that are basically the same.

I am also struggling to get the patches uploaded to the servers. The patch for 6.3, 03.0.124.0-21904.tar, is not on PLDS and I cannot get the file to copy to vsp-template folder on dom0. I see that some users on this thread have successfully patched their CM, how did you upload the files?

Thanks everyone.
 
Uploaded the bash via WinSCP to cdom and dom0. The patch for CM I burnt to DVD and installed from there, as it's quite large to do from the web page of System Platform.

APSS (SME)
ACSS (SME)
ACIS (UC)
 
Great, thanks. The last piece I'm missing is a backout option. Is there a way to reverse the bash install from the cdom and dom0?
Thanks
 