Jump to content

bash bug: new vulnerability found


Recommended Posts

Posted

http://www.theverge.com/2014/9/24/6840697/worse-than-heartbleed-todays-bash-bug-could-be-breaking-security-for

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271/146851#146851

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

a recently uncovered bug found in the bash shell (Command line/terminal), affects any of the unix like os's that run the bash shell, this includes most linux distro's, mac os x, *bsd, possible others like solaris, if it uses bash shell, execute the following command in ssh/terminal/cli:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

if the output is like this:

echo vulnerable' bash -c 'echo hello'
vulnerable
hello

your bash shell has this "bug".

if the output however looks like this:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for`x'
hello

you do not have it. I can personally verify that Ubuntu 14.04 LTS has a bash update, if you have root privileges you can execute the following command to install it:

sudo apt-get update

sudo apt-get install bash

or 

sudo apt-get upgrade

^this command will upgrade all the available software, only do this if you are certain it will not break anything for you.

if you run any other *nix variant, you will need to consult your distro's community to find out if their is a fix for it already and/or how to update it.

there is a fix listed in the second link for mac users.

this affects all unix-like OS's that run bash shell, including desktop and server OS's.

if you are on a shared/managed vps/dedicated they should be rolling out a bash update, i would still considering contacting them about this, as they might not be aware of it.

Posted

centos (so redhat) released a patch they knew wasn't fully correct yesterday but was useful to help mitigate issues and this morning I got another bash update that I believe is the final one needed.

I don't see this as being as bad (potentially) as heartbleed was just due to the needs before it could be misused. while many distros use bash there would have to be a cgi component in use for the problem to be taken advantage of remotely. of course if someone had access already then its real bad, but if not using apache/nginx/whatever to call a cgi then remote wgets are not as disastrous as if you were calling a cgi component.

so its a potentially bad issue that affects a lot more systems than heartbleed I don't think it has the overall risk as heartbleed had.

but I could be wrong. seems there are a lot of people that think this too and there are many others that disagree.

still, its good to update as fast as possible to prevent any potential issues.

and the maintainer did decent job backporting for really old versions also.

so...problem seen, tests run for a day or so then notifications sent out. within hours patches flowing.

I call that a pretty good response.

Posted

centos (so redhat) released a patch they knew wasn't fully correct yesterday but was useful to help mitigate issues and this morning I got another bash update that I believe is the final one needed.

I don't see this as being as bad (potentially) as heartbleed was just due to the needs before it could be misused. while many distros use bash there would have to be a cgi component in use for the problem to be taken advantage of remotely. of course if someone had access already then its real bad, but if not using apache/nginx/whatever to call a cgi then remote wgets are not as disastrous as if you were calling a cgi component.

so its a potentially bad issue that affects a lot more systems than heartbleed I don't think it has the overall risk as heartbleed had.

but I could be wrong. seems there are a lot of people that think this too and there are many others that disagree.

still, its good to update as fast as possible to prevent any potential issues.

and the maintainer did decent job backporting for really old versions also.

so...problem seen, tests run for a day or so then notifications sent out. within hours patches flowing.

I call that a pretty good response.

It was possible for you to take a site down just by using a browser with a modified user agent wink.png

So its a pretty damn dangerous security issue.

removed

Me and you for example, have updated the bash. But believe me, many people did not...

Posted

Let's not post exploit "how to" information on this site please, if needed, you are free to discuss this, however providing a method is not something we want here. Discussions like this are best left to security sites with server administrators that can provide you cold hard facts and not simple relating hearsay though.

When it comes to security, if you have any questions, please consult with your hosting provider to be safe, they are your best resource of valid information.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...