Tracking MPE/iX Vulnerability to Shellshock
October 17, 2014
Security experts say the Shellshock bug in the bash shell is serious, so much so that they're comparing it to the Heartbleed vulnerability in OpenSSL from earlier this year. Many say Shellshock is the greater threat: Heartbleed leaked memory, while Shellshock lets an attacker run commands.
Once again, this has some impact on HP 3000s, just as Heartbleed did. But you'll need to be managing a 3000 that's exposed to the Internet, or that takes input from the network, to have a risk to address as part of system administration. Web servers running CGI scripts, domain name servers, and other net-facing services that pass what they receive into bash provide the way in for an attack. Not much of that is running in the customer base today, but the software is still sitting on the 3000 systems, along with the programs that could expose it.
Authorities fear a deluge of attacks could emerge. The US government's National Vulnerability Database has rated the flaw (CVE-2014-6271) 10 out of 10 for severity.
Bash is open source software, and our expert on that subject, Brian Edminster, is working on a report specific to the vulnerabilities. Hewlett-Packard has posted a security bulletin that points to a patched version of the bash shell utility. But that version won't help HP 3000s.
It's not that HP doesn't know about the 3000 any longer. The patching menu above shows that MPE is still in the security lexicon at Hewlett-Packard. But Edminster thinks the only way to make bash safe again on MPE might be to port it afresh. "The 3000's bash is version 2.04, but the version that's considered 'current' is 4.x (depending on what target system you're on)," he said. "So if v2.04 is broken, the code-diffs being generated to fix the issues [by HP] in late-model bash software won't be of much (if any) use."
The bug lets an attacker who can get text into an environment variable of a bash process (the headers of a web request handled by a CGI script, for instance) run arbitrary commands on the machine with the privileges of the service that started bash. No login and no admin status are needed, and that is enough to plant malicious software on the system.
HP has released a software update to resolve the vulnerability in HP Next Generation Firewall (NGFW), which runs bash. Version NGFW v1.1.0.4153 fixes the flaw in that product. But NGFW doesn't run on MPE/iX.
Edminster forwards this advice while he's working on his report.
It's most likely to be an issue for web services that use bash scripts to process web-page input, for example on machines exposed to the Internet, and on those that have services that can accept input from the 'net. I'll work to round up as many examples of potential places this can be felt on a 3000, so that folks know where to look.
Yep — this one is messy, because it's not quite so cut-and-dried as HeartBleed was.
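Two checks that follow from the description of the bug above and from Edminster's advice on where to look (services that feed request input into bash). This is an added example, not code from the article, from HP, or from Edminster. The probe is the public one-line test that circulated when the bug was disclosed; it relies only on bash importing function definitions from the environment, a feature that predates the 3000's 2.04 build, so it should give an honest answer against that binary too. The function names, the host name, and the sample request lines are constructed for illustration, and running it on MPE/iX is assumed to mean running it from the POSIX shell with the path to the 3000's bash binary passed as the first argument, with env and grep -E available.

```shell
#!/bin/sh
# Added example (not from the article, HP, or Brian Edminster).
#
#   shellshock_probe [PATH_TO_BASH]
#       Runs the public CVE-2014-6271 test: exports a variable whose value
#       looks like a bash function with a command appended after it. An
#       unpatched bash executes the appended command while importing the
#       variable, before it ever runs the -c script.
#       Prints "vulnerable", "patched" or "no-bash".
#
#   scan_for_shellshock < REQUEST_LINES
#       Reads HTTP request headers (from an access log or a capture) on
#       stdin and prints every line carrying the "() {" prefix bash requires
#       before it treats a variable's value as a function definition. That
#       prefix is what turns a request header into a command vector.

shellshock_probe() {
    bash_bin="${1:-bash}"     # assumption: bash is on PATH or given as $1
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # The value starts with "() {", so an unpatched bash parses the whole
    # string as a function body and runs the trailing "echo" as code.
    # A patched bash refuses the import and complains on stderr instead.
    out=$(env 'x=() { :;}; echo SHELLSHOCK' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

scan_for_shellshock() {
    # A CGI gateway turns "User-Agent: () { ..." into
    # HTTP_USER_AGENT="() { ..." in the script's environment, so the
    # prefix anywhere in a header line is the thing to flag.
    grep -E '\(\) \{'
}

# Constructed sample request lines (not real traffic). Two carry the
# prefix; the Host, Cookie and ordinary User-Agent lines do not.
SAMPLE_REQUESTS='GET /cgi-bin/status.sh HTTP/1.0
Host: hp3000.example.com
User-Agent: () { :;}; /bin/cat /etc/passwd
Referer: () { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id
Cookie: session=abc123
User-Agent: Mozilla/5.0 (compatible; ordinary browser)'

count_shellshock_hits() {
    # Number of sample lines the scanner flags.
    printf '%s\n' "$SAMPLE_REQUESTS" | scan_for_shellshock | grep -c .
}

# Stand-alone run: probe the local bash, then list the flagged sample lines.
echo "local bash: $(shellshock_probe "$@")"
echo "flagged request lines:"
printf '%s\n' "$SAMPLE_REQUESTS" | scan_for_shellshock
```

The probe returns a non-zero status when it finds a vulnerable bash, so it can sit in a monitoring job; the scanner is a first pass over logs, not proof of compromise, since a flagged line only shows that someone sent the payload, not that a bash script ever received it.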