Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Jo4

'Bash' virus?

Post by Jo4 »

Any advice to Linux users to defend against 'Bash' virus
Last edited by karlchen on Mon Oct 06, 2014 10:33 am, edited 1 time in total.
Reason: Note: the posts in the thread will be moved into the thread "Main Edition: BASH vulnerability a.k.a. 'Shellshock'" which collects all posts related to the bash security vulnerability.
monkeyboy

Re: 'Bash' virus?

Post by monkeyboy »

I don't worry about it. I keep my security updates current, watch what gets downloaded and what gets run. While that doesn’t guarantee safety I have yet to get stung with that approach.
eanfrid

Re: 'Bash' virus?

Post by eanfrid »

What are you talking about? There is no such virus.
Habitual

Re: 'Bash' virus?

Post by Habitual »

Jo4 wrote:Any advice to Linux users to defend against 'Bash' virus
As stated, stay updated. Also it is not a virus, it's a vulnerability. ;)
karlchen

Re: 'Bash' virus?

Post by karlchen »

Jo4 wrote:Any advice to Linux users to defend against 'Bash' virus
You might like to start by reading this thread: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
And as has already been pointed out: there is no bash virus, rather, unpatched bash versions are vulnerable to a particular kind of attack.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Jo4

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by Jo4 »

Apologies for not spotting this as a topic already being aired.

Jo
karlchen

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Info:
Next round of bash updates for Mint 13 and Mint 17, first thread post updated correspondingly.


Note:
The most recent bash on Mint 13 x64, bash (4.2-2ubuntu2.6), and the most recent bash on Mint 17 x64, bash (4.3-7ubuntu1.5), passed all 7 tests here: What is #shellshock?. Whether this really means that now bash has been fully secured, time will tell ...
Last edited by karlchen on Fri Oct 10, 2014 6:13 am, edited 2 times in total.
Reason: by now both tests have been done: on Mint 13 and Mint 17
Spearmint2

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by Spearmint2 »

Here's what you get if not running a server and are behind a router.
Warning Are you sure that host exists? We couldn't talk to it. Maybe it timed out? Took longer than 3 seconds to get a reply.
So, no problems here.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
ktheking

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by ktheking »

Some nice links showing the problematic of the shellshock bug:

http://blog.cloudflare.com/inside-shellshock/
http://ow.ly/C9FgX (or http://netmonastery.com/en/shellshock-t ... inkposting )

This one’s a must to read: http://www.tripwire.com/state-of-Sucuri ... nt-future/ => … identifying exploit attempts made against Apache targeting Shellshock vulnerabilities….

Of course this whole shellshock saga is only important for those people that have publicly running services such as http, ftp servers.
Most people who use Linux Mint only for local desktop activities, and have no running open servers are not to be bothered about this.
karlchen

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

ktheking wrote:Of course this whole shellshock saga is only important for those people that have publicly running services such as http, ftp servers.
Though there may be no need to panic for most home users, it will not do any harm updating bash to the bugfixed version. :wink:
turtlebay777

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

ktheking wrote:


Most people who use Linux Mint only for local desktop activities, and have no running open servers are not to be bothered about this.
Wish we'd been told this weeks ago, would have saved a lot of worry!
karlchen

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Well, on the one hand niowluka mentioned
From the reports in the media the vulnerability existed for a while, there are no known existing exploits and it's the webservers that are most at risk.
on September 25th. (page 1 of our little thread).
On the other hand spending a few thoughts on securing your system by installing available security patches in a timely fashion will have done no harm. :wink:

And last, but not least, now that the vulnerabilities in unpatched bash versions have been made public, who can foretell whether some evil minded, but skilled developers will not find a way of bringing exploits for the vulnerabilities to machines as well which do not run web servers?
Pilosopong Tasyo

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by Pilosopong Tasyo »

turtlebay777 wrote:Wish we'd been told this weeks ago, would have saved a lot of worry!
Put things in perspective.

The earliest report in this forum (that I know of) started last September 25th (my time). By the next day, I noticed a trend -- several threads of the same theme were being posted all over the forum (so much for following the first forum rule :roll: ). That's when I decided to initially merge all the related threads I could find (at the time I merged 10 similar topics) into this megathread that you're reading right now. The announcement was released and made global. On that same date (the 26th my time), xenopeek added summary information for everyone's perusal. We, forum admins and mods, made sure we update the announcement as we get the latest information made available to us.

You may have not noticed it, but if you read the first post in this thread, information about home users who don't run servers exposed to the internet was included. IMSMR, that piece of information was made available within the same day (if not the day after or so) when the announcement was released.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].
daveinuk

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by daveinuk »

turtlebay777 wrote:
ktheking wrote:


Most people who use Linux Mint only for local desktop activities, and have no running open servers are not to be bothered about this.
Wish we'd been told this weeks ago, would have saved a lot of worry!

Every time an 'issue' like this rears its head the first question I start asking is 'how does/does this even affect the average desktop user' and in the last 5 years of my use no one has yet told me I have grave concerns that should bother me, I don't fall for the sensationalism that gets through to the TV and assorted so called 'media', one Linux hiccup every blue moon and it makes the papers and the BBC, as though the only tech news is that open source = scary things to be wary of, yet MS has regular problems that no one ever hears about, online services getting hacked and people's intimate pictures getting shared worldwide doesn't get as much attention as 1 vulnerability in a long time that got patched even before half of the public had a clue they had something new to 'worry about' while they were eating their branflakes one day . . . . . No, worry is one thing I stopped bothering with when I decided to completely drop MS/Google/Android et al . . . . . . :wink:
turtlebay777

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

What I don't understand is the message which appears when you try to use apt-get remove bash (or whatever it should read) that bash is an important part of the system and by removing it you risk breaking your system.

Then we are told here that bash is unimportant on most desktop users' systems except for those running open servers!

Which one is true?
killer de bug

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

:shock:

No one has ever said bash was unimportant...
turtlebay777

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

killer de bug wrote::shock:

No one has ever said bash was unimportant...

This user DID!

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Post by ktheking on Fri Oct 10, 2014 1:43 pm

http://forums.linuxmint.com/viewtopic.p ... 93#p934106


Also Karlchen did on this URL http://forums.linuxmint.com/viewtopic.p ... 93#p934129
karlchen

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Hello, turtlebay777.

killer de bug is absolutely right. No-one has ever said that the bash were unimportant. In particular, neither ktheking, nor me.
The bash is the default user's commandline shell on a lot of Linux systems. So it is important.
What we said was that the bash vulnerabilities exposed server machines to greater dangers than home users.

You see the difference? bash is important. The vulnerability is bad. But at present the exploits target web servers primarily, not home user machines. Nonetheless, the bash patches should be installed. Period.

Kind regards,
Karl
acerimusdux

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by acerimusdux »

turtlebay777 wrote:What I don't understand is the message which appears when you try to use apt-get remove bash (or whatever it should read) that bash is an important part of the system and by removing it you risk breaking your system.
What I read was that bash is not the default shell on Mint, meaning when "sh" is called, that calls another shell called dash. So that makes Mint a little less vulnerable. But, there are still at least 100 scripts which call bash directly, and in addition it is still the default login shell. Meaning, unless you configured a user otherwise manually, if you open a terminal, you are running bash. To test this, open a terminal and run "ps" and you should get something like this:
PID TTY TIME CMD
22256 pts/2 00:00:00 bash
22537 pts/2 00:00:00 ps
So yes it's still important.

But the vulnerability also required that an attacker be able to set an environment variable with a nefarious function definition. There isn't an easy way for that to happen on a desktop. When I run "printenv" in that terminal, I find there are only 41 environment variables set, and they all seem to be used for system configuration. And none of them define any functions. Information is not stored in those variables for example, by my browser when I surf the web, or when I read an email.

So long as you are not running a program which saves externally input data into an environment variable, you're fine even running an old bash version.

The main thing though is to always run an updated system anyway. There are always going to be bugs, which will usually get fixed quickly when discovered, which will usually be before anyone has figured out how to exploit them.
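The three checks from acerimusdux's post (what `sh` resolves to, the login shell, and whether any environment variable holds a function definition), as an added example that is not part of the original post. The function names and the sample variables are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the points made in the post.

# Shell that "sh" resolves to (dash on Mint, according to the post).
sh_target() {
    basename "$(readlink -f /bin/sh 2>/dev/null)"
}

# Login shell of the current user: field 7 of the passwd entry.
login_shell() {
    getent passwd "$(id -un)" 2>/dev/null | cut -d: -f7
}

# Read NAME=value lines (printenv format) on stdin and print the names of
# variables whose value starts with "() {", the prefix bash uses to
# recognise a function definition passed through the environment.
# Multi-line values are read line by line, so a continuation line shaped
# like NAME=() { is reported as well, which is acceptable for an audit.
function_like_vars() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$value" in
            "() {"*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample: two ordinary variables and one function-shaped value.
sample_env() {
    printf '%s\n' 'HOME=/home/mint' 'LANG=en_GB.UTF-8' \
        'HTTP_USER_AGENT=() { :; }'
}

audit() {
    echo "sh resolves to : $(sh_target)"
    echo "login shell    : $(login_shell)"
    echo "function-like variables in this environment:"
    printenv | function_like_vars
    echo "function-like variables in the constructed sample:"
    sample_env | function_like_vars
}

audit
```

A hit is not proof of an attack, because shell functions exported on purpose have the same shape; what matters is whether the value came from outside the machine.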
turtlebay777

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

karlchen wrote:Hello, turtlebay777.

killer de bug is absolutely right. No-one has ever said that the bash were unimportant. In particular, neither ktheking, nor me.
The bash is the default user's commandline shell on a lot of Linux systems. So it is important.
What we said was that the bash vulnerabilities exposed server machines to greater dangers than home users.

You see the difference? bash is important. The vulnerability is bad. But at present the exploits target web servers primarily, not home user machines. Nonetheless, the bash patches should be installed. Period.

Kind regards,
Karl
So when ktheking stated "Of course this whole shellshock saga is only important for those people that have publicly running services such as http, ftp servers.", you are saying he was wrong?

No I don't see the difference, a statement is either right or wrong. If as you assert, "In particular, neither ktheking, ..." then either he is right or wrong.

I am an English speaker from birth so it is my mother tongue, so there can be nothing lost in translation.

Other Linux sites have said that bash is not used for anything other than servers too. As I'm not running a server what is bash being used for?

"Most people who use Linux Mint only for local desktop activities, and have no running open servers are not to be bothered about this".

This statement is also wrong?

I'm not looking for an argument, I'm trying to understand why someone has posted apparently wrong info here which had not been deleted or amended by the admins.