Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - rated 10 !
http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271
Worse than Heartbleed due to the number of exposed systems some claim. |
Bash Remote Code Execution Vulnerability (Shellshock)
Ok, so this news got me this morning. Basically, it says bash can be exploited to gain control of the shell.
From what I have gathered to far, the following can be used to test if your machine is vulnerable: Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" CentOS update Refs: CERT GNU Can anyone please share what they know about this bug? |
i run all upgrades on my ubuntu but according to test it is still vulnerable.
|
Hi,
Quote:
Evo2. |
For this bug to be exploitable from remote, you need to have a bash script that can be run from remote. A cgi script using bash is vulnerable. Fortunatly, the default shell is usually not bash anymore, and bash cgi scripts are not common.
I worry more about embedded systems with web interfaces. |
Shellshock Patching RHEL
$ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
My servers are RHEL 6. If the bash is vulnerable, should I A) download the latest patched bash rpm and install it ? B) or can I safely yum upgrade ONLY the patched bash package ? I do not want to update/upgrade anything other than bash. C) Some sources say a reboot is required, some say a ldconfig will suffice. Does option A or B require a reboot or an ldconfig only ? |
First determine if you're affected. Do you have restricted users connecting via public key auth forced to execute a script rather than be dropped into a shell? If not then this vulnerability doesn't affect you much.
If so first update and determine if it has already been fixed. Code:
# https://access.redhat.com/node/1207723 |
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?
This has not been updated since yesterday, so realize that there is more information out there about the bug, and more fixes and patches now. Go seek them.
This is a good starting point, but IT IS NOT an exhaustive resource. Vulnerability: Shell shock - Bash Bug - Bash Attack CVE http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271 Breakdown: Quote:
The bug can currently be exploited through externally facing WEB servers as well as anything that listens to the world at large and sends variable info to bash. Current 0-day's include vuln scanning for Cpanel and other well known CGI scripts on the net. The CURRENT primary attack vector is old CGI scripts. http://seclists.org/oss-sec/2014/q3/650 There is already a worm being found based on the exploit: https://gist.github.com/anonymous/929d622f3b36b00c0be1 As of last night there is a metasploit module to exploit the bug (brace yourselves for the script kiddies): https://github.com/rapid7/metasploit...faf4c0d6912575 Additional info: https://community.rapid7.com/communi...-cve-2014-6271 https://securityblog.redhat.com/2014...ection-attack/ http://lcamtuf.blogspot.com/2014/09/...ts-impact.html http://www.smittix.co.uk/fedora-20-u...cve-2014-6271/ http://arstechnica.com/security/2014...ith-nix-in-it/ https://access.redhat.com/articles/1200223 Options:
Patches: MANUAL Patch for Debian 6: Code:
# check to ensure vulnerable MANUAL Patch for Debian 7: Code:
# check to ensure vulnerable Code:
# check vulnerability Code:
#The following mod_security rules can be used to reject HTTP requests containing data that may be interpreted by Bash as function #definition if set in its environment. They can be used to block attacks against web services, such as attacks against CGI #applications # check, if 'vulnerable' appears, then you are vulnerable Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" Code:
rpm -q --changelog bash | head |
I do have a system with a web interface that runs a bash script, however the user on the web page has no control over the bash script that's run, arguments to it, environment variables that might be in place, etc. They just click a button and internally a bash script is called.
I can't imagine this would be susceptible since the user can't set any environment variables on the system before/during/after the script is called, but I would just like some confirmation. |
Quote:
|
No.
This "mainly" has to do with CGI scripts that call bash. Of course, there are an indefinite number of other ways as well. Remediation Steps 1 and 2 currently is to:
And keep your ears open for any other attack vectors released, and patch those as well. I'm doing my best to update my post about it here: http://www.linuxquestions.org/questi...3/#post5244106 |
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?
I support Sticky for this topic.
|
If you have a bash script in cgi-bin, you are vulnerable.
http://security.stackexchange.com/qu...d-be-exploited Bottom comment shows an example. You don't need to login, and there is nothing the bash script can do to prevent it. |
rhel 5.8 bash patching
rpm -qa |grep bash says RHEL 5.8 bash-3.2-32.el5
yum update bash will upgrade bash to 3.2-33. << Pretty sure this is not a patched bash. ================================================================================== Package Arch Version Repository Size ================================================================================== Updating: bash x86_64 3.2-33.el5.1 rhel-x86_64-server-5 1.8 M |
Quote:
Code:
x='() { :;}; echo you are Vulnerable>/tmp/bashbug.out' bash -c "cat /tmp/bashbug.out || echo You are PATCHED" |
That looks like the patched version (3.2-33.el5.1)
https://rhn.redhat.com/errata/RHSA-2014-1293.html Once installed you can read about the patch with: Code:
rpm -q --changelog bash | head |
Alright then I'm pretty sure mine are fine, the shell scripts are run using exec in mod_php, no cgi is involved, so as far as I understand it an attacker has no way of passing an environment variable through to the shell.
|
Correct:
Quote:
|
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?
I've posted a note to the Linux - News forum (and a couple other places). A sticky in Linux - Security may be in order, but I'm not sure a site wide notice is needed at this time.
--jeremy |
What I don't get is why the the bash developers EVER thought it would be a remotely good/safe idea to pull in function declarations from environment variables in the first place.
Even after this bug is fixed (which apparently it isn't yet), this is still a vulnerability in bash IMO. Take the following code, running on a patched system, setting an environment variable to replace a standard Linux command with custom code: Code:
$ env ls='() { echo this is a fake ls; }' bash -c "ls" Code:
$ ls edit: apparently cgi prefixes any environment variables before setting them for the shell, so it's not as bad as I had feared. I still don't like the notion of cgi setting http headers as environment variables, and then bash turning environment variables into functions though. |
ShellShock
my centOS 6 repos dont even show the fix as available, what gives?
can we wrap bash to mitigate the issue ? |
Quote:
i am wondering why the repos dont have the fixed package yet. |
Quote:
|
Quote:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 It's not complete, but it takes care of the primary vulnerability. Even once bash is fixed completely, attackers will still be able to define custom functions in any resulting bash shell by manipulating the environment though, which makes me uneasy. |
Quote:
the link shows c files from 12Sep and 14Sep, looks like it wasnt fixed yet at that time, or am i missing something? thus we are still waiting on a fix to handle the complete issue? |
CentOS back-ports security updates. So even though the bash version is "vulnerable" according to the reports, the shellshock fix has been back-ported to take care of the problem.
If you run Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" This vulnerability still hasn't been fixed though: Code:
env X='() { (a)=>\' bash -c "echo date"; cat echo |
oddly, bash-4.1.2-15.el6_5.1.i686 is listed in my CentOS repo but not as a security fix !! yum check-update --security , no packages available.
but bash-4.1.2-15.el6_5.1.i686 is listed on RH site as vulnerable, so i guess the fix was bad and we are still waiting ?? |
4.1.2-15.el6_5.1 does have the fix for vulnerability #1, that's the version installed on my CentOS 6.5 systems:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" |
Quote:
|
Quote:
the 2nd command, i get X syntax error, error importing function, etc perhaps you have the two backwards ?? verified with rpm -qf /bin/bash |
The first patch rushed out to fix this was incomplete and I suspect RHEL paying customers are in line ahead of CentOS to get the second one. Here is the article:
https://securityblog.redhat.com/2014...ection-attack/ https://access.redhat.com/articles/1200223 |
That's what it's supposed to do. A broken system would print
Code:
vulnerable Code:
bash: warning: x: ignoring function definition attempt |
Quote:
Safe travels. |
http://forums.linuxmint.com/viewtopic.php?f=47&t=178935
Mint 13 and 17 as well as LMDE are all patched now. Not that bash is used by default in any of the versions! |
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?
Thanks for this thread.
Great collection of links. Clear, concise details for dealing with the issue. Most of all there is no silly dramatics. |
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?
Thanks for the squeeze-lts packages, very much appreciated.
Cheers,[COLOR="Silver"] |
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?
Try all three of these tests before you think you're fixed:
env X='() { :;}; echo' /bin/cat /etc/passwd; echo 'Welcome to he Simple ShellShock Tester By Svieg';echo 'Your infos are at risk'; env x='() { :;}; echo Your system is vulnerable update ASAP' bash -c "echo Visit svieg.wordpress.com for update info" env X='() { (a)=>\' bash -c "echo date" The standard env test listed is not the only variable that needs to be patched! although this thread helped patch one problem there are still more : Quote:
|
Quote:
How do I find out if my system is patched or not? How likely is this to affect me? Thanks :) |
Update for other non-computer people. I found this thread here: http://forums.linuxmint.com/viewtopi...928313#p928313
This is what I did which might possibly fix the problem within LMDE (Linux Mint Debian Edition): Menu -> Update Manager -> Edit -> Software Sources -> Additonal Repositories -> Add New Repository -> Enter the follow text Code:
deb http://ftp.debian.org/debian sid main contrib non-free Code:
sudo apt-get install bash Do not just "apt-get upgrade" as people are reporting this breaks their system. Once installed, remove the repository that you added within Update Manager. I sincerely hope if this is wrong that someone corrects me shortly.. |
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?
I just run the MANUAL Patch for Debian 6 and now when I get
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" this is a test so it appears to be fixed however my bash version still shows GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu) |
You can always do it by the source and patch using the latest patches
#check what you have for a version and sub in place of the 4.3 or 43 dpkg-query -l|grep bash cd /usr/src wget ftp://ftp.cwru.edu/pub/bash/bash-4.3.tar.gz tar zxvf bash-4.3.tar.gz cd bash-4.3 # download and apply all patches, including the latest one that patches # note the 0 to 12 should be changed to the patches so if there are 0 to 59 patches you should have 0 59 for i in $(seq -f "%03g" 0 12); do wget -nv ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches/bash43-$i patch -p0 < bash43-$i done # compile and install to /usr/local/bin/bash ./configure && make && make install # point /bin/bash to the new binary mv /bin/bash /bin/bash.old ln -s /usr/local/bin/bash /bin/bash # test by comparing the output of the following env x='() { :;}; echo vulnerable' /bin/bash.old -c echo env x='() { :;}; echo vulnerable' bash -c echo #get rid of the problem bash file rm /bin/bash.old |
Look on the Mint Forums site for details about Mint. Here, I've patched you through to the part talking about Bash Shellshock - http://forums.linuxmint.com/viewtopi...f=198&t=179002
|
Are shells other than bash also affected by this?
|
CentOS now is fully patched
Code:
# rpm -qi bash |
I'm on debian: SID atm. And when i try the command:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" However. I can only see the part where it echo's "this is a test". If the bash shell is patched it should give this error. bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test But it doesn't! I have updated bash to latest version. Anyone have a clue? |
Quote:
|
Yes
|
Quote:
|
Hi all, I just want to clarify, only bash is affected, right? and not ksh, tcsh and zsh?
|
Quote:
Code:
this is a test Btw: I'm using debian: Sid |
All times are GMT -5. The time now is 09:19 PM. |