LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-24-2014, 07:52 PM   #1
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,144

Rep: Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935Reputation: 2935
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - rated 10 !


http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271

Worse than Heartbleed due to the number of exposed systems some claim.
 
Old 09-25-2014, 01:39 AM   #2
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
Bash Remote Code Execution Vulnerability (Shellshock)

Ok, so this news got me this morning. Basically, it says bash can be exploited to gain control of the shell.

From what I have gathered to far, the following can be used to test if your machine is vulnerable:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
CentOS has immediately released a patch solve this issue.

CentOS update

Refs:
CERT
GNU

Can anyone please share what they know about this bug?
 
Old 09-25-2014, 03:25 AM   #3
yooy
Senior Member
 
Registered: Dec 2009
Posts: 1,387

Rep: Reputation: 173Reputation: 173
i run all upgrades on my ubuntu but according to test it is still vulnerable.
 
Old 09-25-2014, 03:34 AM   #4
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,009

Rep: Reputation: 1391Reputation: 1391Reputation: 1391Reputation: 1391Reputation: 1391Reputation: 1391Reputation: 1391Reputation: 1391Reputation: 1391Reputation: 1391
Hi,

Quote:
Originally Posted by yooy View Post
i run all upgrades on my ubuntu but according to test it is still vulnerable.
The Ubuntu Security Notice USN-2362-1 indicates they have fixes for the LTS releases.

Evo2.
 
Old 09-25-2014, 03:49 AM   #5
Guttorm
Senior Member
 
Registered: Dec 2003
Location: Trondheim, Norway
Distribution: Debian and Ubuntu
Posts: 1,334

Rep: Reputation: 362Reputation: 362Reputation: 362Reputation: 362
For this bug to be exploitable from remote, you need to have a bash script that can be run from remote. A cgi script using bash is vulnerable. Fortunatly, the default shell is usually not bash anymore, and bash cgi scripts are not common.

I worry more about embedded systems with web interfaces.
 
Old 09-25-2014, 07:22 AM   #6
tux100
LQ Newbie
 
Registered: Aug 2014
Posts: 22

Rep: Reputation: Disabled
Shellshock Patching RHEL

$ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true

My servers are RHEL 6.

If the bash is vulnerable, should I

A) download the latest patched bash rpm and install it ?

B) or can I safely yum upgrade ONLY the patched bash package ?
I do not want to update/upgrade anything other than bash.

C) Some sources say a reboot is required, some say a ldconfig will suffice. Does option A or B require a reboot or an ldconfig only ?

Last edited by tux100; 09-25-2014 at 07:26 AM.
 
Old 09-25-2014, 07:47 AM   #7
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,860
Blog Entries: 36

Rep: Reputation: 458Reputation: 458Reputation: 458Reputation: 458Reputation: 458
First determine if you're affected. Do you have restricted users connecting via public key auth forced to execute a script rather than be dropped into a shell? If not then this vulnerability doesn't affect you much.

If so first update and determine if it has already been fixed.

Code:
# https://access.redhat.com/node/1207723
sudo yum update bash
sudo /sbin/ldconfig
rpm -q --changelog bash | grep CVE-2014-6271
If you can't do that then switch the shell of the user away from bash to csh, ksh, or zsh.
 
Old 09-25-2014, 09:35 AM   #8
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

This has not been updated since yesterday, so realize that there is more information out there about the bug, and more fixes and patches now. Go seek them.

This is a good starting point, but IT IS NOT an exhaustive resource.

Vulnerability:
Shell shock - Bash Bug - Bash Attack

CVE
http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271

Breakdown:
Quote:
The vulnerability is caused by the ability to create environment variables with values before calling the bash shell. The variables that are passed can contain code, which are executed before the shell is actually invoked. The vulnerability is then exposed in the ability to add extra code to the end of these functions.
More info:
The bug can currently be exploited through externally facing WEB servers as well as anything that listens to the world at large and sends variable info to bash. Current 0-day's include vuln scanning for Cpanel and other well known CGI scripts on the net.

The CURRENT primary attack vector is old CGI scripts.

http://seclists.org/oss-sec/2014/q3/650

There is already a worm being found based on the exploit:
https://gist.github.com/anonymous/929d622f3b36b00c0be1

As of last night there is a metasploit module to exploit the bug (brace yourselves for the script kiddies):
https://github.com/rapid7/metasploit...faf4c0d6912575

Additional info:
https://community.rapid7.com/communi...-cve-2014-6271
https://securityblog.redhat.com/2014...ection-attack/
http://lcamtuf.blogspot.com/2014/09/...ts-impact.html
http://www.smittix.co.uk/fedora-20-u...cve-2014-6271/
http://arstechnica.com/security/2014...ith-nix-in-it/
https://access.redhat.com/articles/1200223

Options:
  • Upgrade BASH to a patched version
  • Use a different shell than BASH
  • Disable mod_cgi
  • Use rules to block nefarious requests

Patches:
MANUAL Patch for Debian 6:
Code:
# check to ensure vulnerable
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# make sure you are on debian 6
cat /etc/issue

# add the LTS sec repo
echo "#LTS security" >> /etc/apt/sources.list
echo "deb http://http.debian.net/debian/ squeeze-lts main contrib non-free" >> /etc/apt/sources.list
echo "deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free" >> /etc/apt/sources.list

# update and install patched bash
apt-get update
apt-get install bash

# run a new shell
bash
# check patch success
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

MANUAL Patch for Debian 7:
Code:
# check to ensure vulnerable
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# make sure you are on debian 7
cat /etc/issue

# update and install patched bash
apt-get update
apt-get install bash

# run a new shell
bash
# check patch success
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
MANUAL patch for Centos 6/7
Code:
# check vulnerability
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

yum -y install bash
or 
yum -y update

# check patch success
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Red Hat mod_security rules: (https://access.redhat.com/articles/1200223)
Code:
#The following mod_security rules can be used to reject HTTP requests containing data that may be interpreted by Bash as function #definition if set in its environment. They can be used to block attacks against web services, such as attacks against CGI #applications

#Request Header values:
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#SERVER_PROTOCOL values:
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#GET/POST names:
SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#GET/POST values:
SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
#File names for uploads:
SecRule  FILES_NAMES "^\(\) {"  "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271  - Bash Attack'"

#These may result in false positives but it's unlikely, and they can log them and keep an eye on it. You may also want to avoid #logging as this could result in a significant amount of log files.
tests:
# check, if 'vulnerable' appears, then you are vulnerable
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# rpm based systems
Code:
rpm -q --changelog bash | head
 # if you are running a patched version, you should see this:
 * Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.1.2-15.1
 - Check for fishy environment
   Resolves: #1141645

Last edited by szboardstretcher; 09-26-2014 at 10:02 AM.
 
Old 09-25-2014, 10:15 AM   #9
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134
I do have a system with a web interface that runs a bash script, however the user on the web page has no control over the bash script that's run, arguments to it, environment variables that might be in place, etc. They just click a button and internally a bash script is called.

I can't imagine this would be susceptible since the user can't set any environment variables on the system before/during/after the script is called, but I would just like some confirmation.
 
Old 09-25-2014, 10:49 AM   #10
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Guttorm View Post
For this bug to be exploitable from remote, you need to have a bash script that can be run from remote.
Doesn't that require a login to the system?
 
Old 09-25-2014, 10:57 AM   #11
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651
No.

This "mainly" has to do with CGI scripts that call bash.

Of course, there are an indefinite number of other ways as well.

Remediation Steps 1 and 2 currently is to:
  • Update bash to a patched version
  • Disable mod_cgi if you can

And keep your ears open for any other attack vectors released, and patch those as well. I'm doing my best to update my post about it here: http://www.linuxquestions.org/questi...3/#post5244106

Last edited by szboardstretcher; 09-25-2014 at 11:00 AM.
 
1 members found this post helpful.
Old 09-25-2014, 11:06 AM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

I support Sticky for this topic.

Last edited by unSpawn; 09-27-2014 at 10:52 AM. Reason: //Pre-merge subject linking
 
Old 09-25-2014, 11:23 AM   #13
Guttorm
Senior Member
 
Registered: Dec 2003
Location: Trondheim, Norway
Distribution: Debian and Ubuntu
Posts: 1,334

Rep: Reputation: 362Reputation: 362Reputation: 362Reputation: 362
If you have a bash script in cgi-bin, you are vulnerable.

http://security.stackexchange.com/qu...d-be-exploited

Bottom comment shows an example. You don't need to login, and there is nothing the bash script can do to prevent it.
 
Old 09-25-2014, 11:39 AM   #14
tux100
LQ Newbie
 
Registered: Aug 2014
Posts: 22

Rep: Reputation: Disabled
rhel 5.8 bash patching

rpm -qa |grep bash says RHEL 5.8 bash-3.2-32.el5

yum update bash will upgrade bash to 3.2-33. << Pretty sure this is not a patched bash.

==================================================================================
Package Arch Version Repository Size
==================================================================================
Updating:
bash x86_64 3.2-33.el5.1 rhel-x86_64-server-5 1.8 M
 
Old 09-25-2014, 11:50 AM   #15
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
Quote:
Originally Posted by Guttorm View Post
If you have a bash script in cgi-bin, you are vulnerable.

http://security.stackexchange.com/qu...d-be-exploited

Bottom comment shows an example. You don't need to login, and there is nothing the bash script can do to prevent it.
Wait, I thought only bash is vulnerable. One comment says ksh is also vulnerable. I tested my Unix machine, AIX 6.1, and it doesn't look infected using this testing string:
Code:
x='() { :;}; echo you are Vulnerable>/tmp/bashbug.out' bash -c "cat /tmp/bashbug.out || echo You are PATCHED"
 
  


Reply

Tags
bash, vulnerability


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available LXer Syndicated Linux News 1 09-26-2014 01:43 PM
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - legacy system patch help Diggy Linux - Security 3 09-26-2014 01:06 PM
LXer: Flaw CVE-2014-6271 discovered in the Bash shell — update your Fedora systems LXer Syndicated Linux News 0 09-25-2014 04:41 AM
[SOLVED] CVE-2014-0224 vulnerability joraymasalvan Linux - Newbie 3 06-18-2014 08:26 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration