
CVE-2014-6271: serious bash vulnerability (shellshock)

Posted: Wed, 24 Sep 2014 21:59 PM UTC
Last Update: Tue, 30 Sep 2014 03:55 AM UTC
Status: Open

Shellshock update at 30 Sep

What a busy few days!  Security researchers have found a few related bugs.  The most recent of those is as-yet undisclosed and unpatched by distros.

In the meantime we have created a deshellshock script (if you are a sysadmin, please feel free to review it and suggest improvements at https://github.com/pbkwee/deshellshock ).

We are also working on a page where customers can review the results of our running that script on their servers.  There you will be able to see whether you were vulnerable (tip: you were) and whether we can still detect any vulnerability after the changes have been applied.

We will update this notice as we make more progress.  (Currently waiting on disclosure and fixes for CVE-2014-7186 and CVE-2014-7187).

Shellshock: the bash vulnerability

There is a vulnerability in most versions of bash.

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

Bash is invoked in a variety of ways: by web scripts, through OpenSSH environment variables, and probably in a number of other ways no one has thought of yet.  This means there are potentially many ways (vectors) in which this vulnerability could be exploited.

So it is very important to fix this issue.

Patching the vulnerability

To check if you are vulnerable (tip: you probably are):


env x='() { :;}; echo vulnerable' bash -c "echo if it says vulnerable \
above, you are vulnerable. If it says nothing or something about \
'error importing function' you are patched"

To fix it on Debian/Ubuntu:

apt-get update
apt-get install --only-upgrade bash

On Redhat-based distros:
yum install bash

If you are ok with upgrading all/other packages as well, then on Debian/Ubuntu (note this will likely restart services and update lots of packages):

apt-get update
apt-get upgrade

On Redhat-based distros:
yum update

If you are running Debian squeeze you may need to add the squeeze-lts repository in order to get the updated bash package:

if [ -e /etc/apt/sources.list ] && grep -qai '^deb.*squeeze' /etc/apt/sources.list && ! grep -qai squeeze-lts /etc/apt/sources.list; then echo "
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
" >> /etc/apt/sources.list
fi

After upgrading bash, rerun the vulnerability check:


env x='() { :;}; echo vulnerable' bash -c "echo if it says vulnerable \
above, you are vulnerable. If it says nothing or something about \
'error importing function' you are patched"

If you are still vulnerable, pop in a ticket early next week and we can take a look.  Please don't contact us right now.  We are working on an auto-update solution for everyone.

The patch should not require a reboot or any service restarts.
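The check-then-fix procedure above is easy to run by hand on one box but awkward across a fleet, because it relies on a human reading "vulnerable" off the terminal. The script below is an added example (it is not part of this notice and not the deshellshock script) that wraps the same env-based probe in POSIX sh functions with an exit status, and prints the minimal bash-only upgrade command from this notice for whichever package manager it finds. Function names (classify_output, shellshock_probe, fix_command) are this example's own; nothing is installed or changed, the script only reports.

```shell
#!/bin/sh
# Added example, not RimuHosting's code: CVE-2014-6271 probe as a script
# with exit codes, suitable for cron or a fleet-wide check.
#   0 = bash not vulnerable to this test, 1 = vulnerable, 2 = no bash found

# Classify captured probe output.  The probe in the notice prints the word
# "vulnerable" only if bash executed the trailing command of the function
# definition stored in the environment variable; a patched bash prints a
# warning about ignoring/erroring on the function definition instead.
classify_output() {
    case "$1" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Run the same probe as the notice.  stderr is folded into stdout so the
# "error importing function definition" text from a patched bash is
# captured rather than spilled on the terminal.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe-done' 2>&1)
    classify_output "$out"
}

# Print (do not run) the bash-only upgrade command from the notice for the
# package manager present on this host.
fix_command() {
    if command -v apt-get >/dev/null 2>&1; then
        echo "apt-get update && apt-get install --only-upgrade bash"
    elif command -v yum >/dev/null 2>&1; then
        echo "yum install bash"
    else
        echo "no apt-get or yum found: upgrade bash with your distro's tools"
    fi
}

main() {
    rc=0
    shellshock_probe || rc=$?
    case $rc in
        0) echo "bash passes the CVE-2014-6271 probe" ;;
        1) echo "bash is VULNERABLE (CVE-2014-6271); suggested fix: $(fix_command)" ;;
        2) echo "bash is not installed on this host" ;;
    esac
    return $rc
}

# Run the report only when invoked with --run, so the functions can also
# be sourced from another script without side effects.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Rerun the probe after the upgrade exactly as the notice says; a non-zero status from the script after patching is the signal to open a ticket rather than assume the package update took effect.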

What about older distros? RHEL4? Lenny? Slackware 1.0?

These are old distros, often no longer well supported.  Have you thought about reinstalling with a newer, modern distro?

We are looking at options for these older distros.  We will update this notice if/when we find them.

Auto-patching

Because of the severity of the issue we may look at attempting to auto-patch the binary on servers where we have our RimuHosting key enabled (see https://rimuhosting.com/knowledgebase/rimuhosting/rimuhosting-ssh-access).

Because not all servers are the same, the auto-patch may not correct the problem on 100% of servers.  If you wish to guarantee the binary is patched, please follow the steps above.

If we have access to your server and you do *not* wish us to attempt to do an update please submit a support ticket with the subject of nobashupdateplease.  If you have already fixed the issue then the autopatch should do nothing so you should be fine to not send us a nobashupdateplease request.

Update @Sat 27 1225 UTC: We have started working on the autopatch script.  An early version is at https://github.com/pbkwee/deshellshock .  Please do not run that yet.  We will shortly be running a version of it on servers where we have not received the 'nobashupdateplease' notice.  We hope to have a list of vulnerable and fixed servers shortly.


host987.rimuhosting.com drive failing

Posted: Wed, 24 Sep 2014 21:47 PM UTC
Last Update: Fri, 26 Sep 2014 03:01 AM UTC
Status: Open
Affected Server: host987.rimuhosting.com

Update: Fri, 26 Sep 2014 02:59 AM UTC: The new drive is also showing errors.  We have ordered a replacement drive and will work on swapping that in once it arrives.

Update: Fri, 26 Sep 2014 02:50 AM UTC: The drive swap is now complete and raid is syncing.

Update: Fri, 26 Sep 2014 02:26 AM UTC: We are starting work on replacing this drive.  The host server has hot-swap drive bays, so we will not need to take the server offline to complete the drive swap.

host987.rimuhosting.com has a failing drive, and we will be working on replacing it.  The host has hot-swap drives, so we do not expect any downtime while completing the drive swap.
