critical Bash security issues CVE-2014-6271 / CVE-2014-7169

This forum is dedicated to testing early releases and cauldron : Howtos, tips, tricks and user global feedback and thoughts...

Helpful tip :
For bugs tracking we use : https://bugs.mageia.org = The Mageia Bug Tracker
In this bug tracker you'll find already reported bugs and you'll be able to report those you have found....

critical Bash security issues CVE-2014-6271 / CVE-2014-7169

Postby pete910 » Sep 25th, '14, 01:41

That was quick guys, was just reading about the Bash exploit that was found yesterday, whilst reading it got an update for bash! :shock:

Truly are wizards. (See what I did there :roll: )

"tips hat" 8-)
Last edited by doktor5000 on Sep 26th, '14, 10:35, edited 2 times in total.
Reason: adjusted thread title
User avatar
pete910
 
Posts: 357
Joined: Jan 8th, '12, 18:53

The bash software bug

Postby nigelc » Sep 25th, '14, 08:13

Hello,
This came from the guardian paper.

Code: Select all
env x='() { :;}; echo vulnerable' bash -c 'echo hello'


So it would appear that this system has the bug.
Code: Select all
if you are vulnerable, you get back:
vulnerable
hello
nigelc
 
Posts: 203
Joined: Aug 28th, '11, 09:35

Re: The bash software bug

Postby doktor5000 » Sep 25th, '14, 08:19

Seems you haven't done your updates or you're using a mirror that syncs slowly: viewtopic.php?f=5&t=8487

Code: Select all
[doktor5000@Mageia4 ~]$ LC_ALL=C env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: The bash software bug

Postby nigelc » Sep 25th, '14, 08:27

Doktor5000,
Shall I wait until tomorrow and see if the mirror syncs.
Cheers
nigelc
 
Posts: 203
Joined: Aug 28th, '11, 09:35

Re: The bash software bug

Postby nigelc » Sep 25th, '14, 08:35

Well, it's just arrived.
The data has to come half way around the world.

Code: Select all
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello


cheers.
Last edited by doktor5000 on Sep 25th, '14, 12:20, edited 1 time in total.
Reason: fixed code tags
nigelc
 
Posts: 203
Joined: Aug 28th, '11, 09:35

Re: The bash software bug

Postby viking60 » Sep 25th, '14, 11:10

Yup Mageia is patched together with other reliable server distros like Centos and Debian.
Arch and Manjaro or OpenMandriva are not patched yet.
(It really makes good sense to update as fast as possible now)

Good show!
Image Flexibility is good and inxi is good... install both!
User avatar
viking60
 
Posts: 255
Joined: Mar 19th, '11, 22:26

Re: WOW, Bash update!

Postby doktor5000 » Sep 25th, '14, 12:22

For the sake of clarity, I've merged the two threads together, and made it an announcement as that bash vulnerability affects quite a lot of stuff.

This was our bug report: https://bugs.mageia.org/show_bug.cgi?id=14167
This is our advisory: http://advisories.mageia.org/MGASA-2014-0388.html (this holds some more links)
This is a good explanation of the vulnerability and affected areas: https://securityblog.redhat.com/2014/09 ... on-attack/
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby wintpe » Sep 25th, '14, 12:39

the bash vulnerability does not just affect mageia: redhat, centos, Solaris, HP-UX, AIX and cygwin just to name a few.

Im not sure it effects any mini-unix's, like android, or mimeburg or WRT as they run busybox.

but many other blackbox appliances that run on intel like HW, may well also be effected, for example firewalls
corperate virus scanners, spam filters, etc.

regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however its realy not my intention to offend, so accept my apologies in advance.
wintpe
 
Posts: 1203
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 25th, '14, 12:56

wintpe wrote:the bash vulnerability does not just affect mageia: redhat, centos, Solaris, HP-UX, AIX and cygwin just to name a few.


doktor5000 wrote:This is a good explanation of the vulnerability and affected areas: https://securityblog.redhat.com/2014/09 ... on-attack/

It's quite an interesting read, what stuff is affected subsequently ;)
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 25th, '14, 13:29

FWIW, the upstream patch is not complete, see https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c27 and https://access.redhat.com/security/cve/CVE-2014-7169

For interim mitigation, see https://access.redhat.com/articles/1200223 (scroll down to the section "I heard that the patch for CVE-2014-6271 is incomplete. How can I mitigate this issue?")
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby viking60 » Sep 25th, '14, 13:35

Everything that uses bash (including zsh) is affected; that includes Mac OSX and potentially your refrigerator, router and surveillance camera and..so on.
Tesla has smartphone Apps to unlock the car or sound the alarm and has open ports for SSH and X11 ... that could be a lot of fun there...
http://beta.slashdot.org/story/200333

The "Internet of things" is mostly Linux driven and therefore bash driven.
Last edited by viking60 on Sep 25th, '14, 13:46, edited 1 time in total.
Image Flexibility is good and inxi is good... install both!
User avatar
viking60
 
Posts: 255
Joined: Mar 19th, '11, 22:26

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 25th, '14, 13:44

viking60 wrote:The "Internet of things" is mostly Linux driven and therefore bash driven.

Well, the IOT is probably more busybox-driven then anything else, so not directly bash, but ash ...
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby viking60 » Sep 25th, '14, 14:02

doktor5000 wrote:Well, the IOT is probably more busybox-driven then anything else, so not directly bash, but ash ...


Yes True - but I assume that Ashe will handle variables in the same way?
Image Flexibility is good and inxi is good... install both!
User avatar
viking60
 
Posts: 255
Joined: Mar 19th, '11, 22:26

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 25th, '14, 14:34

wintpe wrote:OK duplicate, i just cant delete it, sorry

No problem, I can 8-)
See viewtopic.php?p=51660#p51660 for that information
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 25th, '14, 21:29

Interesting proof of concept for this bash bug resulting in DoS: http://www.troyhunt.com/2014/09/everyth ... about.html
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby pete910 » Sep 26th, '14, 01:40

doktor5000 wrote:Interesting proof of concept for this bash bug resulting in DoS: http://www.troyhunt.com/2014/09/everyth ... about.html

Good read Dok! cheers for link.

Checked my server running ClearOs(cent os) and that's been patched too.
User avatar
pete910
 
Posts: 357
Joined: Jan 8th, '12, 18:53

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 26th, '14, 08:49

doktor5000 wrote:FWIW, the upstream patch is not complete, see https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c27 and https://access.redhat.com/security/cve/CVE-2014-7169

For interim mitigation, see https://access.redhat.com/articles/1200223 (scroll down to the section "I heard that the patch for CVE-2014-6271 is incomplete. How can I mitigate this issue?")
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 26th, '14, 10:32

bugreport for CVE-2014-7169: https://bugs.mageia.org/show_bug.cgi?id=14169
Although it seems that bash upstream says the issue is still not completely fixed ...
From irc://irc.freenode.net/#bash
The backslash bug <https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23> is NOT officially patched yet. No, we don't have a timeline.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Sep 26th, '14, 13:49

Some quite good links on the shellshock / backslash bugs: http://mywiki.wooledge.org/BashFAQ/111
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby n00biest » Sep 27th, '14, 16:02

this is a hokuspocus that shows the vulnerability is always there

env var='() {(a)=>\' bash -c "echo date"; cat echo

if the date is shown (and it is) then it's still vulnerable.

what will we have to do when it's over ?
Change psswrd ? reinstall Mageia ?
User avatar
n00biest
 
Posts: 100
Joined: May 2nd, '12, 19:16
Location: PARIS !

Re: WOW, Bash update for critical security issue CVE-2014-62

Postby doktor5000 » Sep 27th, '14, 16:33

Please next time first read, and try to understand what's written. This is no hocuspocus, it just shows that you don't have a fix for the so-called backslash bug CVE-2014-7169

Just a few posts up:
doktor5000 wrote:bugreport for CVE-2014-7169: https://bugs.mageia.org/show_bug.cgi?id=14169
Although it seems that bash upstream says the issue is still not completely fixed ...
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby n00biest » Sep 27th, '14, 18:57

yeah : that's what i was saying.
User avatar
n00biest
 
Posts: 100
Joined: May 2nd, '12, 19:16
Location: PARIS !

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Sep 27th, '14, 19:24

Nope, at least your post and mine say totally different things. So what you want to say and what you post may be totally different ...
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby viking60 » Sep 28th, '14, 00:21

Without going into semantics :mrgreen:
Both of you are making the point that the patch did leave a vulnerability.

The disagrement seems to be about the hocus pocus. That code seems to show that the vulnerability still exists so that is no hocus pocus according to the Doctor, If I understand him correctly (I rarly do, and when it happens I mostly disagree :D ).

I must have misunderstood him here, because I agree :shock:
Shellshocker.net uses pretty much the same test.
Image Flexibility is good and inxi is good... install both!
User avatar
viking60
 
Posts: 255
Joined: Mar 19th, '11, 22:26

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Sep 28th, '14, 01:36

Seems nobody reads all the information, everybody just jumps on the next hype train. OMG everybody is after shellshock, that must be the next best thing ...

All of you should be aware that there are 2 vulnerabilities.
* CVE-2014-6271, now known as "shellshock" which should already be fixed for most major distros, including Mageia ( https://bugs.mageia.org/show_bug.cgi?id=14167 )

* CVE-2014-7169, now known as "backslash bug", which is not yet fixed completely and still under discussion, see e.g. http://www.openwall.com/lists/oss-security/2014/09/26/8
( and the Mageia bugreport: https://bugs.mageia.org/show_bug.cgi?id=14169 ) It is not that critical, and it was decided to better not rush for an incomplete fix.

If you test for backslash, and expect the result for shellshock, you're doing something wrong. If you just take some random test from some random website, and don't even ask or try to see what it does, and blindly try to run it ... who can blame the authors when it's run in a totally different context with a different purpose?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16072
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Next

Return to Testing : Alpha, Beta, RC and Cauldron

Who is online

Users browsing this forum: Bing [Bot] and 1 guest

cron