Is Zimbra affected by Bash Shellshock?

Posted: Mon Sep 29, 2014 5:14 am
by bhwong
Zimbra itself may not be vulnerable, but the Linux OS it is running on will likely have a vulnerable bash version already installed. Will this mean that the server itself is vulnerable? How can we verify if the Zimbra server is safe? As long as there are no web services running? What about SSH?

Posted: Mon Sep 29, 2014 6:04 am
by ploeger
Well, you could just test out the usual Shellshock test by running:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
on your Zimbra server. If it says "vulnerable", you should simply update your bash version.
With that being said, I don't think that the attack vector's that big. From what I know, Zimbra's mostly far away from running bash scripts as a result of a web request.

Posted: Mon Sep 29, 2014 7:18 am
by tonster
You should definitely update your OS, but we have not found Zimbra itself to be vulnerable to Shellshock. See http://community.zimbra.com/support/sec ... shock-flaw.

Posted: Mon Sep 29, 2014 11:21 pm
by bhwong
Thanks! So the vulnerability can only happen through web requests and not SSH or any other services?

Unfortunately our Ubuntu 8 no longer has any updates, much less for Bash. There is a solution provided but I'm not sure if this will break Zimbra: http://leftyfb.com/2014/09/25/heres-how ... om-source/

Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10, right?

Posted: Tue Sep 30, 2014 5:12 am
by ploeger
[quote user="bhwong"]Thanks! So the vulnerability can only happen through web requests and not SSH or any other services?[/quote]
Rarely. There's a possibility if you use force commands in SSH, where you could override this limitation. Basically, all services are vulnerable that at one time use bash and allow the user to specify environment parameters. I won't vouch for it, but I'm not seeing Zimbra anywhere there.

[quote user="bhwong"]Unfortunately our Ubuntu 8 no longer has any updates, much less for Bash. There is a solution provided but I'm not sure if this will break Zimbra: http://leftyfb.com/2014/09/25/heres-how ... om-source/[/quote]
Again, won't vouch for it, but it shouldn't bother Zimbra.

[quote user="bhwong"]Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10, right?[/quote]
Yes. You'll have to rerun the setup and optional post-setup tasks that you might have in your environment.
So it's definitely something you should check in a development environment first!