2 Replies Latest reply on Sep 26, 2014 6:45 PM by nicole pauls

    Bash shell vulnerability in LEM

    jamie_p

      Been reading about this Bash shell vulnerability that could be exploited so ran the test on my LEM appliance and confirmed it is also affected by the bug.  Will an update be released?


      http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

        • Re: Bash shell vulnerability in LEM
          nicole pauls

          Hi Jamie,


          We are investigating the issue internally. Assuming like you say the LEM appliance is vulnerable, there are a few mitigating factors:

          1. LEM customers use a limited access shell to manage and maintain LEM, which does not use bash except when running external shell commands to make changes.
            1. This shell also does not allow customers to set or modify environment variables, so even when we do shell out commands, it shouldn't be possible to trigger the exploit.
          2. It is possible to limit SSH access to LEM (for the limited shell or support-only users that have true bash shells) via the "restrictssh" command.
          3. The last remaining vector for usage of the limited (or support) shell is the virtual appliance equivalent of physical access, which should be limited.


          When we've determined the scope and resolution, we'll determine when the update will be released as well. Stay tuned...
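The self-test jamie_p mentions, and the "no caller-controlled environment variables reach bash" mitigation behind point 1.1, as an added example that is not part of the thread and not SolarWinds or LEM code. It assumes a `bash` binary on PATH; the status labels ("vulnerable", "patched", "no-bash", "absent") and the variable name `x` are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: checks whether the local bash imports and executes code
# appended to an environment-supplied function definition (the bash bug the
# thread is about), and shows the mitigation of shelling out with a scrubbed
# environment. Assumption: a "bash" binary exists on PATH.

# Print "vulnerable" if this bash runs the trailing command of a function
# definition found in the environment, "patched" if it ignores it, or
# "no-bash" if bash is not installed. The variable value is the widely
# published self-test string; a fixed bash only prints "test".
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env 'x=() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
    return 0
}

# Mitigation in the spirit of point 1.1: when a wrapper shell has to run an
# external command through bash, start the child from an empty environment
# (env -i) and pass through only an allow-listed variable (PATH here), so a
# caller-controlled variable can never be interpreted as a function import.
run_with_clean_env() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    env -i PATH="${PATH}" bash -c "$1" 2>/dev/null
}

# Demonstrate the mitigation: export a function-shaped variable in the parent,
# then ask the clean-environment child what it sees. Expected answer: "absent",
# regardless of whether the installed bash is patched, because the variable
# was never handed to the child.
clean_env_leak_check() {
    x='() { :;}; echo leaked'
    export x
    out=$(run_with_clean_env 'echo "${x:-absent}"')
    unset x
    echo "$out"
    return 0
}

echo "local bash: $(shellshock_status)"
echo "clean-env child sees x as: $(clean_env_leak_check)"
```

Run the script on the host being assessed; `shellshock_status` answers the "is my bash affected" question directly, while `clean_env_leak_check` shows why a management shell that never forwards user-settable variables to bash removes the trigger even when the bash binary itself is unpatched, which is the reasoning behind points 1 and 1.1 above.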

          • Re: Bash shell vulnerability in LEM
            nicole pauls

            In case you missed it: ShellShock Vulnerability and SolarWinds Products


            LEM does have a vulnerable bash version, but it is not possible to exploit. We'll update in an upcoming release regardless.