New VCP5-DCV Delta Exam

Yesterday, I got a message from VMware Education that they are offering an online VCP5-DCV recertification exam for a limited time. For any of you who have a VCP5 that is set to expire in the spring (that is most of you!), this is a terrific way to get recertified!

Here is the information from the VMware education site: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=51919&ui=www_cert

VCP5-DCV-Delta Exam

Download the exam blueprint here. After a quick review of the exam blueprint, it appears that the objectives are approximately the same; however, the VCP550D exam has 65 questions with 75 minutes to complete, while the VCP550 exam has 135 questions and a time limit of 120 minutes.

Here is a link to the Pearson Vue VCP550D exam page: https://www2.pearsonvue.com/testtaker/registration/ExamSeriesDetailPage/VMWAREINC/200140.


VMware Education’s Recertification Policy has other avenues for recertification for those of you who are interested in advancing to the Advanced Professional level (VCAP) or may be interested in broadening your certification with additional Professional level (VCP) certifications in Cloud, End User Computing or Network Virtualization.

Note that the offer is only good through November 30, 2014.

Shell Shocker BASH vulnerability links

A flaw in Bash, the most common Linux command shell, that has existed for 22 years was discovered and incompletely patched earlier this year, and it is reported to pose a very severe threat to any system that includes Bash. If you use a BASH shell in Linux or a derived operating system like Android or Apple OS X (like me, and I am sure many of you!), you are probably vulnerable.

According to Mitre:
vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Am I vulnerable?
Edit (for the time being): You are. No complete public fix has been posted yet for the new CVE (CVE-2014-7169). The check I give below only covers part of the vulnerability.
There is an easy check. Open a terminal and paste the following:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
It simply sets the environment variable called x to the value ‘() { :;}; echo vulnerable’ and then invokes bash, asking it to echo back the word hello. The value of x is a function definition whose body does nothing. However, it is crafted so that the trailing ‘echo vulnerable’ is executed while bash parses the environment at start-up, which just prints vulnerable to standard output.

If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If you are vulnerable, then you will see:
vulnerable
hello
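As an added example (not from the original post), here is the same check wrapped in a small POSIX shell script so it can be run from an inventory or configuration-management job and produce one status line per host instead of someone reading the output by eye. Like the manual test, it only exercises the original CVE-2014-6271 payload, so a host reported as "rejected" can still be affected by CVE-2014-7169 until a complete fix is applied.

```shell
#!/bin/sh
# Added example, not part of the original post: the manual Shellshock check
# above, made scriptable. Prints one of three status words:
#   rejected    bash did not run the trailing command (the CVE-2014-6271
#               vector is closed; the later CVEs need their own tests)
#   vulnerable  bash executed "echo vulnerable" while importing the environment
#   no-bash     no bash binary on PATH, so there is nothing to test
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Same payload as the one-line test: a do-nothing function body followed
    # by a command that only runs if bash keeps parsing past the body.
    # Warnings from a patched bash go to stderr, which is discarded here.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "rejected" ;;
    esac
}

# One tab-separated report line: hostname, bash version, status. Collecting
# these lines from every host gives a quick list of what still needs patching.
shellshock_report() {
    host=$(hostname 2>/dev/null || echo unknown-host)
    if command -v bash >/dev/null 2>&1; then
        ver=$(bash -c 'printf "%s" "$BASH_VERSION"')
    else
        ver="n/a"
    fi
    printf '%s\tbash=%s\t%s\n' "$host" "$ver" "$(shellshock_status)"
}

shellshock_report
```

Run it over ssh on each host (or push it through your configuration-management tool) and collect the lines; any line ending in "vulnerable" needs the Bash update immediately.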

Here is a link to more information from the Register: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
Here is an article from TrendMicro that also describes the vulnerability: http://blog.trendmicro.com/trendlabs-security-intelligence/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271/

Several of the vendors we have partnerships with are investigating their products to determine their vulnerability and response.

F5 has posted the security advisory: http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
VMware has posted in their security and compliance blog that they are investigating: http://blogs.vmware.com/security/2014/09/vmware-investigating-bash-command-injection-vulnerability-aka-shell-shock-cve-2014-6271-cve-2014-7169.html
Red Hat has posted a very good description on their security blog: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Another Red Hat post: https://access.redhat.com/articles/1200223

Here are links to the advisories and repositories from the US Government:

US Computer Emergency Readiness Team (US-CERT) Advisory: https://www.us-cert.gov/ncas/alerts/TA14-268A
NIST-National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Mitre Common Vulnerabilities and Exposures (CVE) entries: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Since the patches for Bash started being released last week, three new Bash vulnerabilities have been identified. These are new since I sent out the email last week. If systems were patched on Friday, they are probably still vulnerable unless the new patches have been applied!

US Computer Emergency Readiness Team (US-CERT) Advisory: https://www.us-cert.gov/ncas/alerts/TA14-268A

Vulnerability Note VU#252743, GNU Bash shell executes commands in exported functions in environment variables: http://www.kb.cert.org/vuls/id/252743 – This is a very good article describing affected systems.

NIST-National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187

Mitre Common Vulnerabilities and Exposures (CVE) entries: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Shellshocker.net https://shellshocker.net/ – Another terrific resource for understanding and testing for the 5 vulnerabilities identified so far and instructions on patching a number of operating systems.

Additional articles and advisories from vendors:

Novell/SUSE SLES 11 is affected: https://www.novell.com/support/kb/doc.php?id=7015705

Updated Knowledgebase article listing vulnerabilities in VMware products: KB 2090740 – This list is long, as VMware maintains dozens of Linux-based virtual appliances.

Palo Alto Networks Security Advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/24