Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - vulnerability in bash
http://arstechnica.com/security/2014...ith-nix-in-it/
I have some older servers running and I have run the
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
So apt-get update and apt-get install bash, but it's already the newest, and it is clearly, from
# dpkg-query -l | grep bash
ii bash 4.1-3 The GNU Bourne Again SHell
that I am running a version that is vulnerable. What I am looking for is a deb package or a repository that has the bash 4.1-3+deb6u1 version of LTS squeeze bash that is fixed, or how else am I to update this? Maybe I can just use a newer version and it will not affect anything else. Things are running good on these servers, no need to change a lot. thanks |
Hi,
it seems that the fix has only been released for wheezy so far. See: https://www.debian.org/security/2014/dsa-3032 A squeeze fix should be along soon. In the meantime, as an extra precaution, you can make /bin/sh point to something other than /bin/bash. Evo2. |
According to the RedHat release the vulnerability is very fresh and only patched versions of Bash are safe:
https://securityblog.redhat.com/2014...ection-attack/ I'm not sure if there is a safe Debian version ready yet. It's not in Squeeze nor Jessie, I've updated both earlier today. (but admittedly I may have missed any Bash updates in Jessie as that machine had 600+MB of updates to process) |
humm Mine seems to point to dash
in the /bin directory:
~$ ls -lha /bin | grep sh
-rwxr-xr-x 1 root root 994K Apr 16 17:23 bash
-rwxr-xr-x 1 root root 115K Jan 10  2014 dash
lrwxrwxrwx 1 root root    4 Apr 16 17:23 rbash -> bash
lrwxrwxrwx 1 root root    4 Jan 10  2014 sh -> dash
lrwxrwxrwx 1 root root    4 Mar  1  2012 sh.distrib -> dash
~$ dpkg-query -l | grep bash
ii  bash 4.3-7 amd64 GNU Bourne Again SHell
~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
~$
but shows i am still vulnerable |
Hello
you will find the package here : ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb bests Julien |
This bug only really matters if a person is running a server, right?
What was the deal with this bug? Something was taking over bash programs? I read this: http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271 I still don't see what the issue is. Was the bug an issue if someone had a server port open, such as SSH? I did the apt-get update; apt-get upgrade. I also did the test, so I'm fine, I think. I disabled my SSH server when I had to deal with the moon-something mofo that got into the router; one of my old threads here. With this bug, could someone in a remote location access my user's BASH and open a firefox window with a particular weblink? It's always been a worry of mine that the terminal could be taken advantage of. I didn't know how, but I often considered that it could happen. |
Humm the ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb is giving me a
Error: Response: 425 Failed to establish connection.
I did manage to get the file if it becomes important, but realized I am 64bit; will try on older servers I have. Unfortunately I have a feeling the /bin/sh links to korn and some others is not enough, and I do not want to be part of the hype of rumors, but from what I see I think there will be more detailed fixes soon. This might just be a quick fix, the patches being released now.
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff" |
Quote:
http://seclists.org/oss-sec/2014/q3/650 There is already a worm being found based on the exploit: https://gist.github.com/anonymous/929d622f3b36b00c0be1 |
I am able to patch my Debian 7 stuff, but for my squeeze servers I need a 64bit file and everything is telling me it's all up-to-date. Does someone have a deb repository for squeeze to patch bash? |
thank you so much, that did the trick for Debian 6 and 7. Everyone check out that link, and add in the repos you need for your version and/or follow what that link says.
Will be watching for updates. But what do I do about Debian 5? Anyone have repositories with a patched bash I can use? |
Debian 5 is seriously obsolete; Bash is perhaps not the least, but most certainly not the only, issue! IMO, you should update those ASAP.
The patches outlined above did the trick for me too, on Jessie a new Bash package is available as well. |
ok for Debian 5 Lenny I had to compile. I have done 3 servers that I set up in 2008 and it seems to work. Here is what I did; you may need to sub in the version of bash you are using, or check the server for the right directory or files.
# first find out the version you have so you know what to get for the patches and source files
dpkg-query -l | grep bash
# output: ii  bash  4.1-3  The GNU Bourne Again SHell
# i am doing everything in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1
# download and apply all patches, including the latest one that patches CVE-2014-6271
# note: if you are on an older version like 3.2 of bash I would use
#   for i in $(seq -f "%03g" 1 52); do
# since 3.2 has patches up to 52
# (the numbered patches start at 001; there is no bash41-000 on the GNU server)
for i in $(seq -f "%03g" 1 12); do
    wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
    patch -p0 < bash41-$i
done
# compile and install to /usr/local/bin/bash
./configure && make
make install
# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash
# test by comparing the output of the following (the old binary prints "vulnerable", the new one should not)
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo
# then delete the old one, that's a problem if left around
rm /bin/bash.old
I hope this helps other folks |
The patches that are out fix it; check this for updates
for the package manager patches: https://security-tracker.debian.org/...e-package/bash Will probably have to patch again as more comes out. This I can only guess is to keep some of the script kiddies away. If you run a webserver, I know this is just some guy making a point, but he got my server (209.126.*.*, not sure privacy-wise why I did that):
grep bash /var/log/apache2/access.log
209.126.*.* - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 216.75.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.*.* - - [24/Sep/2014:18:49:15 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 209.126.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
grep "\(?\s*_*\s*\)?\s*{|cgi" /var/log/apache2/access.log
grep /bin /var/log/apache2/access.log
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
Anyone good at filters for fail2ban? Maybe we can make a filter that helps keep folks at bay. |
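One way to answer the fail2ban question above: the thing every probe in those access.log lines has in common is the `() {` function-definition prefix that bash's environment-import bug keys on, and it shows up in whatever header the scanner chose (Referer, User-Agent, request line). The script below is an added example, not from this thread or from fail2ban itself. It parses Apache combined-format lines, flags any entry carrying that signature in a client-controlled field, tallies offending source addresses, and also carries a fail2ban-style filter (the file name apache-shellshock.conf and its failregex are my assumptions, written in fail2ban's `<HOST>` convention) that it converts to a Python regex so the same lines can be checked against it. The log lines are constructed samples using RFC 5737 documentation addresses, not the poster's logs.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Shellshock signature: an exported-function prefix "() {" (whitespace optional)
# appearing in a field the client controls. Legitimate HTTP traffic never carries it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Hypothetical fail2ban filter, e.g. /etc/fail2ban/filter.d/apache-shellshock.conf
# (assumed path and name). fail2ban substitutes its own host pattern for <HOST>.
FAIL2BAN_FILTER = r"""[Definition]
failregex = ^<HOST> .*\(\)\s*\{
ignoreregex =
"""

# Constructed sample log lines (RFC 5737 documentation addresses, benign echo payloads).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; echo probe" "shellshock-scan (constructed sample)"
198.51.100.7 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; echo probe"
203.0.113.5 - - [25/Sep/2014:17:42:32 -0400] "GET /index.html HTTP/1.1" 200 288 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [25/Sep/2014:18:00:00 -0400] "GET /cgi-bin/status HTTP/1.1" 404 288 "-" "() {:;}; echo probe"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(entry):
    """True when any client-controlled field carries the "() {" signature."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("request", "referer", "agent"))


def scan(lines):
    """Count probing source hosts across the given log lines (unparseable lines are skipped)."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_shellshock_probe(entry):
            hits[entry["host"]] += 1
    return hits


def failregex_to_python(filter_text):
    """Turn the filter's failregex into a Python regex by expanding <HOST> to a capture group."""
    for line in filter_text.splitlines():
        if line.startswith("failregex"):
            pattern = line.split("=", 1)[1].strip()
            return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))
    raise ValueError("filter has no failregex")


def fail2ban_hits(lines, filter_text=FAIL2BAN_FILTER):
    """Hosts the fail2ban failregex would ban, one entry per matching line, in log order."""
    regex = failregex_to_python(filter_text)
    return [m.group("host") for line in lines if (m := regex.search(line))]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, n in scan(lines).most_common():
        print(f"{host}: {n} shellshock probe(s)")
    print("fail2ban would match:", fail2ban_hits(lines))
```

The two checks agree on the sample (two probes from 192.0.2.10, one from 198.51.100.7, none from the ordinary browser request), which is the point: before deploying a failregex, run it over real log lines with `fail2ban-regex` or a script like this and confirm it bans exactly the hosts the parser flags and nothing else. Note that the filter only catches attempts already logged by Apache; it does not tell you whether the CGI behind the URL was actually vulnerable, so it complements the bash update rather than replacing it.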
Hello Charly78
I apologize for the link I gave you; it redirects to a French server and I'm not sure that you can access it from your location. You should be able to download the patches from aptitude or apt-get, but if it doesn't work, you can download them directly from the Debian repository:
using an ftp client: ftp://ftp.debian.org
navigate to /debian/pool/main/b/bash/
locate and download the file you need: bash_4.1-3+deb6u2_amd64.deb should suit you.
bests Julien |