ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

Shellshock - Final Fix Released: Time to Re-Patch

Bill Malchisky  September 29 2014 12:17:00 AM
Author's Note: Thank you to the ICS community for their tremendous support of my first Shellshock post. For those that read it early, you received critical information 14-72 hours before many sites released their stories. Several readers were fully patched before big names tweeted the issue. You were well ahead of the curve. Shellshock stories released over the weekend proved outdated and incomplete. This post provides better information faster. I am grateful for your support.


As I mentioned last week, the Shellshock bug is real, but the then available fix handled all exploits but one. Very early on Saturday, 27 September 2014, a patch became available after two days of community scrutiny. Getting patched for this exploit is important to ensure a full complete production-grade solution for the Shellshock bug. Fortunately, the fix for this and two the two additional Bash exploits identified is trivial to apply.


New Exploits Identified

"The original flaw in Bash was assigned CVE-2014-6271. Shortly after that issue went public a researcher found a similar flaw that wasn’t blocked by the first fix and this was assigned CVE-2014-7169. Later, Red Hat Product Security researcher Florian Weimer found additional problems and they were assigned CVE-2014-7186 and CVE-2014-7187. It’s possible that other issues will be found in the future and assigned a CVE designator even if they are blocked by the existing patches." --Via Red Hat's Shellshock FAQ

The excellent work of Florian Weimer at Red Hat in identifying two additional moderate exploits. Because of this, you should see reference to the later exploits if you are using a GUI update tool like Ubuntu's Update Manager (image below). Regardless, follow the respective distro update step provided below to ensure you are protected. Then, test for success.

Red Hat updated their Shellshock Impact Statement for this issue.

Image:Shellshock - Final Fix Released: Time to Re-Patch


Testing for the Initial Remaining Exploit
-- CVE-2014-7169
The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

[malchw@localhost Desktop]$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo


Positive Result

bash: x: line 1: syntax error near unexpected token `='

bash: x: line 1: `'

bash: error importing function definition for `x'

Sun Sep 28 00:03:50 PDT 2014


Negative Result

date

cat: /tmp/echo: No such file or directory


Notations

1. If you are running any Linux appliance, security server, or server application on Linux such as IBM Protector, ensure you test for this exploit
2. Apple Macintosh computers running OS X are in-scope, albeit casual users are a lower risk, power users should take this exploit seriously
3. No reboot is required when updating Bash
4. The fix for CVE-2014-7169 includes fixes for CVE-2014-7186 and CVE-2014-7187 if you updated Bash on or after Saturday, 27 September: indicated with RHSA-2014:1306-1, RHSA-2014:1311-1, and RHSA-2014:1312-1
(Japanese coding fix)
-- RHSA = Red Hat Security Advisory
5. Red Hat just released a Shellshock Vulnerability Detector shell script which you can run instead -- available here
6. The fix for CVE-2014-7169 is Important and should be patched; the two new moderate exploits being addressed is not justification for this type of blog post, just a bonus


Applying the Fix

Some distros released a Bash update early Sunday morning, 28 September. Ubuntu's fix hit my machines at 2:15 am EDT.
Red Hat made the fix available via RHN and all registered systems can download it easily, else you download the file from RHN for manual installation.
The confirmation section below shows you how to ensure you have the correct patch installed, as the fix version management can get confusing.
RHEL: # yum update bash
On my older RHEL 5 box: # rpm -Uvh bash-3.2-33.el5_11.4.i386.rpm
Centos: # yum update bash
Ubuntu: $update-manager -or- $sudo apt-get update

Notations

1. If you receive the message, "No Packages marked for Update", then run # yum clean all && yum bash install
2. If you are still seeing this message and you have not updated bash, pull the latest file from your distro's support site
3. Apple was notified privately by the Bash maintainer several times along with a patch to use: Apple still has not released a fix (as of this post's time-stamp)
4. Hat tip Frank for providing a Mac solution for power users, located here

UPDATES
5. Apple finally released a Bash update for Mavericks, Lion, and Mountain Lion via App Store, as of dinner time, EDT
Hat tip Theo for the patch link
6. IBM released an updated Bash patch for Protector over the weekend, replacing Friday's Bash patch
Hat tip Mathieu for the patch update


Example Output - RHEL 6.5 Client

[root@localhost ~]# yum update bash

Loaded plugins: product-id, refresh-packagekit, rhnplugin, security,

 : subscription-manager

This system is receiving updates from Red Hat Subscription Management.

This system is receiving updates from RHN Classic or RHN Satellite.

rhel-6-desktop-rpms                                      | 3.7 kB     00:00    
rhel-6-desktop-rpms/primary_db                           |  27 MB     01:10    
rhel-x86_64-client-6                                     | 1.8 kB     00:00    
rhel-x86_64-client-6/primary                             |  18 MB     00:19    
rhel-x86_64-client-6                                                10417/10417

Setting up Update Process

Resolving Dependencies

--> Running transaction check

---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated

---> Package bash.x86_64 0:4.1.2-15.el6_5.2 will be an update

--> Finished Dependency Resolution


Dependencies Resolved


================================================================================

Package    Arch         Version                Repository                 Size

================================================================================

Updating:

bash       x86_64       4.1.2-15.el6_5.2       rhel-6-desktop-rpms       905 k


Transaction Summary

================================================================================

Upgrade       1 Package(s)


Total download size: 905 k

Is this ok [y/N]: y

Downloading Packages:

bash-4.1.2-15.el6_5.2.x86_64.rpm                         | 905 kB     00:02    
Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

Updating   : bash-4.1.2-15.el6_5.2.x86_64                                 1/2
Cleanup    : bash-4.1.2-15.el6_4.x86_64                                   2/2
rhel-6-desktop-rpms/productid                            | 1.7 kB     00:00    
Verifying  : bash-4.1.2-15.el6_5.2.x86_64                                 1/2
Verifying  : bash-4.1.2-15.el6_4.x86_64                                   2/2

Updated:

bash.x86_64 0:4.1.2-15.el6_5.2                                                


Complete!



Confirmation of Success

[root@localhost ~]# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

date

cat: /tmp/echo: No such file or directory

[root@localhost tmp]#


On Red Hat based systems, you want to ensure that you have the ".2" release for your respective newer version, as below for my RHEL 6.5 box
[root@localhost tmp]# rpm -qi bash-4.1.2

rpm -qi bash-4.1.2

Name        : bash                         Relocations: (not relocatable)

Version     : 4.1.2                             Vendor: Red Hat, Inc.

Release     : 15.el6_5.2  
                 Build Date: Thu 25 Sep 2014 08:10:26 AM PDT
Install Date: Sun 28 Sep 2014 12:16:27 AM PDT      Build Host: x86-023.build.eng.bos.redhat.com


Results after the first Shellshock Bash release fix -- using my CentOS 6.5 box, which fails the above test (patched after this query).
[bill@localhost tmp]$ rpm -qi bash

Name        : bash                         Relocations: (not relocatable)

Version     : 4.1.2                             Vendor: CentOS

Release     : 15.el6_5.1
                   Build Date: Wed 24 Sep 2014 07:45:54 AM PDT
Install Date: Wed 24 Sep 2014 11:05:39 PM PDT      Build Host: c6b8.bsys.dev.cen


Red Hat Bash Releases with the New Fix (Also Addressing CentOS)

* RHEL 7 - bash-4.2.45-5.el7_0.4
* RHEL 6 - bash-4.1.2-15.el6_5.2
* RHEL 5 - bash-3.2-33.el5_11.4


Additional Mitigation Options

The linked document contains several mitigations if you are waiting for approval to patch, or are unable to patch your servers.
Via Red Hat -- Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169)

Powered by IBM Lotus Domino 8 | Lotus User Group | Get Firefox! | This blog is listed on Planet Lotus   IBM Certified

© 2010 William Malchisky.