ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

 
Bill Malchisky
 

Archives

    Find me here…

  • Skype
  • Bleedyellow via Sametime
  • Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

    Bill Malchisky  September 25 2014 06:00:00 AM
    This is ugly, but fortunately you just have to update to a fixed Bash version and you are fine (for now). No need to reboot your system either. Red Hat is out early on this and escalated this appropriately. Their first round of updates got all but one exploit permutation, so they re-issued another bug identifier and are working to close it soon.

    Their initial timeline: Red Hat announced the bug on 14 Sep, had a proposed upstream patch seven hours later (0500h 15 Sep), backported it to Bash 3.0, 3.1, 3,2, 4.0, 4.1, and 4.2 three days later on 18 Sep; announced the release 1h later and made it public with an updated issue description six hours after that. Pretty impressive. On the 24th, Red Hat provided public documentation on this matter; six hours later it was reported that the fix is missing one exploit, so they are working to resolve that as I write this post. Things move fast in the world of open source.

    Impact Statement
    from Red Hat, provides direct prose for the next two sections. "Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)"

    Abstract Update

    Red Hat has become aware that the patch for
    CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.

    How does this impact systems

    This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
    All versions prior to those listed as updates for this issue are vulnerable to some degree.


    Test If You Have The Bug

    malchw@san-domino:~/Documents/$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


    Positive Result

    vulnerable

    this is a test


    Negative Result

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test


    Notations
    1. Your response may be something similar and be just fine; the difference is getting noise versus a clean response as the positive result indicates
    2. Run this check on any Apple Mac product running OS X, as tests show Macs are vulnerable
    3. Anyone running AIX, Solaris, or HP-UX should also check, as Bash is available on those systems

    Addition - 26 September 2014
    4. Update -- IBM released a patch for Protector that addresses Shellshock; verified by a customer of its success


    Mitigation

    Red Hat's Security Blog has a detailed analysis of which programs utilizing Bash can cause issues and why. "Bash specially-crafted environment variables code injection attack"


    Resolution

    Ideally, you need to be running bash-4.1.2-15 with current RHEL versions. Despite the bug's significance, the fix is really easy.
    RHEL: #yum clean all && yum update bash
    On my older RHEL 5 box: # rpm -Uvh bash-3.2-33.el5.1.i386.rpm

    CentOS: #yum clean all && yum update bash
    Ubuntu: $update-manager -or- $sudo apt-get update

    If you know the version number, you can always specify it too (package name example is for RHEL6.5)
    # yum update bash-4.1.2-15.el6_5.1


    -OR-
    Get the update manually and update the RPM -> https://rhn.redhat.com/rhn/errata/details/Packages.do?eid=27888

    Note
    : the "clean all" parameter above tells yum to clean all cached data, ensuring that bash can be updated more reliably, particularly with older systems; it may be considered optional on current systems


    Distro Provided Resolution Documents

    CentOS posted a document on the exploit and obtaining fixes through their list serv, "[CentOS] Critical update for bash released today."
    Red Hat's is here: "Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux"
    Novell/SUSE; bug report with patches here
    Debian
    Ubuntu

    Example Output - CentOS 6.5

    [root@localhost ~]# yum clean all && yum update bash

    Loaded plugins: fastestmirror, refresh-packagekit, security

    Cleaning repos: base extras updates

    Cleaning up Everything

    Cleaning up list of fastest mirrors

    Loaded plugins: fastestmirror, refresh-packagekit, security

    Determining fastest mirrors

    * base: centos.chi.host-engine.com

    * extras: cosmos.cites.illinois.edu

    * updates: mirror.atlanticmetro.net

    base                                                     | 3.7 kB     00:00    
    base/primary_db                                          | 4.4 MB     00:05    
    extras                                                   | 3.3 kB     00:00    
    extras/primary_db                                        |  19 kB     00:00    
    updates                                                  | 3.4 kB     00:00    
    updates/primary_db                                       | 5.3 MB     00:06    
    Setting up Update Process

    Loaded plugins: fastestmirror, refresh-packagekit, security

    Loading mirror speeds from cached hostfile

    * base: mirrors.lga7.us.voxel.net

    * extras: mirror.es.its.nyu.edu

    * updates: centos.aol.com

    Setting up Update Process

    Resolving Dependencies

    --> Running transaction check

    ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated

    ---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update

    --> Finished Dependency Resolution


    Dependencies Resolved

    ================================================================================

    Package       Arch            Version                   Repository        Size

    ================================================================================

    Updating:

    bash          x86_64          4.1.2-15.el6_5.1          updates          905 k


    Transaction Summary

    ================================================================================

    Upgrade       1 Package(s)


    Total download size: 905 k

    Is this ok [y/N]: y

    Downloading Packages:

    bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00    
    Running rpm_check_debug

    Running Transaction Test

    Transaction Test Succeeded

    Running Transaction

    Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
    Cleanup    : bash-4.1.2-15.el6_4.x86_64                                   2/2
    Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
    Verifying  : bash-4.1.2-15.el6_4.x86_64                                   2/2

    Updated:

    bash.x86_64 0:4.1.2-15.el6_5.1                                                


    Complete!



    Quick and Dirty Work-around
    , provided by Jake DePoy
    # iptables --append INPUT -m string --algo kmp --hex-string '|28 29 20 7B|' --jump DROP


    The Red Hat Customer Portal indicates the risk with the above work-around,
    "Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability."
    Comments

    1Richard Moy  9/25/2014 9:48:42 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

    The open source community is great. So fast of a response. My biggest concern is not the desktops or servers, but the embedded devices, IoT, since there may not be a way to update these devices. So Internet of Things is scarely.

    2Frank van der LInden  9/26/2014 2:12:07 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

    HI Bill,

    Thanks for the head up. I managed to fix my Mac by the instructions on this website

    { Link }

    3oneliner  9/26/2014 10:59:26 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

    That IP tables rule will do nothing if the packets are sent over an encrypted connection eg: ssh,https,etc. Something that has worked on my servers (some of them at least) is to link /bin/bash to /bin/dash and rename the original /bin/bash to something else and set root's shell to that. This only works as long as you don't have services depending on bash functionality.

    4Bill Malchisky  9/29/2014 12:38:14 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

    @1 - Agreed. People do not know how pervasive Linux is. Fortunately, lighter weight builds can use other shells, but no way to know this in one's respective device/case.

    @2 - Thanks, Frank. Added it to the updated blog post released today.

    @3 - Correct on the side-effect of the work-around. Hence my disclosure and monicker. I like your solution. Updating Bash is simple enough, but for some who have complext change management processes in-place, is why I offered this as a short-term option until patches are applied.

    Thank you for the comments.

    5Mathieu Pape  9/29/2014 5:58:22 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

    Hi Bill,

    Just to mention that on the Protector side, there is a new update available today that supersedes the one of Friday.

    S | Repository | Name | Current Version | Available Version | Arch

    --+--------------+--------------+-----------------+-------------------+-----

    v | IBM_PACKAGES | bash | 3.2-147.20.1 | 3.2-147.22.1 | i586

    v | IBM_PACKAGES | bash-doc | 3.2-147.20.1 | 3.2-147.22.1 | i586

    v | IBM_PACKAGES | libreadline5 | 5.2-147.20.1 | 5.2-147.22.1 | i586

    Best regards,

    Mathieu

    Powered by IBM Lotus Domino 8 | Lotus User Group | Get Firefox! | This blog is listed on Planet Lotus   IBM Certified

    © 2010 William Malchisky.