KB-4799: Are Centrify Server Suite Products / Components affected by CVE-2014-6271 ( Bash ShellShock )?

Centrify DirectControl

12 April,16 at 11:07 AM

Applies to:
 
All versions of Centrify DirectControl
 
Question:
 
Are Centrify Server Suite Products / Components affected by CVE-2014-6271 ( Bash ShellShock )?
 
Answer:
 
This vulnerability exists in the bash shell. For more details, please see the link below, provided as a courtesy.
 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
 
However:
 
1) Centrify does not own the bash shell. 
 
2) Centrify does not redistribute bash, or any variation of it. 
 
The OS vendors will have to address fixing bash itself. 
 
Additionally, for the Centrify Server Suite products:
 
a) Centrify's dzsh is a variant of the BSD Bourne shell. It is not bash, and it does not have this issue. 
 
b) Centrify's dash (DirectAudit shell) is a shell in name only. It does not execute anything, nor does it set environment variables. It is Centrify-written code that decides whether to audit the session and, if so, sets up the structures to do so. 

Note: If the customer is running DirectAudit 1.x or 2.x (i.e., Suite 2012.3 or earlier) and is configured to do shell auditing, please disable shell auditing before applying the patch to bash and re-enable it afterwards. The dacontrol command can be used to enable/disable DirectAudit (see the output of 'dacontrol –help' for detailed usage information).

 
c) Centrify's dzdo itself is not affected; however, please be aware of the note below.
 
Note: All shell scripts that invoke /bin/sh on Red Hat will actually invoke bash and are therefore affected.
 
/usr/share/centrifydc/bin/dzdo is actually a shell script that invokes the real dzdo (/usr/share/centrifydc/libexec/dzdo) as shown below.
 
--------------------------------------
[username@localhost]$ cat /usr/share/centrifydc/bin/dzdo
#! /bin/sh
 
unset _
LD_LIBRARY_PATH=/usr/share/centrifydc/lib64:/usr/share/centrifydc/kerberos/lib64
export LD_LIBRARY_PATH
exec /usr/share/centrifydc/libexec/dzdo "$@"
--------------------------------------
 
d) If the customer is using the dzdo validator feature, a user can exploit this vulnerability, since the validator is run as a shell script. This is due to the vulnerability in bash, not in dzdo.
 
Customers are STRONGLY advised to apply the bash fix ASAP. Until then, they are advised to do the following:
 
1.  Use /usr/share/centrifydc/libexec/dzdo directly, not by way of the script.
 
2.  Disable the dzdo validator feature by commenting out these lines in /etc/centrifydc/centrifydc.conf:
 
Dzdo.validator: /usr/share/centrifydc/sbin/dzcheck
Dzdo.validator.required: true
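The following POSIX shell script puts the checks and interim steps from this note into runnable form. It is an added illustration, not Centrify's code and not part of the original article. It performs a local self-check of bash for CVE-2014-6271 using the test string from the public advisories, reports whether a given dzdo path is the /bin/sh wrapper shown above or a native executable, and comments out the two Dzdo.validator lines. The centrifydc.conf it operates on is a constructed sample written to a temporary file, and the function names and file paths are assumptions, not Centrify tools:

```shell
#!/bin/sh
# Added example, not Centrify's code. All paths and the sample config are
# constructed for illustration; adapt them to a real installation.

# 1. Self-check of the local bash for CVE-2014-6271 with the test string
#    from the public advisories. A patched bash treats the text after the
#    function body as junk and never runs it; a vulnerable bash executes
#    the trailing "echo" while importing the variable.
check_bash_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"          # nothing to check on this host
        return 0
    fi
    out=$(env probe='() { :;}; echo VULNERABLE' bash -c 'echo probe-ok' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. Interim step 1: the dzdo found in PATH may be the /bin/sh wrapper from
#    the article rather than libexec/dzdo. Classify a path by its first line.
dzdo_path_kind() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*sh*) echo "shell-wrapper" ;;   # "#! /bin/sh", "#!/bin/bash", ...
        *)        echo "native" ;;
    esac
}

# 3. Interim step 2: comment out the two validator settings. A .bak copy is
#    kept. The pattern is anchored so other dzdo.* settings stay untouched.
disable_dzdo_validator() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    sed -e 's/^[[:space:]]*\([Dd]zdo\.validator\(\.required\)*[[:space:]]*:\)/# \1/' \
        "$conf" > "$tmp" && cp -p "$conf" "$conf.bak" && mv "$tmp" "$conf"
}

# Exit 0 while an uncommented validator setting is still present.
dzdo_validator_active() {
    grep -Eq '^[[:space:]]*[Dd]zdo\.validator(\.required)?[[:space:]]*:' "$1"
}

# Constructed sample so the script runs stand-alone; not a real centrifydc.conf.
SAMPLE_CONF="${TMPDIR:-/tmp}/centrifydc.conf.example.$$"
make_sample_conf() {
    cat > "$SAMPLE_CONF" <<'EOF'
# constructed example, not a real centrifydc.conf
Dzdo.validator: /usr/share/centrifydc/sbin/dzcheck
Dzdo.validator.required: true
dzdo.other.setting: unchanged
EOF
    echo "$SAMPLE_CONF"
}

# Usage: run the checks, then apply the config change to the sample file.
echo "local bash: $(check_bash_shellshock)"
echo "/usr/share/centrifydc/bin/dzdo: $(dzdo_path_kind /usr/share/centrifydc/bin/dzdo)"
conf=$(make_sample_conf)
disable_dzdo_validator "$conf"
if dzdo_validator_active "$conf"; then
    echo "validator still active in $conf"
else
    echo "validator disabled in $conf (backup: $conf.bak)"
fi
```

Run it as a regular user first; it only edits the sample file it creates. Point disable_dzdo_validator at the real /etc/centrifydc/centrifydc.conf only as root and only after reviewing the .bak it leaves behind, and remember that this is a stopgap: the actual fix is the OS vendor's bash update.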
 
Definitions:
 
The dzsh restricted environment shell is a customized Bourne shell for DirectAuthorize that provides environment variables, job control, command history, and command access as defined by DirectAuthorize roles. The restricted environment only allows the user to run the specific commands that have been defined in the user's assigned DirectAuthorize roles.
 
DirectAudit 1.x uses a shell wrapper named "dash". The DirectAudit 1.x dash shell creates a symbolic link pointing "/bin/sh" to "/bin/dash" (Centrify dash).
Centrify has since renamed the dash shell to "cdash" in version 2.x and higher.
 
 
