Bash CVE-2014-6271, CVE-2014-7169 vulnerability

Dear customers,

We are aware of a security issue in Bash, the default shell on operating systems such as Linux, on which PBXware is based.

PBXware, SERVERware and TELCOware are affected by this bug, but only in the Setup Wizard, and only if a malicious user already has your server's ‘root’ credentials.

If a user is not authenticated as root in the Setup Wizard, the system is not vulnerable (as no shell is executed at that point).

However small this potential vulnerability is in our case, we did not want to take any chances, so we have already created a patch.

To patch your PBXware Setup Wizard:

/opt/httpd/sh/stop

cd /opt/httpd/bin

mv mini_httpd /root/mini_httpd.bak

wget http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.8/mini_httpd

chmod +x mini_httpd

/opt/httpd/sh/start

To patch your PBXware 38x:

cd /opt/pbxware/pw/bin/

mv bash /root/old.bash

wget http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.8/bash

chmod +x bash

For older versions, the download links are included at the end.
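
To confirm that the replacement binary took effect, the following added example (not part of the original advisory and not vendor code) runs the two widely published local checks for CVE-2014-6271 and CVE-2014-7169 against a bash binary such as /opt/pbxware/pw/bin/bash. The function names and the CANARY marker are this example's own; it checks only the bash binary, not the mini_httpd Setup Wizard patch.

```shell
#!/bin/sh
# Added example (not vendor code): local check of a bash binary for
# CVE-2014-6271 and CVE-2014-7169. Function names and the CANARY marker
# are this example's own. Pass an absolute path to the binary.

# CVE-2014-6271: a vulnerable bash runs the command that trails a function
# definition while importing the variable from its environment.
check_6271() {
    out=$(env probe='() { :;}; echo CANARY_6271' "$1" -c 'echo ran' 2>/dev/null)
    case "$out" in
        *CANARY_6271*) echo vulnerable ;;
        *)             echo patched ;;
    esac
}

# CVE-2014-7169: on a vulnerable bash the leftover parser state turns
# "echo date" into a redirection, leaving a file named "echo" in the cwd.
check_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env probe='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# Prints one status line; returns 0 only when both checks report "patched".
check_bash() {
    [ -x "$1" ] || { echo "missing"; return 2; }
    r1=$(check_6271 "$1")
    r2=$(check_7169 "$1")
    echo "CVE-2014-6271=$r1 CVE-2014-7169=$r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

# Run against a path given on the command line, e.g. the chroot bash above.
if [ "$#" -gt 0 ]; then
    check_bash "$1"
fi
```

Run it against both the new binary and the backup in /root/old.bash to see the difference; a non-zero exit status means at least one check did not report "patched".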

To patch your SERVERware 1.7.3.r15 or Newer:

To apply the Setup Wizard security patch to your SERVERware 1.8 or 1.7 r15 and later, log in to your SERVERware Controller GUI, navigate to System -> Updates, and use your root username and password to authenticate.

When the updates screen is displayed, select checkboxes U and R next to Setup Wizard only, and press the Start button.

After the update is complete, you can close your browser window.

To patch your SERVERware Controller (Only) 1.7.2x or Earlier Manually:

/home/servers/httpd/sh/update

user: serverware

pass: update

/home/servers/httpd/sh/stop

/home/servers/httpd/sh/start

 

## Earlier PBXware Versions Available

Download links for mini_httpd:

http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.0/mini_httpd

http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.1/mini_httpd

http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.8/mini_httpd

Download links for bash in the chroot environment:

http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.0/bash

http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.1/bash

http://downloads.bicomsystems.com/cve-2014-6271/pbxware/v3.8/bash