
critical Bash security issues CVE-2014-6271 / CVE-2014-7169

PostPosted: Sep 25th, '14, 01:41
by pete910
That was quick guys, was just reading about the Bash exploit that was found yesterday, whilst reading it got an update for bash! :shock:

Truly are wizards. (See what I did there :roll: )

"tips hat" 8-)

The bash software bug

PostPosted: Sep 25th, '14, 08:13
by nigelc
Hello,
This came from the guardian paper.

Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'


So it would appear that this system has the bug.
Code:
if you are vulnerable, you get back:
vulnerable
hello

Re: The bash software bug

PostPosted: Sep 25th, '14, 08:19
by doktor5000
Seems you haven't done your updates or you're using a mirror that syncs slowly: viewtopic.php?f=5&t=8487

Code:
[doktor5000@Mageia4 ~]$ LC_ALL=C env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

Re: The bash software bug

PostPosted: Sep 25th, '14, 08:27
by nigelc
Doktor5000,
Shall I wait until tomorrow and see if the mirror syncs?
Cheers

Re: The bash software bug

PostPosted: Sep 25th, '14, 08:35
by nigelc
Well, it's just arrived.
The data has to come half way around the world.

Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello


cheers.

Re: The bash software bug

PostPosted: Sep 25th, '14, 11:10
by viking60
Yup Mageia is patched together with other reliable server distros like Centos and Debian.
Arch and Manjaro or OpenMandriva are not patched yet.
(It really makes good sense to update as fast as possible now)

Good show!

Re: WOW, Bash update!

PostPosted: Sep 25th, '14, 12:22
by doktor5000
For the sake of clarity, I've merged the two threads together, and made it an announcement as that bash vulnerability affects quite a lot of stuff.

This was our bug report: https://bugs.mageia.org/show_bug.cgi?id=14167
This is our advisory: http://advisories.mageia.org/MGASA-2014-0388.html (this holds some more links)
This is a good explanation of the vulnerability and affected areas: https://securityblog.redhat.com/2014/09 ... on-attack/

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 12:39
by wintpe
the bash vulnerability does not just affect mageia: redhat, centos, Solaris, HP-UX, AIX and cygwin just to name a few.

I'm not sure it affects any mini-unixes, like android, or mimeburg or WRT as they run busybox.

but many other blackbox appliances that run on intel like HW, may well also be affected, for example firewalls,
corporate virus scanners, spam filters, etc.

regards peter

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 12:56
by doktor5000
wintpe wrote:the bash vulnerability does not just affect mageia: redhat, centos, Solaris, HP-UX, AIX and cygwin just to name a few.


doktor5000 wrote:This is a good explanation of the vulnerability and affected areas: https://securityblog.redhat.com/2014/09 ... on-attack/

It's quite an interesting read, what stuff is affected subsequently ;)

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 13:29
by doktor5000
FWIW, the upstream patch is not complete, see https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c27 and https://access.redhat.com/security/cve/CVE-2014-7169

For interim mitigation, see https://access.redhat.com/articles/1200223 (scroll down to the section "I heard that the patch for CVE-2014-6271 is incomplete. How can I mitigate this issue?")

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 13:35
by viking60
Everything that uses bash (including zsh) is affected; that includes Mac OSX and potentially your refrigerator, router and surveillance camera and..so on.
Tesla has smartphone Apps to unlock the car or sound the alarm and has open ports for SSH and X11 ... that could be a lot of fun there...
http://beta.slashdot.org/story/200333

The "Internet of things" is mostly Linux driven and therefore bash driven.

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 13:44
by doktor5000
viking60 wrote:The "Internet of things" is mostly Linux driven and therefore bash driven.

Well, the IOT is probably more busybox-driven than anything else, so not directly bash, but ash ...

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 14:02
by viking60
doktor5000 wrote:Well, the IOT is probably more busybox-driven than anything else, so not directly bash, but ash ...


Yes True - but I assume that ash will handle variables in the same way?

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 14:34
by doktor5000
wintpe wrote:OK duplicate, I just can't delete it, sorry

No problem, I can 8-)
See viewtopic.php?p=51660#p51660 for that information

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 25th, '14, 21:29
by doktor5000
Interesting proof of concept for this bash bug resulting in DoS: http://www.troyhunt.com/2014/09/everyth ... about.html

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 26th, '14, 01:40
by pete910
doktor5000 wrote:Interesting proof of concept for this bash bug resulting in DoS: http://www.troyhunt.com/2014/09/everyth ... about.html

Good read Dok! cheers for link.

Checked my server running ClearOs(cent os) and that's been patched too.

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 26th, '14, 08:49
by doktor5000
doktor5000 wrote:FWIW, the upstream patch is not complete, see https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c27 and https://access.redhat.com/security/cve/CVE-2014-7169

For interim mitigation, see https://access.redhat.com/articles/1200223 (scroll down to the section "I heard that the patch for CVE-2014-6271 is incomplete. How can I mitigate this issue?")

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 26th, '14, 10:32
by doktor5000
bugreport for CVE-2014-7169: https://bugs.mageia.org/show_bug.cgi?id=14169
Although it seems that bash upstream says the issue is still not completely fixed ...
From irc://irc.freenode.net/#bash
The backslash bug <https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23> is NOT officially patched yet. No, we don't have a timeline.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

PostPosted: Sep 26th, '14, 13:49
by doktor5000
Some quite good links on the shellshock / backslash bugs: http://mywiki.wooledge.org/BashFAQ/111

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

PostPosted: Sep 27th, '14, 16:02
by n00biest
this is a hocus-pocus that shows the vulnerability is always there

env var='() {(a)=>\' bash -c "echo date"; cat echo

if the date is shown (and it is) then it's still vulnerable.

what will we have to do when it's over?
Change password? reinstall Mageia?

Re: WOW, Bash update for critical security issue CVE-2014-62

PostPosted: Sep 27th, '14, 16:33
by doktor5000
Please next time first read, and try to understand what's written. This is no hocuspocus, it just shows that you don't have a fix for the so-called backslash bug CVE-2014-7169

Just a few posts up:
doktor5000 wrote:bugreport for CVE-2014-7169: https://bugs.mageia.org/show_bug.cgi?id=14169
Although it seems that bash upstream says the issue is still not completely fixed ...

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

PostPosted: Sep 27th, '14, 18:57
by n00biest
Yeah: that's what I was saying.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

PostPosted: Sep 27th, '14, 19:24
by doktor5000
Nope, at least your post and mine say totally different things. So what you want to say and what you post may be totally different ...

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

PostPosted: Sep 28th, '14, 00:21
by viking60
Without going into semantics :mrgreen:
Both of you are making the point that the patch did leave a vulnerability.

The disagreement seems to be about the hocus pocus. That code seems to show that the vulnerability still exists so that is no hocus pocus according to the Doctor, if I understand him correctly (I rarely do, and when it happens I mostly disagree :D ).

I must have misunderstood him here, because I agree :shock:
Shellshocker.net uses pretty much the same test.

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

PostPosted: Sep 28th, '14, 01:36
by doktor5000
Seems nobody reads all the information, everybody just jumps on the next hype train. OMG everybody is after shellshock, that must be the next best thing ...

All of you should be aware that there are 2 vulnerabilities.
* CVE-2014-6271, now known as "shellshock" which should already be fixed for most major distros, including Mageia ( https://bugs.mageia.org/show_bug.cgi?id=14167 )

* CVE-2014-7169, now known as "backslash bug", which is not yet fixed completely and still under discussion, see e.g. http://www.openwall.com/lists/oss-security/2014/09/26/8
( and the Mageia bugreport: https://bugs.mageia.org/show_bug.cgi?id=14169 ) It is not that critical, and it was decided to better not rush for an incomplete fix.

If you test for backslash, and expect the result for shellshock, you're doing something wrong. If you just take some random test from some random website, and don't even ask or try to see what it does, and blindly try to run it ... who can blame the authors when it's run in a totally different context with a different purpose?
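
The two tests quoted in this thread look for different signals, so here is an added example (not part of any post above and not Mageia's own tooling) that runs each one separately and labels the result with the CVE it actually probes. The variable name BASH_UNDER_TEST and the function names are assumptions introduced for this sketch.

```shell
#!/bin/sh
# Added example: keep the CVE-2014-6271 and CVE-2014-7169 self-tests apart.
# BASH_UNDER_TEST is a hypothetical variable: path of the bash binary to check.
BASH_UNDER_TEST="${BASH_UNDER_TEST:-bash}"

# CVE-2014-6271 ("shellshock"): the signal is the word "vulnerable" on stdout,
# printed because bash ran the text that follows the function body in x.
classify_6271() {   # $1 = captured stdout of the test command
    case "$1" in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE" ;;
        *hello*)      echo "CVE-2014-6271: not vulnerable" ;;
        *)            echo "CVE-2014-6271: inconclusive" ;;
    esac
}

check_6271() {
    # stderr is dropped: a patched bash may print import warnings there.
    out_6271=$(env x='() { :;}; echo vulnerable' \
        "$BASH_UNDER_TEST" -c 'echo hello' 2>/dev/null) || true
    classify_6271 "$out_6271"
}

# CVE-2014-7169 ("backslash bug"): nothing telling is printed. A vulnerable
# bash ends up running `date > echo`, so the signal is a file named "echo"
# in the working directory. Run it in a scratch directory and look for it.
check_7169() {
    dir_7169=$(mktemp -d) || return 2
    ( cd "$dir_7169" && env var='() {(a)=>\' \
        "$BASH_UNDER_TEST" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir_7169/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$dir_7169"
}

check_6271
check_7169
```

A system can report "not vulnerable" for the first line and "VULNERABLE" for the second, which is the state described in the post above for a bash that has only the CVE-2014-6271 fix.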