US-CERT - Bourne Again Shell (Bash) Remote Code Execution Vulnerability

gary · #1 25-09-2014, 04:26 PM

US-CERT has posted a warning of an exploit affecting the use of the Bash shell.

See https://www.us-cert.gov/ncas/current...-Vulnerability

See http://www.smh.com.au/it-pro/securit...25-10ltx1.html

Linux, UNIX and Mac OS X users should upload fixes for their respective
operating systems.

At the time of posting, Apple have yet to make an announcement nor provide a fix.

Fixes are now available for all major Linux distributions.

RickS (Rick) · #2 25-09-2014, 04:40 PM

Thanks for the heads up, Gary!

lazjen (Chris) · #3 25-09-2014, 04:49 PM

Note that the first round of patches may not fully solve the problem -allegedly. There's probably going to be another round to come sometime.

mithrandir (Andrew) · #4 26-09-2014, 09:28 AM

Interesting. I only got my US-CERT notification this morning.

Picked up the bash-018 patch (the relevant one for me) last night and recompiled.

Cygwin doesn't seem to have released an updated bash yet.

Octane (Humayun) · #5 26-09-2014, 11:40 AM

Oracle's had a placeholder for the CVE since yesterday afternoon. I've been put in charge of patching our systems here; 54 of which are under my direct jurisdiction. Argh!

H

multiweb (Marc) · #6 26-09-2014, 01:25 PM

Currently Apple has plenty on their plate with bending not bashing.

mithrandir (Andrew) · #7 26-09-2014, 04:02 PM

Quote:

Originally Posted by multiweb

Currently Apple has plenty on their plate with bending not bashing.

Groan

mithrandir (Andrew) · #8 26-09-2014, 04:13 PM

From SANS a few hours ago. While he says LINUX, it should say any system using the bash shell.

Quote:

SANS FLASH REPORT: The Shellshock vulnerability: What you should do now.

September 25, 2014

Shellshock merits this FLASH report because it is so widespread and so easy to exploit on systems like your firewalls and web servers and other similarly important servers running LINUX.

Johannes Ullrich, Director of SANS Internet Storm Center just updated a brief webcast to provide authoritative answers to the five questions we are being asked:
1. How important is Shellshock (which specific types of systems can actually be exploited now)?
2. What is the primary way that this vulnerability is being exploited?
3. What went wrong? Where did the vulnerability come from?
4. How can you find out which of your systems are vulnerable? and How easy it is for attackers to find the vulnerable systems on your network?
5. How can you protect yourself?

You can see the slides and listen to his briefing at: https://isc.sans.edu/forums/diary/We...rability/18709

Storm Center has also posted a FAQ which is being updated as new data is found: https://isc.sans.edu/forums/diary/Up...llshock+/18707

Alan Paller, Director of Research, SANS institute apaller at sans.org

GeoffW1 (Geoff) · #9 27-09-2014, 06:10 PM

Quote:

Originally Posted by multiweb

Currently Apple has plenty on their plate with bending not bashing.

gary · #10 29-09-2014, 02:23 PM

Another article on the bash exploit in today's Sydney Morning Herald :-
http://www.smh.com.au/it-pro/securit...29-10nerp.html

The link Andrew provided contains a test (see snippet below) :-
https://isc.sans.edu/forums/diary/Up...llshock+/18707

Code:

The US-CERT's advisory includes a simple command line script that bash
users can run to test for the vulnerability. To check your system
from a command line, type or cut and paste this text:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable 
 this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt 
 bash: error importing function definition for `x' 
 this is a test

multiweb (Marc) · #11 29-09-2014, 02:27 PM

Quote:

Originally Posted by gary

Another article on the bash exploit in today's Sydney Morning Herald :-
http://www.smh.com.au/it-pro/securit...29-10nerp.html

The link Andrew provided contains a test :-
https://isc.sans.edu/forums/diary/Up...llshock+/18707

Code:

The US-CERT's advisory includes a simple command line script that bash
users can run to test for the vulnerability. To check your system
from a command line, type or cut and paste this text:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable 
 this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt 
 bash: error importing function definition for `x' 
 this is a test

Thanks for that Gary. Doesn't seem to affect FreeBSD.

RickS (Rick) · #12 29-09-2014, 02:38 PM

We had an exciting weekend testing new firmware releases. Fortunately, it's mostly automated.

Cheers,
Rick.

Octane (Humayun) · #13 29-09-2014, 03:01 PM

I've been patching today.

What a sneaky little bugger.

H

mithrandir (Andrew) · #14 29-09-2014, 03:04 PM

Quote:

Originally Posted by multiweb

Thanks for that Gary. Doesn't seem to affect FreeBSD.

Could be, but does FreeBSD use bash by default, or some other shell?

Some *nixes provide bash but it is not the default shell. That includes a couple of Linux versions. What is the shell field in:

grep $USER /etc/passwd

I got used to typing (or putting in profile scripts):

which bash && exec bash -l

Quote:

Originally Posted by Octane

I've been patching today.

What a sneaky little bugger.

Enjoy H. You'll get to do it again in a few days, maybe weeks, when they work out the fix for CVE-2014-7169
I see that a couple more patches were released over the weekend. I've installed and these protect against the 7169 test:

env X='() { (a)=>\' bash -c "echo date";

multiweb (Marc) · #15 29-09-2014, 03:53 PM

Quote:

Originally Posted by mithrandir

Could be, but does FreeBSD use bash by default, or some other shell?

right... csh so C shell?

mithrandir (Andrew) · #16 29-09-2014, 04:10 PM

Quote:

Originally Posted by multiweb

right... csh so C shell?

Yep. csh == "C Shell". There's also tcsh - a somewhat smarter version of csh. One might be a symlink to the other.

My Linux has a choice of:

/bin/ash*
/bin/bash*
/bin/csh -> tcsh*
/bin/ksh*
/bin/rksh -> ksh*
/bin/sh -> bash*
/bin/tcsh*
/bin/zsh*

lazjen (Chris) · #17 29-09-2014, 05:04 PM

Be careful - even if your defaults aren't bash, if you've got bash installed, some other parts may use bash anyway.

mithrandir (Andrew) · #18 02-10-2014, 11:16 PM

Here we go again - patch, rebuild, reinstall.

More bash patches released Oct 1st.

Octane (Humayun) · #19 03-10-2014, 10:57 AM

I was halfway through patching our Solaris 10 fleet and Oracle released a newer patch that also resolved another half-a-dozen CVEs, including 7169. So, the last few days have been pretty much nothing but patching and testing.

I hope to finish off today and then do it again in a few weeks when more patches are released.

H

multiweb (Marc) · #20 07-10-2014, 12:14 PM

Click here to load the video