Company Updates

There have been a number of security advisories this week. In this post, we discuss the vulnerabilities, their impact to AeroFS customers, and the steps that customers should take to mitigate their risk.

To summarize: Private Cloud Customers should upgrade their appliance to 0.8.68 (which supersedes 0.8.67) as soon as possible. The updated appliance image can be downloaded from the Private Cloud licensing dashboard.

Our upgrade support article will walk you through upgrading your appliance.

CVE-2014-6271 and CVE-2014-7169 – Bash vulnerabilities

General background

The Bourne-Again Shell, or Bash, is the default shell on many Linux systems. A bug in how Bash parses environment variables could cause it to execute arbitrary code on process startup when its environment contains a specially-crafted string.

By itself, this is not a big problem, as in general, if you’re controlling the environment of a process, you’re already the user spawning it, so this isn’t violating any trust boundaries.

Unfortunately, the issue gets much more alarming when we consider how people deploy systems and services. Environment variables are also used for communicating a variety of options in the normal function of software. In particular, the Common Gateway Interface (CGI), used widely for interfacing with web backends, passes HTTP request parameters to a handler through environment variables.

This in itself wouldn’t be a problem unless you were generating web pages with bash, which is not a common practice. But again, there’s another catch: environment variables are passed from parent processes to their children. This means that even if your web page backend isn’t written in bash, if it does anything which potentially spawns bash, or runs a command or script in a shell, then you’re vulnerable again, and a special request can make your server do pretty much anything.
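The practical question for an administrator is simply whether the bash on a given host still imports trailing code from environment variables. The script below is an added example, not AeroFS code: it wraps the widely published local self-check for CVE-2014-6271 in a function that reports a status string, and it only inspects the bash binary on the machine it runs on. The function name, the optional path argument and the status strings are this example's own choices. Note that it tests only CVE-2014-6271; a bash that passes this check can still be missing the follow-up fix for CVE-2014-7169, so the package version from your vendor remains the authoritative answer.

```shell
#!/bin/sh
# Added example (not AeroFS code): local self-check for CVE-2014-6271.
# It exports a variable whose value looks like a function definition with
# extra code after it, then starts a child bash. A patched bash ignores the
# trailing "echo vulnerable"; an unpatched one executes it on startup.
# Nothing here touches a remote system; only the local bash is inspected.

bash_shellshock_status() {
    # Optional argument: path to the bash binary to test (defaults to PATH lookup).
    target="${1:-bash}"
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 0
    fi
    # stderr is discarded because a patched bash prints a warning about the
    # ignored function definition attempt; that warning is not a finding.
    out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not-vulnerable" ;;
    esac
}

# Report the status of the default bash on this host.
bash_shellshock_status
```

Run it on each appliance or server you are responsible for; a result of "vulnerable" means the host needs the vendor bash update regardless of whether it exposes CGI, because any service that spawns a shell (dhclient scripts included) inherits the same bash.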

AeroFS exposure

AeroFS follows the good security practices of minimizing subprocesses in web services and avoiding calling other processes via a shell. We also do not use the CGI interface for our web services. As a result, AeroFS Hybrid Cloud and AeroFS Private Cloud are not affected by this particular attack vector.

Unfortunately, CGI is not the only time that remote-supplied data gets placed into the environment. In particular, a tool called dhclient is widely used to configure networking automatically. It runs certain scripts with bash, and passes options from the DHCP server to these scripts through environment variables. As a result, an attacker running a malicious DHCP server on the same network can potentially affect these systems.

Impact and mitigation

While AeroFS Hybrid Cloud servers run on a controlled network, AeroFS has patched all Hybrid Cloud servers as a precautionary measure, in case there are currently-unknown attack vectors.

AeroFS Private Cloud customers may be affected, however. Customers running their Private Cloud appliance on an untrusted network, or on a network which also contains untrusted devices, are at risk.

We have published version 0.8.68 (which supersedes 0.8.67) of the AeroFS Appliance, which contains an updated copy of bash with fixes for both CVE-2014-6271 and CVE-2014-7169. Private Cloud Customers should upgrade their appliance to 0.8.68 as soon as possible. While keeping your appliance on a private, trusted network should mitigate the risk from known attack vectors, it is wise to inoculate your deployment against unnecessary future risk.

UPDATE: further discoveries have led to additional CVEs and patches. Please upgrade your Private Cloud Appliance to 0.8.68 or newer.

CVE-2014-6273 – apt download vulnerability

Apt, the Advanced Packaging Tool, is widely used on Debian, Ubuntu, and other derivative systems for tracking, fetching, and applying software updates. A buffer overflow bug in the code which downloads updated packages could be triggered by a malicious man-in-the-middle HTTP server or proxy, causing apt to crash, and potentially causing arbitrary code execution.

Impact and mitigation

At AeroFS, we use apt to install and update software on our Hybrid Cloud servers. In response to the vulnerability, we immediately applied the vendor-provided upgrade to the various affected components on all Hybrid Cloud servers. Hybrid Cloud customers do not need to take any action.

AeroFS Private Cloud systems and customers are unaffected, as we do not currently run apt in any way after the appliance image is created.

XSA-108 – Xen vulnerability

A security advisory (XSA-108) has been issued for the Xen hypervisor. Following security best practices, details of the vulnerability have not been made public, but they have been released to major vendors of large-scale deployments under embargo, so that the most significant risks can be patched around or mitigated before the vulnerability is made public.

In particular, Xen is frequently used in infrastructure offerings, including Amazon’s EC2. In response, Amazon is performing emergency maintenance, including rebooting a significant fraction of their servers. As a result, many Amazon customers will see their instances reboot, and may see some temporary downtime during their scheduled maintenance window.

If you’re running an AeroFS Private Cloud appliance on EC2, it’s likely that your instance will be affected by the reboots.

Impact and mitigation

If you’re an AeroFS Hybrid Cloud customer, be aware that there may be some downtime for Hybrid Cloud as Amazon upgrades their fleet over the next week. While sharing, API access, the website, and other administrative tasks may be disabled, syncing between your devices will continue to work even during the outage.

If you’re an AeroFS Private Cloud customer, and you run your appliance on Amazon’s EC2 or another Xen-based infrastructure provider: expect guidance from your provider on whether you’ll need to reboot your instances in the near future.

Stay safe out there

This has been a big week on the security front, and a lot of engineers have been very busy trying to get fixes for these issues to users as quickly as possible. It’s important to apply security updates as described.

— Drew & the AeroFS Team