CodingJungle Posted September 25, 2014

http://www.theverge.com/2014/9/24/6840697/worse-than-heartbleed-todays-bash-bug-could-be-breaking-security-for
http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271/146851#146851
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

A recently uncovered bug found in the bash shell (command line/terminal) affects any of the Unix-like OSes that run the bash shell; this includes most Linux distros, Mac OS X, *BSD, and possibly others like Solaris. If it uses the bash shell, execute the following command in ssh/terminal/cli:

    env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If the output is like this:

    vulnerable
    hello

your bash shell has this "bug". If the output however looks like this:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    hello

you do not have it.

I can personally verify that Ubuntu 14.04 LTS has a bash update. If you have root privileges you can execute the following commands to install it:

    sudo apt-get update
    sudo apt-get install bash

or

    sudo apt-get upgrade

^this command will upgrade all the available software; only do this if you are certain it will not break anything for you.

If you run any other *nix variant, you will need to consult your distro's community to find out if there is a fix for it already and/or how to update it. There is a fix listed in the second link for Mac users.

This affects all Unix-like OSes that run the bash shell, including desktop and server OSes. If you are on a shared/managed VPS/dedicated server they should be rolling out a bash update; I would still consider contacting them about this, as they might not be aware of it.
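The probe in the post above is easy to run by hand on one box but awkward to repeat across a fleet, because the signal is the presence or absence of one word among mixed stdout/stderr output. The script below is an added example, not code from the thread or from Invision Community: it wraps the same `env x='() { :;}; echo vulnerable' bash -c 'echo hello'` probe in a POSIX sh checker that captures both streams, classifies the result, reports the installed bash version (useful for matching against a distro advisory after `apt-get install bash` or `yum update bash`), and exits non-zero when the shell is still affected. It assumes only that a `bash` binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a repeatable checker around the probe
# posted above. Assumes a `bash` binary on PATH; everything else is POSIX sh.

# Classify the combined stdout+stderr text of the probe.
# An affected bash runs the trailing `echo vulnerable` while importing the
# function from the environment, so "vulnerable" appears in the output.
# A patched bash refuses the import (warning on stderr) and only prints "hello".
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Run the probe exactly as posted in the thread, merging stderr into stdout so
# the warnings a patched bash emits are kept for the report.
run_probe() {
    env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>&1
}

# Report the installed bash version so the result can be matched against the
# distro's advisory after an update.
bash_version() {
    bash -c 'echo "$BASH_VERSION"'
}

# Print "bash <version>: <status>" and return 0 if patched, 1 if vulnerable,
# 2 if there is no bash on this host (check not applicable).
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no bash on PATH: not applicable"
        return 2
    fi
    probe_out=$(run_probe)
    probe_status=$(classify_probe_output "$probe_out")
    echo "bash $(bash_version): $probe_status"
    [ "$probe_status" = patched ]
}

# Run the check only when invoked as `sh shellshock_check.sh --run`, so the
# file can also be sourced to reuse the functions from another script.
if [ "${1:-}" = "--run" ]; then
    shellshock_check
fi
```

Running it with `--run` prints one line such as `bash 4.3.11(1)-release: patched` (the version shown is a constructed sample) and the exit status can be consumed by whatever configuration-management or monitoring tool you use to sweep hosts. The classification is deliberately based on the captured text rather than on the probe's exit code, because both a patched and an affected bash exit 0 from `echo hello`.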
InvisionHQ Posted September 25, 2014

Thank you, this is a critical security issue... of my 3 servers 2 are affected by this vulnerability. For Red Hat users (/CentOS) this is the command to update the bash:

    yum update bash
Aussie Cable Posted September 25, 2014

Nasty! Now weaponized. Take a look at this: http://eepurl.com/4aJMH

Thanks CodingJungle for the heads up, appreciate it.
RevengeFNF Posted September 25, 2014

    env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    hello
CodingJungle (Author) Posted September 25, 2014

You're safe, you don't have the exploit :)
RevengeFNF Posted September 26, 2014

> You're safe, you don't have the exploit

I received another bash update today.
Dmacleo Posted September 26, 2014

CentOS (so Red Hat) released a patch they knew wasn't fully correct yesterday but was useful to help mitigate issues, and this morning I got another bash update that I believe is the final one needed.

I don't see this as being as bad (potentially) as Heartbleed was, just due to the needs before it could be misused. While many distros use bash, there would have to be a CGI component in use for the problem to be taken advantage of remotely. Of course if someone had access already then it's real bad, but if not using Apache/nginx/whatever to call a CGI then remote wgets are not as disastrous as if you were calling a CGI component. So it's a potentially bad issue that affects a lot more systems than Heartbleed; I don't think it has the overall risk as Heartbleed had. But I could be wrong. Seems there are a lot of people that think this too and there are many others that disagree.

Still, it's good to update as fast as possible to prevent any potential issues. And the maintainer did a decent job backporting for really old versions also. So... problem seen, tests run for a day or so, then notifications sent out. Within hours patches flowing. I call that a pretty good response.
RevengeFNF Posted September 26, 2014

> CentOS (so Red Hat) released a patch they knew wasn't fully correct yesterday but was useful to help mitigate issues, and this morning I got another bash update that I believe is the final one needed.
>
> I don't see this as being as bad (potentially) as Heartbleed was, just due to the needs before it could be misused. While many distros use bash, there would have to be a CGI component in use for the problem to be taken advantage of remotely. Of course if someone had access already then it's real bad, but if not using Apache/nginx/whatever to call a CGI then remote wgets are not as disastrous as if you were calling a CGI component. So it's a potentially bad issue that affects a lot more systems than Heartbleed; I don't think it has the overall risk as Heartbleed had. But I could be wrong. Seems there are a lot of people that think this too and there are many others that disagree.
>
> Still, it's good to update as fast as possible to prevent any potential issues. And the maintainer did a decent job backporting for really old versions also. So... problem seen, tests run for a day or so, then notifications sent out. Within hours patches flowing. I call that a pretty good response.

It was possible for you to take a site down just by using a browser with a modified user agent. So it's a pretty damn dangerous security issue.

removed

Me and you, for example, have updated the bash. But believe me, many people did not...
Rhett Posted September 26, 2014

Let's not post exploit "how to" information on this site please. If needed, you are free to discuss this; however, providing a method is not something we want here. Discussions like this are best left to security sites with server administrators that can provide you cold hard facts and not simply relating hearsay, though. When it comes to security, if you have any questions, please consult with your hosting provider to be safe; they are your best resource of valid information.