Resolving Bash vulnerability in Parallels Virtuozzo Containers and Parallels Cloud Servers : How to fix CVE-2014-6217 Bash "Shell Shock" vulnerability

Highly critical Bash code injection vulnerability CVE-2014-6217 was declared on 24th Sep, and a patch is not yet known to be available for Parallels Virtuozzo Containers and Parallels Cloud Servers.

If you have Virtuozzo or Parallels Cloud Server, the individual containers will have Bash; and if you haven't expressly patched it, assume that your server is vulnerable to hack. Containers typically operate with CGI modules, and they could allow commands to be passed on to Bash, thus opening the gates to hackers.

The engineers in our Proactive Server Management Services detected this threat on 24th, and patched all our Virtuozzo and Parallels Cloud Servers with the following steps:

Login to your hardware node terminal as root, and execute the below script.

#!/bin/bash

for CONTAINER in $(vzlist -a | egrep -w -v "1|CTID" | grep run | awk '{print $1}')
do 
if [[ -f /vz/root/$CONTAINER/etc/redhat-release ]]; 
then
 if [[ -f /vz/root/$CONTAINER/usr/bin/yum ]]; 
 then 
 echo $CONTAINER; 
 vzctl exec $CONTAINER "yum -y update bash";
 else
 echo "yum missing in $CONTAINER. Try again after running, vzpkg install $CONTAINER -p yum";
 fi; 
else
 echo "$CONTAINER is not RHEL flavor. Possibly Ubuntu or Debian. Modify script to run apt-get command.";
fi
done

This script lists the containers in the hypervisor, and executes the update command to upgrade bash. In some containers yum might not be present, and you might be required to install yum before continuing.

IMPORTANT : The above script is one of the variations we use to update servers. There is NO guarantee it will work in your server. If you are not sure what these commands are and are not comfortable executing these commands as root, consult a systems administrator.

This should protect your customers from the critical CVE-2014-6217 vulnerability, however, the VPSs will need to be patched again to be fully protected once a solution is available for the related CVE-2014-7169 vulnerability. We will update this post when a patch is available. When the patch is released, just execute the above steps again.

[ UPDATE ] - Patch for CVE-2014-7169 is now available. So, in case you have already ran the commands above, re-run them again to get the final patch.

Critical vulnerabilities are a fact of web hosting. Bobcares Proactive Server Management prevents zero-day exploits by configuring servers for managed auto-upgrades.

If you need assistance in securing your server, we would be happy to talk to you.