Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
For this bug to be exploitable from remote, you need to have a bash script that can be run from remote. A cgi script using bash is vulnerable. Fortunatly, the default shell is usually not bash anymore, and bash cgi scripts are not common.
I worry more about embedded systems with web interfaces.
First determine if you're affected. Do you have restricted users connecting via public key auth forced to execute a script rather than be dropped into a shell? If not then this vulnerability doesn't affect you much.
If so first update and determine if it has already been fixed.
This has not been updated since yesterday, so realize that there is more information out there about the bug, and more fixes and patches now. Go seek them.
This is a good starting point, but IT IS NOT an exhaustive resource.
The vulnerability is caused by the ability to create environment variables with values before calling the bash shell. The variables that are passed can contain code, which are executed before the shell is actually invoked. The vulnerability is then exposed in the ability to add extra code to the end of these functions.
More info:
The bug can currently be exploited through externally facing WEB servers as well as anything that listens to the world at large and sends variable info to bash. Current 0-day's include vuln scanning for Cpanel and other well known CGI scripts on the net.
The CURRENT primary attack vector is old CGI scripts.
# check to ensure vulnerable
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# make sure you are on debian 6
cat /etc/issue
# add the LTS sec repo
echo "#LTS security" >> /etc/apt/sources.list
echo "deb http://http.debian.net/debian/ squeeze-lts main contrib non-free" >> /etc/apt/sources.list
echo "deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free" >> /etc/apt/sources.list
# update and install patched bash
apt-get update
apt-get install bash
# run a new shell
bash
# check patch success
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
MANUAL Patch for Debian 7:
Code:
# check to ensure vulnerable
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# make sure you are on debian 7
cat /etc/issue
# update and install patched bash
apt-get update
apt-get install bash
# run a new shell
bash
# check patch success
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
MANUAL patch for Centos 6/7
Code:
# check vulnerability
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
yum -y install bash
or
yum -y update
# check patch success
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
#The following mod_security rules can be used to reject HTTP requests containing data that may be interpreted by Bash as function #definition if set in its environment. They can be used to block attacks against web services, such as attacks against CGI #applications
#Request Header values:
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#SERVER_PROTOCOL values:
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#GET/POST names:
SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#GET/POST values:
SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#File names for uploads:
SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#These may result in false positives but it's unlikely, and they can log them and keep an eye on it. You may also want to avoid #logging as this could result in a significant amount of log files.
tests:
# check, if 'vulnerable' appears, then you are vulnerable
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# rpm based systems
Code:
rpm -q --changelog bash | head
# if you are running a patched version, you should see this:
* Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.1.2-15.1
- Check for fishy environment
Resolves: #1141645
Last edited by szboardstretcher; 09-26-2014 at 10:02 AM.
I do have a system with a web interface that runs a bash script, however the user on the web page has no control over the bash script that's run, arguments to it, environment variables that might be in place, etc. They just click a button and internally a bash script is called.
I can't imagine this would be susceptible since the user can't set any environment variables on the system before/during/after the script is called, but I would just like some confirmation.
Bottom comment shows an example. You don't need to login, and there is nothing the bash script can do to prevent it.
Wait, I thought only bash is vulnerable. One comment says ksh is also vulnerable. I tested my Unix machine, AIX 6.1, and it doesn't look infected using this testing string:
Code:
x='() { :;}; echo you are Vulnerable>/tmp/bashbug.out' bash -c "cat /tmp/bashbug.out || echo You are PATCHED"
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.