ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

Bill Malchisky  September 25 2014 06:00:00 AM
This is ugly, but fortunately you just have to update to a fixed Bash version and you are fine (for now). No need to reboot your system either. Red Hat is out early on this and escalated this appropriately. Their first round of updates got all but one exploit permutation, so they re-issued another bug identifier and are working to close it soon.

Their initial timeline: Red Hat announced the bug on 14 Sep, had a proposed upstream patch seven hours later (0500h 15 Sep), backported it to Bash 3.0, 3.1, 3,2, 4.0, 4.1, and 4.2 three days later on 18 Sep; announced the release 1h later and made it public with an updated issue description six hours after that. Pretty impressive. On the 24th, Red Hat provided public documentation on this matter; six hours later it was reported that the fix is missing one exploit, so they are working to resolve that as I write this post. Things move fast in the world of open source.

Impact Statement
from Red Hat, provides direct prose for the next two sections. "Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)"

Abstract Update

Red Hat has become aware that the patch for
CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.

How does this impact systems

This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
All versions prior to those listed as updates for this issue are vulnerable to some degree.


Test If You Have The Bug

malchw@san-domino:~/Documents/$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


Positive Result

vulnerable

this is a test


Negative Result

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


Notations
1. Your response may be something similar and be just fine; the difference is getting noise versus a clean response as the positive result indicates
2. Run this check on any Apple Mac product running OS X, as tests show Macs are vulnerable
3. Anyone running AIX, Solaris, or HP-UX should also check, as Bash is available on those systems

Addition - 26 September 2014
4. Update -- IBM released a patch for Protector that addresses Shellshock; verified by a customer of its success


Mitigation

Red Hat's Security Blog has a detailed analysis of which programs utilizing Bash can cause issues and why. "Bash specially-crafted environment variables code injection attack"


Resolution

Ideally, you need to be running bash-4.1.2-15 with current RHEL versions. Despite the bug's significance, the fix is really easy.
RHEL: #yum clean all && yum update bash
On my older RHEL 5 box: # rpm -Uvh bash-3.2-33.el5.1.i386.rpm

CentOS: #yum clean all && yum update bash
Ubuntu: $update-manager -or- $sudo apt-get update

If you know the version number, you can always specify it too (package name example is for RHEL6.5)
# yum update bash-4.1.2-15.el6_5.1


-OR-
Get the update manually and update the RPM -> https://rhn.redhat.com/rhn/errata/details/Packages.do?eid=27888

Note
: the "clean all" parameter above tells yum to clean all cached data, ensuring that bash can be updated more reliably, particularly with older systems; it may be considered optional on current systems


Distro Provided Resolution Documents

CentOS posted a document on the exploit and obtaining fixes through their list serv, "[CentOS] Critical update for bash released today."
Red Hat's is here: "Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux"
Novell/SUSE; bug report with patches here
Debian
Ubuntu

Example Output - CentOS 6.5

[root@localhost ~]# yum clean all && yum update bash

Loaded plugins: fastestmirror, refresh-packagekit, security

Cleaning repos: base extras updates

Cleaning up Everything

Cleaning up list of fastest mirrors

Loaded plugins: fastestmirror, refresh-packagekit, security

Determining fastest mirrors

* base: centos.chi.host-engine.com

* extras: cosmos.cites.illinois.edu

* updates: mirror.atlanticmetro.net

base                                                     | 3.7 kB     00:00    
base/primary_db                                          | 4.4 MB     00:05    
extras                                                   | 3.3 kB     00:00    
extras/primary_db                                        |  19 kB     00:00    
updates                                                  | 3.4 kB     00:00    
updates/primary_db                                       | 5.3 MB     00:06    
Setting up Update Process

Loaded plugins: fastestmirror, refresh-packagekit, security

Loading mirror speeds from cached hostfile

* base: mirrors.lga7.us.voxel.net

* extras: mirror.es.its.nyu.edu

* updates: centos.aol.com

Setting up Update Process

Resolving Dependencies

--> Running transaction check

---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated

---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update

--> Finished Dependency Resolution


Dependencies Resolved

================================================================================

Package       Arch            Version                   Repository        Size

================================================================================

Updating:

bash          x86_64          4.1.2-15.el6_5.1          updates          905 k


Transaction Summary

================================================================================

Upgrade       1 Package(s)


Total download size: 905 k

Is this ok [y/N]: y

Downloading Packages:

bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00    
Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
Cleanup    : bash-4.1.2-15.el6_4.x86_64                                   2/2
Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
Verifying  : bash-4.1.2-15.el6_4.x86_64                                   2/2

Updated:

bash.x86_64 0:4.1.2-15.el6_5.1                                                


Complete!



Quick and Dirty Work-around
, provided by Jake DePoy
# iptables --append INPUT -m string --algo kmp --hex-string '|28 29 20 7B|' --jump DROP


The Red Hat Customer Portal indicates the risk with the above work-around,
"Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability."
Comments

1Richard Moy  9/25/14 9:48:42 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

The open source community is great. So fast of a response. My biggest concern is not the desktops or servers, but the embedded devices, IoT, since there may not be a way to update these devices. So Internet of Things is scarely.

2Frank van der LInden  9/26/14 2:12:07 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

HI Bill,

Thanks for the head up. I managed to fix my Mac by the instructions on this website

{ Link }

3oneliner  9/26/14 10:59:26 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

That IP tables rule will do nothing if the packets are sent over an encrypted connection eg: ssh,https,etc. Something that has worked on my servers (some of them at least) is to link /bin/bash to /bin/dash and rename the original /bin/bash to something else and set root's shell to that. This only works as long as you don't have services depending on bash functionality.

4Bill Malchisky  9/29/14 12:38:14 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

@1 - Agreed. People do not know how pervasive Linux is. Fortunately, lighter weight builds can use other shells, but no way to know this in one's respective device/case.

@2 - Thanks, Frank. Added it to the updated blog post released today.

@3 - Correct on the side-effect of the work-around. Hence my disclosure and monicker. I like your solution. Updating Bash is simple enough, but for some who have complext change management processes in-place, is why I offered this as a short-term option until patches are applied.

Thank you for the comments.

5Mathieu Pape  9/29/14 5:58:22 AM  Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

Hi Bill,

Just to mention that on the Protector side, there is a new update available today that supersedes the one of Friday.

S | Repository | Name | Current Version | Available Version | Arch

--+--------------+--------------+-----------------+-------------------+-----

v | IBM_PACKAGES | bash | 3.2-147.20.1 | 3.2-147.22.1 | i586

v | IBM_PACKAGES | bash-doc | 3.2-147.20.1 | 3.2-147.22.1 | i586

v | IBM_PACKAGES | libreadline5 | 5.2-147.20.1 | 5.2-147.22.1 | i586

Best regards,

Mathieu

Powered by IBM Lotus Domino 8 | Lotus User Group | Get Firefox! | This blog is listed on Planet Lotus   IBM Certified

© 2010 William Malchisky.