Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Sep 28th, '14, 04:08
by viking60
Exploit 1 (CVE-2014-6271)
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169)

Code:
env var='() {(a)=>\' bash -c "echo date"; cat echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.

Exploit 3 (???)

Here is another variation of the exploit.

Code:
env -i X=' () { }; echo hello' bash -c 'date'

It is bad if this produces "hello"

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Sep 28th, '14, 10:12
by doktor5000
viking60 wrote: Exploit 3 (???)

Here is another variation of the exploit.

Code:
env -i X=' () { }; echo hello' bash -c 'date'

It is bad if this produces "hello"

That's just a variation of 1, something in the variable definition for X is interpreted ...

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Sep 29th, '14, 16:47
by pete910
Received another update to bash, as well as a couple of others, states it has now been fixed

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 1st, '14, 13:14
by claire
Further bash updates were pushed this morning covering other related CVEs
http://advisories.mageia.org/MGASA-2014-0394.html

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 1st, '14, 13:20
by pete910
Cheers for the update Claire.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 1st, '14, 18:20
by doktor5000
If anybody else wants to check, here's how to do it using https://github.com/hannob/bashcheck

Code:
[doktor5000@Mageia4 ~]$ wget https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck -O bashcheck.sh && chmod +x bashcheck.sh
--2014-10-01 18:18:45--  https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1375 (1.3K) [text/plain]
Saving to: 'bashcheck.sh'

100%[==============================================================================================================================>] 1,375       --.-K/s   in 0s     

2014-10-01 18:18:45 (49.2 MB/s) - 'bashcheck.sh' saved [1375/1375]


[doktor5000@Mageia4 ~]$ ./bashcheck.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)

Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
[doktor5000@Mageia4 ~]$

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 1st, '14, 20:50
by dbg
This is what I got running that test. This is after the MGASA-2014-0394 update and rebooting. Using Mageia 3:

Code:
[dennis@noob ~]$ ./bashcheck.sh
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-mageia-linux-gnu)

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
./bashcheck.sh: line 42: 10722 Segmentation fault      $bash -c "f(){ x(){ _;};x(){ _;}<<a;}"
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Variable function parser inactive, likely safe from unknown parser bugs
[dennis@noob ~]$


Did the last update not fix CVE-2014-6277 or is there a problem with this bashcheck.sh program?

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 1st, '14, 21:10
by doktor5000
The author added two more CVEs in the last few hours:
https://github.com/hannob/bashcheck/com ... /bashcheck

This is what I got just now, on Mageia 4:
[doktor5000@Mageia4 ~]$ ./bashcheck.sh
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(1)-release (x86_64-mageia-linux-gnu)

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Vulnerable to CVE-2014-6278 (lcamtuf bug #2) [prefix/%%-suffix]

Variable function parser inactive, likely safe from unknown parser bugs


So seems those two issues are not fixed yet. I've reopened https://bugs.mageia.org/show_bug.cgi?id=14193

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 1st, '14, 21:56
by dbg
With the new bashcheck.sh I get the same result using MGA3.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 1st, '14, 22:18
by doktor5000
Read the last 3 comments on the bugreports. Yes those vulnerabilities exist (and maybe more will be found in the next days/weeks)
but due to the recently pushed security updates they're not exploitable. A final update for those will be pushed once upstream has fixed those properly ...


For more background information, you may want to check http://seclists.org/fulldisclosure/2014/Oct/9

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 7th, '14, 09:54
by jiml8
I am presently on a motorcycle tour in Romania. I just became aware of this issue, and as a consequence at the present time I am upgrading my workstation, working remotely of course. Does anyone know if dd-wrt is affected by this? My router is dd-wrt and it faces the Internet.

I am working on my mobile device, and while I can search the internet and participate in message boards using it, it is very tedious, which is why I'm asking the question here.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 7th, '14, 14:39
by pete910
jiml8 wrote: I am presently on a motorcycle tour in Romania. I just became aware of this issue, and as a consequence at the present time I am upgrading my workstation, working remotely of course. Does anyone know if dd-wrt is affected by this? My router is dd-wrt and it faces the Internet.

I am working on my mobile device, and while I can search the internet and participate in message boards using it, it is very tedious, which is why I'm asking the question here.


Not by the looks of it.

See here: http://stevejenkins.com/blog/2014/09/is-dd-wrt-vulnerable-to-the-shellshock-bash-bug/

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 7th, '14, 19:20
by jiml8
Thanks. Or should I say...multumesc.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 9th, '14, 18:55
by crandy2
I guess I'm missing something. I have a Mageia 4, 64 bit install, and so far have gotten no updates or fixes whatsoever. The version I have is 4.2.45.6, which appears to be out of date. I'm in the US and use dacentec mirror.

Are we supposed to get the fixes for this through the normal update process?

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 9th, '14, 20:25
by jkerr82508
What is the result of
Code:
urpmq --sources bash
and
Code:
urpmq --list-media active
Jim

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 9th, '14, 21:45
by crandy2
jkerr82508 wrote: What is the result of
Code:
urpmq --sources bash
and
Code:
urpmq --list-media active
Jim


Code:
[root@localhost randy]# urpmq --sources bash
http://mirror.dacentec.com/mageia/distrib/4/x86_64/media/core/release/bash-4.2-45.6.mga4.x86_64.rpm
[root@localhost randy]# urpmq --list-media active
chrome_x86_64
Core Release
Core Updates
Core Updates Testing
Core Backports
Core Backports Testing
Nonfree Release
Nonfree Updates
Nonfree Backports
Tainted Release
Tainted Updates
Tainted Backports
Core 32bit Release
Core 32bit Updates
Core 32bit Backports
Nonfree 32bit Release
Nonfree 32bit Updates
Nonfree 32bit Backports
Tainted 32bit Release
Tainted 32bit Updates
Tainted 32bit Backports
google-chrome

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 9th, '14, 22:09
by pete910
That's only showing release repo,

here's the output of same command on mine

Code:
urpmq --sources bash
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/release/bash-4.2-45.6.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-48.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-49.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-50.2.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-53.1.mga4.x86_64.rpm


You seem to have the correct repos added. Are you using the one fixed mirror for all ?
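
The comparison made by eye in the post above (does `urpmq --sources bash` list any build from an updates media, or only the release build?) can be scripted. This is an added example, not part of the original posts; the function names are hypothetical and the sample input is copied from the two outputs quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Input: the URL list printed by
# `urpmq --sources bash` (one URL per line), as shown in the posts above.

# Constructed sample input, copied from the two outputs quoted in this thread.
stale_output='http://mirror.dacentec.com/mageia/distrib/4/x86_64/media/core/release/bash-4.2-45.6.mga4.x86_64.rpm'
base='ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core'
synced_output="$base/release/bash-4.2-45.6.mga4.x86_64.rpm
$base/updates/bash-4.2-48.1.mga4.x86_64.rpm
$base/updates/bash-4.2-49.1.mga4.x86_64.rpm
$base/updates/bash-4.2-50.2.mga4.x86_64.rpm
$base/updates/bash-4.2-53.1.mga4.x86_64.rpm"

# Print "<media-dir> <package-file>" for every .rpm URL on stdin,
# e.g. "updates bash-4.2-53.1.mga4.x86_64.rpm".
list_builds() {
    awk -F/ '/\.rpm$/ { print $(NF-1), $NF }'
}

# Print the highest build offered from an "updates" media, or nothing.
# sort -V (GNU version sort) approximates RPM ordering; good enough for
# builds of one package that differ only in the release number.
newest_update() {
    list_builds | awk '$1 == "updates" { print $2 }' | sort -V | tail -n 1
}

# Verdict for the URL list on stdin.
mirror_verdict() {
    newest=$(newest_update)
    if [ -n "$newest" ]; then
        echo "updates-visible $newest"
    else
        # Only release builds are listed: either the updates media is
        # disabled or the mirror is stale, so no security fix is visible.
        echo "release-only"
    fi
}

# Convenience wrapper: check_mirror "<urpmq output>"
check_mirror() {
    printf '%s\n' "$1" | mirror_verdict
}

echo "dacentec:      $(check_mirror "$stale_output")"
echo "mirrorservice: $(check_mirror "$synced_output")"
# Live use on a Mageia host: urpmq --sources bash | mirror_verdict
```

A `release-only` verdict with the updates media enabled, as in crandy2's output, points at the mirror rather than at the local configuration.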

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 9th, '14, 22:49
by crandy2
pete910 wrote: That's only showing release repo,

here's the output of same command on mine

Code:
urpmq --sources bash
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/release/bash-4.2-45.6.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-48.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-49.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-50.2.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-53.1.mga4.x86_64.rpm


You seem to have the correct repos added. Are you using the one fixed mirror for all ?


Yes. What should I be doing?

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 9th, '14, 22:51
by jkerr82508
The mirror that you are using, dacentec, is hopelessly out of date.
http://mirrors.mageia.org/status
Delete all your sources, except google-chrome, and add an alternative mirror.
(kernel.org is often recommended for North American users)
http://doc.mageia.org/mcc/4/en/content/ ... tml#d4e265

Jim

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 10th, '14, 17:31
by crandy2
jkerr82508 wrote: The mirror that you are using, dacentec, is hopelessly out of date.
http://mirrors.mageia.org/status
Delete all your sources, except google-chrome, and add an alternative mirror.
(kernel.org is often recommended for North American users)
http://doc.mageia.org/mcc/4/en/content/ ... tml#d4e265

Jim



Thank you, that did it.

I had 107 packages to update after switching to kernel.org. That dacentec mirror should be pulled or something.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 21st, '14, 14:32
by n00biest
So now that it's over, that we get rid of it, definitely, what should we do first: reset all passwords in a hurry, or reinstall Mageia once for all?

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 21st, '14, 21:53
by doktor5000
You should at least reinstall 5 times and wipe the harddisk with alternating patterns at least 7 times between each installation.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Posted: Oct 22nd, '14, 02:28
by pete910
doktor5000 wrote: You should at least reinstall 5 times and wipe the harddisk with alternating patterns at least 7 times between each installation.



That made me giggle :D