LiteSpeed update released against Shellshock vulnerability

A critical code execution vulnerability in BASH, now known as Shellshock, was disclosed on September 24, 2014 and affects CentOS based servers. To fix this problem, you need to update BASH to the latest version. BASH versions older than bash-4.1.2-15.el6_5.1.x86_64 appear to be vulnerable. LiteSpeed has now released a new version, 4.2.16, which is patched against the Shellshock vulnerability. Upgrading LiteSpeed to 4.2.16 does not by itself mean your server is free from the vulnerability; you must also update BASH to fix it completely.

Technical Aspects

In LSWS 4.2.16, if a request would set an environment variable whose value begins with the string "() {" (the marker Bash uses for exported function definitions), LSWS ignores that value instead of passing it to CGI. Without this environment variable the attacker has no vector, so with LiteSpeed Web Server, HTTP requests cannot be used to trigger the Shellshock vulnerability in CGI scripts.

On any web server (LSWS, Apache, NGINX, etc.), CGI scripts remain exposed to this Bash bug as long as BASH itself is vulnerable. So you need to update BASH to the latest version as well as update LSWS to 4.2.16.

How to fix the Shellshock vulnerability in LiteSpeed WebServers?

1, SSH to the server as root
2, Check whether your server is vulnerable:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get the following output, your server is vulnerable (the "vulnerable" line shows that the command appended to the function definition was executed):

[root@testvps ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

To fix this, update BASH:

yum clean all && yum update bash

For more details, see “Shellshock vulnerability”.

For LiteSpeed WebServers, update LiteSpeed to 4.2.16:

/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.16
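The following script is an added example, not part of the original post and not LiteSpeed's code. It ties together the two points above: it reimplements, on constructed request headers, the kind of "() {" value filter the post says LSWS 4.2.16 applies when building the CGI environment, and it wraps the post's "env x=..." test in a function that reports whether the local bash is still vulnerable. The header lines, the HTTP_* naming and the report format are assumptions made for the demonstration; the update commands themselves are the ones from the post and are only mentioned, not run.

```shell
#!/bin/sh
# Added example (not from the original post or from LiteSpeed).
# 1. is_shellshock_payload / cgi_env_from_headers: the "() {" value
#    filter the post attributes to LSWS 4.2.16, reimplemented here so it
#    can be run offline on constructed header lines.
# 2. check_bash_shellshock: the post's env test wrapped in a function
#    that prints vulnerable / patched / bash-missing.

# Print "drop" if a value begins with the exact Bash function-export
# marker "() {" (bash matches the first four characters literally, so a
# leading space is not a match), otherwise "keep".
is_shellshock_payload() {
    case "$1" in
        "() {"*) echo drop ;;
        *)       echo keep ;;
    esac
}

# Mimic the CGI environment build: read constructed "Header: value"
# lines on stdin, convert each header name to an HTTP_* variable name
# the way CGI does, and skip any value the filter would drop.
# Prints the accepted NAME=VALUE pairs, one per line.
cgi_env_from_headers() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        value=${value# }
        var="HTTP_$(printf '%s' "$name" | tr 'a-z' 'A-Z' | tr '-' '_')"
        if [ "$(is_shellshock_payload "$value")" = drop ]; then
            continue   # what the post says LSWS 4.2.16 does with such values
        fi
        printf '%s=%s\n' "$var" "$value"
    done
}

# Run the post's test. A vulnerable bash parses the exported value as a
# function definition and then executes the trailing "echo vulnerable".
# Prints "vulnerable" if that line appears, "patched" if not, and
# "bash-missing" if there is no bash on this host to test.
check_bash_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo bash-missing; return; }
    if env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null \
        | grep -q '^vulnerable$'; then
        echo vulnerable
    else
        echo patched
    fi
}

# Report only; the fixes are the commands from the post:
#   yum clean all && yum update bash
#   /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.16
main() {
    if command -v rpm >/dev/null 2>&1; then
        echo "installed package: $(rpm -q bash 2>/dev/null || echo unknown)"
        echo "first fixed build named in the post: bash-4.1.2-15.el6_5.1"
    fi
    echo "bash function-import test: $(check_bash_shellshock)"
    echo "constructed request headers after the LSWS-style filter:"
    # Constructed sample request: one header carries the Shellshock marker.
    printf 'Host: example.test\nUser-Agent: () { :;}; echo vulnerable\nAccept: */*\n' \
        | cgi_env_from_headers
}

main "$@"
```

Running the script on an updated host prints "patched" and drops only the User-Agent line from the constructed headers; on a host with an old bash it prints "vulnerable", which is the signal to run the two update commands from the post. The filter is deliberately a prefix check and nothing more, matching the behaviour the post describes rather than attempting to parse the value.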

That’s it 🙂


Heba Habeeb

Working as a Linux Server Admin, Infopark, Cochin, Kerala.
