Main Edition: BASH vulnerability a.k.a. 'Shellshock'

ktheking
Level 4
Posts: 430
Joined: Tue May 13, 2014 9:13 am

Re: should i be worried? CVE-2014-6271 remote exe w/ bash

Postby ktheking » Fri Sep 26, 2014 11:26 am

Check the other threads about this topic first. But in short: NO, if you're on LM13 or 17 and you do updates.
Otherwise you have to patch manually using the Ubuntu guidelines.

Pilosopong Tasyo
Level 6
Posts: 1418
Joined: Mon Jun 22, 2009 3:26 am
Location: Philippines

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby Pilosopong Tasyo » Fri Sep 26, 2014 12:11 pm

tamone wrote: Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update ?

If I understand the way apt-get works, it -- by default -- installs the latest available version only. If an older version in the repo exists and you already have a higher version installed, apt-get isn't going to roll back, unless you explicitly tell it to install a specific version. Check the apt-get man page for details.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Recent bash vulnerability and patch questions

Postby xenopeek » Fri Sep 26, 2014 12:29 pm

linx255 wrote: According to NIST, vulnerability CVE-2014-6271 is described: "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."

csoonline.com says: "An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad."

I have never knowingly used those features and don't know anything about the environment variables, but my questions are:

1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation" ? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?
2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? ( I.e. upon boot, or running Update Manager, or some other program )
3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.
4) Should I be asking different questions here?

1) They mean that a remote attacker could do something that would put a "nefarious function" in an environment variable, and get run that way, for certain programs that use bash. They give a few examples of server software, like Apache with mod_cgi, that is vulnerable to this attack (as cgi scripts are often shell scripts, and thus bash if that is the default shell). You using bash as your shell in the terminal isn't the vulnerability; the vulnerability is with your running server software on a port on your computer that is reachable from the Internet (i.e., that you have configured in your broadband modem/router's firewall to be allowed, and on your computer's firewall to be allowed).

On Linux Mint the default shell (sh) is dash, not bash. Scripts for servers are commonly sh scripts, so getting run through dash instead of through bash. The scope of this vulnerability is limited to server programs explicitly using bash for running shell scripts, or shell scripts themselves being declared specifically as bash scripts (a header of #!/bin/bash instead of common #!/bin/sh).

2) Not to my knowledge; if you are a home user and you haven't configured any ports on your computer to be reachable from the Internet then all the services running on your computer are reachable from your own network only. Again, you using bash isn't the vulnerability--server software using bash is.

3) I haven't read it fully (don't have SELinux active), but there is a post on that: http://danwalsh.livejournal.com/71122.html

4) I think you've asked well informed questions.

zdnet has a good article showing what kind of software is affected and which isn't: http://www.zdnet.com/shellshock-how-to- ... 000034072/. But if you have installed level 3 updates through Update Manager, your bash is already patched for both CVEs.

TomRoche
Level 4
Posts: 243
Joined: Thu Jan 13, 2011 2:52 pm

'-s' is your friend!

Postby TomRoche » Fri Sep 26, 2014 12:56 pm

tamone wrote: Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update ?

Pilosopong Tasyo wrote: If I understand the way apt-get works, it -- by default -- installs the latest available version only. [...] Check the apt-get man page for details.


Actually a better way to check, with either `aptitude` or `apt-get`, is to use the `-s` switch, which means "simulate" or "dry-run": basically, "tell me what you *would* do, but don't actually do it." I *always* use the following workflow:

sudo aptitude -s do something
# if I decide to do it, use bash commandline editing to change '-s' to 'y'
sudo aptitude -y do something # answers "yes" to the question about whether to proceed


And, to answer tamone's question, if one does

sudo aptitude -s install bash


or

sudo aptitude -s full-upgrade


after removing the sid repo (as I did, I used `/etc/apt/sources.d/`) you will see that the new bash installed from sid is not removed, or marked, or otherwise molested.

killer de bug
Level 14
Posts: 5277
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby killer de bug » Fri Sep 26, 2014 1:08 pm

Pilosopong Tasyo wrote: If I understand the way apt-get works, it -- by default -- installs the latest available version only. If an older version in the repo exists and you already have a higher version installed, apt-get isn't going to roll back, unless if you explicitly tell it to install a specific version. Check the apt-get man page for details.


Not exactly. It depends on the priority also. If your repo has a priority too low, a new version will not be installed unless you explicitly choose to do so.
Last edited by killer de bug on Fri Sep 26, 2014 1:22 pm, edited 1 time in total.
If it ain't broke, fix it until it is.

TomRoche
Level 4
Posts: 243
Joined: Thu Jan 13, 2011 2:52 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby TomRoche » Fri Sep 26, 2014 1:20 pm

Pilosopong Tasyo wrote: If I understand the way apt-get works, it -- by default -- installs the latest available version only.

killer de bug wrote: If [your] repo has a priority too low, a new version will not be installed unless you explicitly choose to do so.


Package management functionality is now very fine-grained, aka potentially very complex. IMHO, rather than trying to out-think the PM, let it tell you what it wants to do with `-s`.

Habitual
Level 13
Posts: 4866
Joined: Sun Nov 21, 2010 8:31 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby Habitual » Fri Sep 26, 2014 2:29 pm

And for those who want to upgrade bash only:

apt-get install --only-upgrade bash

pe1800
Level 1
Posts: 49
Joined: Wed Feb 05, 2014 4:04 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby pe1800 » Fri Sep 26, 2014 4:03 pm

Habitual wrote: and for those who only want to upgrade bash only:

apt-get install --only-upgrade bash


I am kind of confused now. I run Mint 16 KDE 64 bit, no server and just for personal use. Cannot change to 17 so quickly, although I intend to eventually.
If, in 16, I apply apt-get install --only-upgrade bash will that fix the vulnerability?

Much appreciate your expert advice,
pe1800

Habitual
Level 13
Posts: 4866
Joined: Sun Nov 21, 2010 8:31 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby Habitual » Fri Sep 26, 2014 5:03 pm

pe:

If it will "let" you. I don't know about LM16 repository statuses for users on that release. Sorry.
Someone else will let you know... if and how.

Have a Great Day.

killer de bug
Level 14
Posts: 5277
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby killer de bug » Fri Sep 26, 2014 5:11 pm

LM16 is obsolete and its repos are not available anymore. Please read this: viewtopic.php?f=90&t=173378
If it ain't broke, fix it until it is.

420trvlr
Level 1
Posts: 3
Joined: Mon Oct 21, 2013 10:34 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby 420trvlr » Fri Sep 26, 2014 6:17 pm

I tried looking for updates and it came back that my system is up to date. However, when I run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

it still comes back that my system is vulnerable. I have the latest release of Mint (KDE).
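The probe 420trvlr ran, wrapped into a function so the same check can be scripted across several machines and its result tested rather than eyeballed. This is an added example, not code from the thread; it assumes GNU bash and env are on PATH, and dpkg-query is only used when present.

```shell
# Reports whether the local bash still honours the trailing command after an
# exported function definition (CVE-2014-6271). A vulnerable bash executes
# "echo vulnerable" while importing $x; a patched bash prints only the test line.
shellshock_probe() {
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) printf 'vulnerable\n'; return 1 ;;
        *)            printf 'patched\n';    return 0 ;;
    esac
}

# Installed bash package version from dpkg, or "unknown" on systems without it,
# so the probe result can be recorded next to the version that produced it.
bash_pkg_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' bash 2>/dev/null || printf 'unknown'
    else
        printf 'unknown'
    fi
}

report() {
    printf 'bash package: %s\n' "$(bash_pkg_version)"
    printf 'CVE-2014-6271 probe: '
    shellshock_probe
}

report
```

Run it before and after `apt-get install --only-upgrade bash`; the probe line should change from "vulnerable" to "patched".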

tdockery97
Level 14
Posts: 5015
Joined: Sun Jan 10, 2010 8:54 am
Location: Salem, Oregon

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby tdockery97 » Fri Sep 26, 2014 6:29 pm

@420trvlr: Right-click your Update Manager icon and select Preferences. On the Levels tab make sure that both "Always show security updates" and "Always select and trust security updates" are checked. If these are not checked you are missing out on critical security updates.

NOTE: Checking and installing security updates normally will not break your system. It will NOT upgrade your kernel; it will just apply security patches to the current kernel and system.

frisil
Level 3
Posts: 132
Joined: Wed Feb 04, 2009 10:24 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby frisil » Sat Sep 27, 2014 1:07 am

Older (obsolete) versions can be patched easily, I just found a way:

regardless of which Ubuntu based system you use, change your sources list to:

#for bash only update
deb http://de.archive.ubuntu.com/ubuntu trusty main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-updates main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse


open a root terminal and execute:

apt-get update
apt-get install --only-upgrade bash


now change your sources list back to what it was, run "apt-get update" again and you're done! I just tried this on my Mint Olivia and it worked fine.

btw, for those who don't know: It's still possible to install stuff on old versions, even if the original repos are gone, because Ubuntu has these:

deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-security main restricted universe multiverse


Not just raring, other obsolete versions, too. But no new security updates, so keep using at your own risk.

turtlebay777
Level 5
Posts: 551
Joined: Tue Apr 15, 2014 4:56 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby turtlebay777 » Sat Sep 27, 2014 4:25 am

Nice find, Frisil, thank you! I was wondering about my old laptop running Julia (just!). :D

Nah! It didn't work!
Last edited by turtlebay777 on Sat Sep 27, 2014 5:55 am, edited 1 time in total.

killer de bug
Level 14
Posts: 5277
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby killer de bug » Sat Sep 27, 2014 5:12 am

frisil wrote: Older (obsolete) versions can be patched easily, I just found a way:

Could you please post the output of

apt policy bash

Please do this with your Olivia system.
If it ain't broke, fix it until it is.

turtlebay777
Level 5
Posts: 551
Joined: Tue Apr 15, 2014 4:56 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby turtlebay777 » Sat Sep 27, 2014 6:01 am

This is the result after following his instructions on Julia:

pete@mint10-64bit-desktop ~ $ apt policy bash
bash:
  Installed: 4.1-2ubuntu4
  Candidate: 4.1-2ubuntu4
  Version table:
 *** 4.1-2ubuntu4 0
        100 /var/lib/dpkg/status
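What that version table says is the point of the next reply: the only source listed is /var/lib/dpkg/status, so no configured repository provides bash at all and apt has nothing newer to offer. The following added example (not from the thread) reads `apt policy` output, here a constructed copy of the output above, and flags exactly that condition; the sample text and the helper names are assumptions.

```shell
# Constructed sample, copied from the apt policy output posted above.
SAMPLE_POLICY='bash:
  Installed: 4.1-2ubuntu4
  Candidate: 4.1-2ubuntu4
  Version table:
 *** 4.1-2ubuntu4 0
        100 /var/lib/dpkg/status'

# Reads `apt policy <pkg>` text from stdin and prints "installed candidate repos",
# where repos counts version-table source lines other than the local dpkg status.
# A source line is "<priority> <origin>" with a numeric priority and an origin
# containing a slash (a URL or the dpkg status path); version lines such as
# "*** 4.1-2ubuntu4 0" have a non-numeric first field and are skipped.
policy_summary() {
    awk '
        /^ *Installed:/ { inst = $2 }
        /^ *Candidate:/ { cand = $2 }
        $1 ~ /^[0-9]+$/ && $2 ~ /\// && $2 != "/var/lib/dpkg/status" { repos++ }
        END { printf "%s %s %d\n", inst, cand, repos + 0 }
    '
}

# Returns 0 when at least one repository provides the package, 1 when only the
# locally installed copy is known (the obsolete-release case in this thread).
has_repo_source() {
    set -- $(policy_summary)
    [ "$3" -gt 0 ]
}

if printf '%s\n' "$SAMPLE_POLICY" | has_repo_source; then
    echo "a repository provides bash; apt can deliver a patched version"
else
    echo "only the local dpkg status knows bash; no repository can update it"
fi
```

On a live system replace the sample with `apt policy bash | has_repo_source` (or `apt-cache policy bash` on older releases).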

killer de bug
Level 14
Posts: 5277
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby killer de bug » Sat Sep 27, 2014 6:11 am

mouhahahahaha

4.1-2ubuntu4
Superseded in natty-release on 2010-12-13
Obsolete in maverick-release on 2013-03-05

bash (4.1-2ubuntu4) maverick; urgency=low

* debian/skel.bashrc: add 'alert' alias, LP: #616028
-- Dustin Kirkland <email address hidden> Tue, 10 Aug 2010 15:35:08 -0400

Available diffs
diff from 4.1-2ubuntu3 to 4.1-2ubuntu4 (621 bytes)


So please STOP USING OBSOLETE RELEASES, and if you do it, please STOP ADVERTISING IT. IT'S DANGEROUS.
If it ain't broke, fix it until it is.

turtlebay777
Level 5
Posts: 551
Joined: Tue Apr 15, 2014 4:56 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby turtlebay777 » Sat Sep 27, 2014 6:23 am

I didn't advertise it PAL so keep it civil! OK?

Now get off your rocking horse and realise that there are a hell of a lot of people still using older hardware that your precious 13 and 17 won't run on, because they are too big and need too much RAM and too fast a CPU!

Unless you fancy releasing something smaller for us?

killer de bug
Level 14
Posts: 5277
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby killer de bug » Sat Sep 27, 2014 6:31 am

frisil wrote: Older (obsolete) versions can be patched easily, I just found a way:

This is advertisement, period! You're not the center of the world. This sentence makes people believe they can fix their obsolete systems and it's wrong. This has nothing to do here and it's dangerous.
Funny to see you deleted your insults... Nice bravery...


turtlebay777 wrote: Unless you fancy releasing something smaller for us?

There are so many GNU/Linux systems doing this, use google and you will find them... And sorry, I don't help people insulting me...
If it ain't broke, fix it until it is.

killer de bug
Level 14
Posts: 5277
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: BASH vulnerability a.k.a. 'Shellshock'

Postby killer de bug » Sat Sep 27, 2014 6:59 am

By the way, LMDE will be patched as soon as a final patch is available in Debian Testing.
Source is the team... :wink:
If it ain't broke, fix it until it is.