Shellshock bug and other BASH vulnerabilities - (CVE-2014-6271, CVE-2014-7169, ...)

Avatar
Admin
Follow

Common Vulnerabilities and Exposures (CVE):

    •    CVE-2014-6271 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

    •    CVE-2014-7169 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

What is Bash?

Bash, or bourne-again shell, is the default shell in Ubuntu. When you are interfacing with the terminal (either through the terminal emulator, over a tty, or ssh), you are generally typing commands that bash will read and execute. Even if you do not use the terminal at all, you still have Bash. (Source: http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it

Description:

The original discovered vulnerability (CVE-2014-6271) was related to the flaw found in the bash functionality that evaluates specially formatted environment variables passed to it from another environment. An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Additional vulnerabilities have been published afterward (See Common Vulnerabilities and Exposures (CVE): above)

How does the exploit affect me?

In addition to the external references below, Read the section "How does the exploit affect me? http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it 

Affected Systems:

1- Ubuntuhttp://www.ubuntu.com/usn/usn-2362-1/

2- CentOS: Versions 5,6,7: http://lists.centos.org/pipermail/centos/2014-September/146099.html 

3- Debianhttps://security-tracker.debian.org/tracker/CVE-2014-6271

4- MacOshttp://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

Steps to reproduce the problem

Execute the following command (Recommended):

for i in `type -a bash| egrep -o "/.*"`; do /bin/echo -n "$i " ; x="() { :; };t=un" $i -c 'echo  is ${t}safe' 2>/dev/null; done

Or this one:

 env x='() { :;}; echo vulnerable' bash -c "echo hello"

 - If your system is vulnerable, the output will be:

vulnerable
hello

- If your system is not vulnerable, the output will be:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for`x'
hello

For CVE-2014-7169

Execute the following command:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

- If your system is vulnerable, the output will be:

   # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
   bash: x: line 1: syntax error near unexpected token `='
   bash: x: line 1: `'
   bash: error importing function definition for `x'
   Fri Sep 26 09:53:04 EDT 2014

- If your system is not vulnerable, the output will be:

   # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
   date
   cat: /tmp/echo: No such file or directory

 

Resolution:

If you are not able to update the vulnerable bash package using the command below (ex: old operating system version, ...), please communicate with our technical support team.

 

1- Ubuntu:   http://www.ubuntu.com/usn/usn-2362-1/

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

You can check your package version by using the command:

dpkg -s bash | grep Version

Update your packages list and install the new version of the bash package:

sudo apt-get update && sudo apt-get install bash

 

2- CentOS:

Check the version of your bash package:

rpm -qa bash 

Update your bash package:

yum update bash

3- Debianhttps://security-tracker.debian.org/tracker/CVE-2014-6271 

Update the packages list and install the latest version of bash:

sudo apt-get update && sudo apt-get install bash

 

4- MacOS: Follow the instructions: http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

References:

- CVE-2014-6271 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
- CVE-2014-7169 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
- CVE-2014-7186  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
- CVE-2014-7187 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
- CVE-2014-6277 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
- CVE-2014-6278 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278
- https://github.com/hannob/bashcheck

Additional details are available: http://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-21050/year-2014/GNU-Bash.html 

 

0 Comments

Article is closed for comments.
Powered by Zendesk