A new vulnerability, known as “Shellshock”, was recently discovered within Bash. This security hole needs to be patched immediately to avoid potential exploits of your Linux server.
- For PIAF, you can follow this thread for patches and announcement http://pbxinaflash.com/community/index.php?threads/bash-security-vulnerability.15679/
- Since majority of the OS that we host is based on Centos, you can also update your Bash packages from the command line by typing yum update –y bash.
- If you run FreePBX distro (older one), the patched Bash package is not available on older Release 6.x. It is only available on release 6.5. If you run an older release, you can manually download the Bash package and install them. Please download the Bash from known sources. Or follow this thread http://community.freepbx.org/t/cve-2014-6271-shellshock-bash-exploit/24431/34
- For Ubuntu OS, there is no yum. There is no need to install yum. You can run the following command: apt-get update && apt-get install bash
We also want to stress the importance of hardening your PBX security. Your PBX should not be accessible by everyone in the internet. It only needs to be accessible by your users. You can restrict the access by using your IPTABLES (aka Linux firewall). I know that many of our clients have done so especially those who run PIAF + TravelinMan3. For those PBXes, the risks are minimized considerably since they are only accessible by your users.
Friday, September 26, 2014