LiteSpeed Web Server Now Protected Against Shellshock

September 25th, 2014 by Security 2 Comments

Shellshock“Bigger than Heartbleed.” That’s what people are saying about Shellshock (CVE-2014-6271 and CVE-2014-7169). But LiteSpeed Web Server is now the only web server protect against Shellshock.

LiteSpeed is protected?

Yes! LSWS version 4.2.16 fully protects your server from Shellshock attacks through the web server. Upgrade now: /usr/local/lsws/admin/misc/ -f -v 4.2.16

This is LiteSpeed at its best: We take pride in lightning fast updates. Nobody likes security vulnerabilities, but, when they happen (and there’s been some big ones recently), you can rest secure knowing that we will always move swiftly to address them. As a commercial product, we have a team of dedicated developers that are always on call to provide the latest patches and updates. We were the first web server to patch for Heartbleed and we’re the first to patch for Shellshock. Neither Apache, nor NGINX can claim a patch for this Bash bug. That’s why you choose LiteSpeed — we’re here for you.

How is LiteSpeed protected?

In LSWS 4.2.16, if a request contains the environment variable string () { LSWS automatically ignores that environment value. Without this environment variable, the attacker has no vector. This means, if you use LiteSpeed Web Server, attackers cannot use HTTP requests to exploit the Shellshock vulnerability.

All web servers (LSWS, Apache, NGINX, etc…), as long as Bash is vulnerable, will have CGI scripts vulnerable to this Bash bug. As the current Bash patches are incomplete, we felt it important to take the extra steps to prevent attacks from coming in.

What about using ModSecurity to protect against Shellshock?

ModSecurity rules offer some protection against these Bash exploits, but you will have to block many different kinds of input and there may be ways to get around them. Running extra ModSecurity rules is also CPU intensive. For these reasons, we suggest upgrading to LSWS 4.2.16 instead of using ModSecurity rules to prevent Shellshock exploits.

So I upgrade LSWS and now I’m fully protected, right?

Just because LSWS is immune does not mean your server is completely protected. If a hacker can interact with your server without using the web server, they still may be able to use an environment variable to take advantage of vulnerable editions of Bash. You should still continue to update Bash. Patched versions of Bash have been released that partially fix the vulnerability. (Update: New patches have been released that now deal with CVE-2014-7169.) The correct versions for different Red Hat OSs are listed here.

Taking away the web server as an attack vector, though, prevents a large number of the easiest attacks, and it’s only available with LSWS. We are grateful for the trust that you put in us when you use LiteSpeed Web Server. We will always do our utmost to make sure we earn that trust.


Related Posts