Major security alert: bash shell bug can pwn your box

Due to overwhelming demand, we have created a forum just dedicated to Toughbook users who use Linux!
Message
Author
User avatar
kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Major security alert: bash shell bug can pwn your box

#1 Post by kode-niner »

I've been patching servers left and right since yesterday. This can also affect desktop systems so look for bash upgrades from your respective repos.

http://web.nvd.nist.gov/view/vuln/detai ... -2014-6271



Quoted form redhat.com:
Diagnostic Steps
To test if your version of Bash is vulnerable to this issue, run the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

you are using a vulnerable version of Bash.
If you don't have a bash upgrade available and you need to patch it quickly, try this:
https://access.redhat.com/articles/1200223
However this patch might be incomplete.

You know who to ask if you need help. ;)
Daily drives a CF-31

User avatar
mklym
Posts: 907
Joined: Fri Feb 22, 2013 3:10 pm
Location: Edmonton, Alberta

Re: Major security alert: bash shell bug can pwn your box

#2 Post by mklym »

Here is some more info. I got the notice this morning, but this is the first time I had a chance to check me email.

Code: Select all

National Cyber Awareness System:
TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
09/25/2014 12:56 PM EDT

Original release date: September 25, 2014
Systems Affected

    GNU Bash through 4.3.
    Linux, BSD, and UNIX distributions including but not limited to:
        CentOS 5 through 7
        Debian
        Mac OS X
        Red Hat Enterprise Linux 4 through 7
        Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

    Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
    Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities.
    Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
    Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.
Solution

Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.
References

    Ars Technica, Bug in Bash shell creates big security hole on anything with *nix in it;
    DHS NCSD; Vulnerability Summary for CVE-2014-6271
    DHS NCSD; Vulnerability Summary for CVE-2014-7169
    Red Hat, CVE-2014-6271
    Red Hat, Bash specially-crafted environment variables code injection attack
    CERT Vulnerability Note VU#252743

Revision History

    September 25, 2014 - Initial Release
CF-29LTQ,CF-31SBM,CF-52youngGUN,

Life's Journey is not to arrive safely at the grave in a well preserved body, but rather to skid in sideways totally worn-out shouting 'Woo Hoo! What a ride!

Motorsports - the only real sport. If it doesn't have a motor, it is just a game.

There is always something waiting at the end of the road, if you are not willing to see what it is, you probably shouldn't be out there in the first place.

UNCNDL1
Posts: 509
Joined: Wed Nov 16, 2011 8:01 pm
Location: New England

Re: Major security alert: bash shell bug can pwn your box

#3 Post by UNCNDL1 »

Thanks for the heads up. Now I know what my manager at work was talking about earlier, these alerts came through the hospital i.t. department and e-mails were sent out to management.
CF-53 MX-Linux 21 Wildflower
CF-30 MK2 SSD MX-21 Betsy, MK2 Navigatrix, Fundraiser for TbT
CF-52 GUN SSD MX-19
(NICE) Thanks Sadlmkr
CF-M34 MicroWattR8 Thanks Sadlmkr
CF-M33 MicroWattR8 Thanks Springfield

User avatar
SHEEPMAN!
Posts: 2239
Joined: Thu Oct 14, 2010 1:13 pm
Location: TDR-HQ California

Re: Major security alert: bash shell bug can pwn your box

#4 Post by SHEEPMAN! »

To ease the pressure a little...I ran updates for Mint 17 and the fix was in. :)
THE STEPS:
1. I tried the code from kode. Bash was vulnerable.
2. Ran the updates from Mint 17 package.
3. Tried the code from kode and bash was fixed.

FWIW

Code: Select all

cc@CF-30CCS85BM ~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
cc@CF-30CCS85BM ~ $ 
Fair for you/ Fair for me.
I chose to NOT be organized.

-------------------------------------------------------------------[/color]
http://toughbooktalk.com/
http://forum.notebookreview.com/panasonic/

UNCNDL1
Posts: 509
Joined: Wed Nov 16, 2011 8:01 pm
Location: New England

Re: Major security alert: bash shell bug can pwn your box

#5 Post by UNCNDL1 »

Home on the 52GUN, ran the code:
gun@gun:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
gun@gun:~$
Whew! :doh:
CF-53 MX-Linux 21 Wildflower
CF-30 MK2 SSD MX-21 Betsy, MK2 Navigatrix, Fundraiser for TbT
CF-52 GUN SSD MX-19
(NICE) Thanks Sadlmkr
CF-M34 MicroWattR8 Thanks Sadlmkr
CF-M33 MicroWattR8 Thanks Springfield

User avatar
kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: Major security alert: bash shell bug can pwn your box

#6 Post by kode-niner »

Well that was fun. Some servers needed an upgrade, other older ones had to be patched. I heard someone already created a botnet from exploiting this.
Daily drives a CF-31

User avatar
SHEEPMAN!
Posts: 2239
Joined: Thu Oct 14, 2010 1:13 pm
Location: TDR-HQ California

Re: Major security alert: bash shell bug can pwn your box

#7 Post by SHEEPMAN! »

So where do I find a patch (understandable) for Mint 15? :confused:

Did you get the tracking number? "Customs Clearance Complete" end edit :salute:
Fair for you/ Fair for me.
I chose to NOT be organized.

-------------------------------------------------------------------[/color]
http://toughbooktalk.com/
http://forum.notebookreview.com/panasonic/

User avatar
kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: Major security alert: bash shell bug can pwn your box

#8 Post by kode-niner »

Yeah I'm tracking it! Would have been great to help you answer this question. Is support for Mint 15 dead and they're not putting up an updated version of bash on their repos? Or does Mint have a separate security or volatile repo you have to add to get updates? They might spare you the fun of having to compile your own. ;) Otherwise I'm not sure if bash on the Debian branch can use the dev's patches.

The latest bash on Debian stable after yesterday's second patch is 4.2+dfsg-0.1+deb7u3 and they're running 4.3-9.2 on unstable.
Daily drives a CF-31

User avatar
mklym
Posts: 907
Joined: Fri Feb 22, 2013 3:10 pm
Location: Edmonton, Alberta

Re: Major security alert: bash shell bug can pwn your box

#9 Post by mklym »

This is from the Mint forum, in a thread called "BASH vulnerability a.k.a. 'Shellshock'".

Summary of need to know information:

Linux Mint 13 has been fully patched: just install level 3 updates from Update Manager to get bash update 4.2-2ubuntu2.3 (changelog).
This fixes both CVE 2014-6271 and CVE-2014-7169.
Linux Mint 17 has been fully patched: just install level 3 updates from Update Manager to get bash update 4.3-7ubuntu1.3 (changelog).
This fixes both CVE 2014-6271 and CVE-2014-7169.
Other versions of Linux Mint are obsolete and do not receive security updates!!! Either patch bash manually, or install Linux Mint 13 or 17. More information: http://forums.linuxmint.com/viewtopic.php?t=173378
LMDE is not yet patched, but you can get a patched version of bash from Debian sid. See this post: http://forums.linuxmint.com/viewtopic.p ... 60#p928236

The bash vulnerability primarily affects users running server software (e.g., Apache web server) that is reachable from the Internet. As home users not running any server software that is reachable from the Internet, this bash vulnerability doesn't immediately affect you.

http://forums.linuxmint.com/viewtopic.php?f=42&t=179002

Going to install Mint17 on the CF-29MK4 today.
CF-29LTQ,CF-31SBM,CF-52youngGUN,

Life's Journey is not to arrive safely at the grave in a well preserved body, but rather to skid in sideways totally worn-out shouting 'Woo Hoo! What a ride!

Motorsports - the only real sport. If it doesn't have a motor, it is just a game.

There is always something waiting at the end of the road, if you are not willing to see what it is, you probably shouldn't be out there in the first place.

User avatar
SHEEPMAN!
Posts: 2239
Joined: Thu Oct 14, 2010 1:13 pm
Location: TDR-HQ California

Re: Major security alert: bash shell bug can pwn your box

#10 Post by SHEEPMAN! »

kode-niner wrote:Yeah I'm tracking it! Would have been great to help you answer this question. Is support for Mint 15 dead and they're not putting up an updated version of bash on their repos? Or does Mint have a separate security or volatile repo you have to add to get updates? They might spare you the fun of having to compile your own. ;) Otherwise I'm not sure if bash on the Debian branch can use the dev's patches.

The latest bash on Debian stable after yesterday's second patch is 4.2+dfsg-0.1+deb7u3 and they're running 4.3-9.2 on unstable.
Support is dead???or in the archives???

Thanks Morgan for the quote there. Your phone the same?

I'll make a decision later....maybe I'll wait until ol' koder there fixes the infamous flicker.....then upgrade....:D I hate to be forced to upgrade.....what is this M$?
Fair for you/ Fair for me.
I chose to NOT be organized.

-------------------------------------------------------------------[/color]
http://toughbooktalk.com/
http://forum.notebookreview.com/panasonic/

Post Reply

Return to “The LINUX forum!!!”