US-CERT - Bourne Again Shell (Bash) Remote Code Execution Vulnerability


gary
25-09-2014, 04:26 PM
US-CERT has posted a warning of an exploit affecting the use of the Bash shell.

See https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

See http://www.smh.com.au/it-pro/security-it/shell-shock-bash-bug-labelled-largest-ever-to-hit-the-internet-20140925-10ltx1.html

Linux, UNIX and Mac OS X users should upload fixes for their respective
operating systems.

At the time of posting, Apple have yet to make an announcement or provide a fix.

Fixes are now available for all major Linux distributions.

RickS
25-09-2014, 04:40 PM
Thanks for the heads up, Gary!

lazjen
25-09-2014, 04:49 PM
Note that the first round of patches may not fully solve the problem - allegedly. There's probably going to be another round to come sometime.

mithrandir
26-09-2014, 09:28 AM
Interesting. I only got my US-CERT notification this morning.

Picked up the bash-018 patch (the relevant one for me) last night and recompiled.

Cygwin doesn't seem to have released an updated bash yet.

Octane
26-09-2014, 11:40 AM
Oracle's had a placeholder for the CVE since yesterday afternoon. I've been put in charge of patching our systems here; 54 of which are under my direct jurisdiction. Argh!

H

multiweb
26-09-2014, 01:25 PM
Currently Apple has plenty on their plate with bending not bashing.

mithrandir
26-09-2014, 04:02 PM
Groan

mithrandir
26-09-2014, 04:13 PM
From SANS a few hours ago. While he says LINUX, it should say any system using the bash shell.

GeoffW1
27-09-2014, 06:10 PM
:lol2:

gary
29-09-2014, 02:23 PM
Another article on the bash exploit in today's Sydney Morning Herald :-
http://www.smh.com.au/it-pro/security-it/shellshock-flaw-intertwined-with-modern-internet-may-affect-some-mac-users-20140929-10nerp.html

The link Andrew provided contains a test (see snippet below) :-
https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707


The US-CERT's advisory includes a simple command line script that bash
users can run to test for the vulnerability. To check your system
from a command line, type or cut and paste this text:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

multiweb
29-09-2014, 02:27 PM
Thanks for that Gary. Doesn't seem to affect FreeBSD.

RickS
29-09-2014, 02:38 PM
We had an exciting weekend testing new firmware releases. Fortunately, it's mostly automated.

Cheers,
Rick.

Octane
29-09-2014, 03:01 PM
I've been patching today. :)

What a sneaky little bugger.

H

mithrandir
29-09-2014, 03:04 PM
Could be, but does FreeBSD use bash by default, or some other shell?

Some *nixes provide bash but it is not the default shell. That includes a couple of Linux versions. What is the shell field in:

grep $USER /etc/passwd

I got used to typing (or putting in profile scripts):

which bash && exec bash -l



Enjoy H. You'll get to do it again in a few days, maybe weeks, when they work out the fix for CVE-2014-7169.
I see that a couple more patches were released over the weekend. I've installed and these protect against the 7169 test:

env X='() { (a)=>\' bash -c "echo date";

multiweb
29-09-2014, 03:53 PM
right... csh so C shell?

mithrandir
29-09-2014, 04:10 PM
Yep. csh == "C Shell". There's also tcsh - a somewhat smarter version of csh. One might be a symlink to the other.

My Linux has a choice of:

/bin/ash*
/bin/bash*
/bin/csh -> tcsh*
/bin/ksh*
/bin/rksh -> ksh*
/bin/sh -> bash*
/bin/tcsh*
/bin/zsh*

lazjen
29-09-2014, 05:04 PM
Be careful - even if your defaults aren't bash, if you've got bash installed, some other parts may use bash anyway.
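
An added example, not part of the thread or the US-CERT advisory: it combines the CVE-2014-6271 self-test quoted earlier with the point above that bash may be installed and used even when it is not the default shell, by running the test against every bash binary it can find, including /bin/sh when that is really bash. The function names are illustrative assumptions, and the script does not test for CVE-2014-7169.

```shell
#!/bin/sh
# Added example: run the CVE-2014-6271 self-test quoted in this thread against
# every bash binary found. Function names are illustrative, not from any tool.
# It does NOT cover the follow-up CVE-2014-7169 mentioned in the thread.

# Classify the combined stdout+stderr of the self-test.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo VULNERABLE          # the injected "echo vulnerable" ran
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo not-vulnerable      # only the intended command ran
    else
        echo unknown             # shell missing or failed to start
    fi
}

# Run the self-test from the thread against one shell binary.
check_shell() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>&1) || true
    classify_output "$out"
}

# Candidates: bash entries in /etc/shells, bash on PATH, and /bin/sh when it
# is really bash (a symlink or copy, as in the /bin/sh -> bash listing above).
list_bash_candidates() {
    {
        if [ -r /etc/shells ]; then grep -E '/bash$' /etc/shells || true; fi
        command -v bash || true
        if /bin/sh --version </dev/null 2>/dev/null | grep -q 'GNU bash'; then
            echo /bin/sh
        fi
    } | sort -u
}

# Print one "path<TAB>status" line per bash binary found.
audit() {
    list_bash_candidates | while read -r shell_path; do
        [ -x "$shell_path" ] || continue
        printf '%s\t%s\n' "$shell_path" "$(check_shell "$shell_path")"
    done
}

audit
```

Any line reporting VULNERABLE names a binary that still needs the vendor patch, whatever the login shell in /etc/passwd says.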

mithrandir
02-10-2014, 11:16 PM
Here we go again - patch, rebuild, reinstall.

More bash patches released Oct 1st. :(

Octane
03-10-2014, 10:57 AM
I was halfway through patching our Solaris 10 fleet and Oracle released a newer patch that also resolved another half-a-dozen CVEs, including 7169. So, the last few days have been pretty much nothing but patching and testing.

I hope to finish off today and then do it again in a few weeks when more patches are released.

H

multiweb
07-10-2014, 12:14 PM
https://www.youtube.com/watch?v=ArEOVHQu9nk