Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Releases and other announcements.
Please don't post support questions here
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
Post Reply
ktheking

Re: should i be worried? CVE-2014-6271 remote exe w/ bash

Post by ktheking »

Check the other threads about this topic first. But in short : NO , if you're on version LM13 or 17 and you do updates.
Otherwise you have to patch manually using the ubuntu guidelines.
User avatar
Pilosopong Tasyo
Level 6
Level 6
Posts: 1432
Joined: Mon Jun 22, 2009 3:26 am
Location: Philippines

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by Pilosopong Tasyo »

tamone wrote:Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update ?
If I understand the way apt-get works, it -- by default -- installs the latest available version only. If an older version in the repo exists and you already have a higher version installed, apt-get isn't going to roll back, unless if you explicitly tell it to install a specific version. Check the apt-get man page for details.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].
User avatar
xenopeek
Level 25
Level 25
Posts: 29506
Joined: Wed Jul 06, 2011 3:58 am

Re: Recent bash vulnerability and patch questions

Post by xenopeek »

linx255 wrote:According to NIST, vulnerability CVE-2014-6271 is described: "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."

csoonline.com says: "An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad."

I have never knowingly used those features and don't know anything about the environment variables, but my questions are:

1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation" ? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?
2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? ( I.e. upon boot, or running Update Manager, or some other program )
3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.
4) Should I be asking different questions here?
1) They mean that a remote attacker could do something that would put a "nefarious function" in an environment variable, and get run that way, for certain programs that use bash. They give a few examples of server software, like Apache with mod_cgi, that is vulnerable to this attack (as cgi scripts are often shell scripts, and thus bash if that is the default shell). You using bash as your shell in the terminal isn't the vulnerability; the vulnerability is with your running server software on a port on your computer that is reachable from the Internet (i.e., that you have configured in your broadband modem/router's firewall to be allowed, and on your computer's firewall to be allowed).

On Linux Mint the default shell (sh) is dash, not bash. Scripts for servers are commonly sh scripts, so getting run through dash instead of through bash. The scope of this vulnerability is limited to server programs explicitly using bash for running shell scripts, or shell scripts themselves being declared specifically as bash scripts (a header of #!/bin/bash instead of common #!/bin/sh).

2) Not to my knowledge; if you are a home user and you haven't configured any ports on your computer to be reachable from the Internet then all the services running on your computer are reachable from your own network only. Again, you using bash isn't the vulnerability--server software using bash is.

3) I haven't read it fully (don't have SELinux active), but there is a post on that: http://danwalsh.livejournal.com/71122.html

4) I think you've asked well informed questions.

zdnet has a good article showing what kind of software is affected and which isn't: http://www.zdnet.com/shellshock-how-to- ... 000034072/. But if you have installed level 3 updates through Update Manager, your bash is already patched for both CVE's.
Image
TomRoche

'-s' is your friend!

Post by TomRoche »

tamone wrote:Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update ?
Pilosopong Tasyo wrote:If I understand the way apt-get works, it -- by default -- installs the latest available version only. [...] Check the apt-get man page for details.
Actually a better way to check, with either `aptitude` or `apt-get`, is to use the `-s` switch, which means "simulate" or "dry-run": basically, "tell me what you *would* do, but don't actually do it." I *always* use the following workflow:

Code: Select all

sudo aptitude -s do something
# if I decide to do it, use bash commandline editing to change '-s' to 'y'
sudo aptitude -y do something # answers "yes" to the question about whether to proceed
And, to answer tamone's question, if one does

Code: Select all

sudo aptitude -s install bash
or

Code: Select all

sudo aptitude -s full-upgrade
after removing the sid repo (as I did, I used `/etc/apt/sources.d/`) you will see that the new bash installed from sid is not removed, or marked, or otherwise molested.
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

Pilosopong Tasyo wrote: If I understand the way apt-get works, it -- by default -- installs the latest available version only. If an older version in the repo exists and you already have a higher version installed, apt-get isn't going to roll back, unless if you explicitly tell it to install a specific version. Check the apt-get man page for details.
Not exactly. It depends on the priority also. If your repo has a priority too low, a new version will not be installed unless you explicitly choose to do so.
Last edited by killer de bug on Fri Sep 26, 2014 1:22 pm, edited 1 time in total.
TomRoche

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by TomRoche »

Pilosopong Tasyo wrote:If I understand the way apt-get works, it -- by default -- installs the latest available version only.
killer de bug wrote:If [your] repo has a priority too low, a new version will not be installed unless you explicitly choose to do so.
Package management functionality is now very fine-grained, aka potentially very complex. IMHO, rather than trying to out-think the PM, let it tell you what it wants to do with `-s`.
Habitual

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by Habitual »

and for those who only want to upgrade bash only:

Code: Select all

apt-get install --only-upgrade bash
pe1800
Level 2
Level 2
Posts: 54
Joined: Wed Feb 05, 2014 4:04 pm
Location: Toronto Canada

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by pe1800 »

Habitual wrote:and for those who only want to upgrade bash only:

Code: Select all

apt-get install --only-upgrade bash
I am kind of confused now. I run Mint 16 KDE 64 bit, no server and just for personal use. Cannot change to 17 so quickly, although I intend to eventually.
If, in 16, I apply apt-get install --only-upgrade bash will that fix the vulnerability?

Much appreciate your expert advice,
pe1800
Habitual

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by Habitual »

pe:

If it will "let" you. I don't know about LM16 repository statuses for users on that release. Sorry.
Someone else will let you know... if and how.

Have a Great Day.
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

LM16 is obsolete and repo are not available anymore. Please read this : http://forums.linuxmint.com/viewtopic.php?f=90&t=173378
420trvlr

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by 420trvlr »

I tried looking for updates and it came back that my system is up to date, however, when I run: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
it still comes back that my system is vulnerable. I have the latest release of Mint (KDE).
User avatar
tdockery97
Level 14
Level 14
Posts: 5058
Joined: Sun Jan 10, 2010 8:54 am
Location: Mt. Angel, Oregon

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by tdockery97 »

@420trvlr: Right-click your Update Manager icon and select Preferences. On the Levels tab make sure that both "Always show security updates" and "Always select and trust security updates" are checked. If these are not checked you are missing out on critical security updates.

NOTE: Checking and installing security updates normally will not break your system. It will NOT upgrade your kernel; it will just apply security patches to the current kernel and system.
Mint Cinnamon 20.1
frisil
Level 3
Level 3
Posts: 146
Joined: Wed Feb 04, 2009 10:24 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by frisil »

Older (obsolete) versions can be patched easily, I just found a way:

regardless of which Ubuntu based system you use, change your sources list to:

Code: Select all

#for bash only update 
deb http://de.archive.ubuntu.com/ubuntu trusty main restricted universe multiverse 
deb http://de.archive.ubuntu.com/ubuntu trusty-updates main restricted universe multiverse 
deb http://de.archive.ubuntu.com/ubuntu trusty-security main restricted universe multiverse 
deb http://de.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse 
open a root terminal and execute:

Code: Select all

apt-get update 
apt-get install --only-upgrade bash 
now change your sources list back to what it was, run "apt-get update" again and you're done! I just tried this on my Mint Olivia and it worked fine.

btw, for those who don't know: It's still possible to install stuff on old versions, even if the original repos are gone, because Ubuntu has these:

Code: Select all

deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-security main restricted universe multiverse
Not just raring, other obsolete versions, too. But no new security updates, so keep using at your own risk.
turtlebay777

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

Nice find, Frisil, thank you! I was wondering about my old laptop running Julia (just!). :D

Nah! It didn't work!
Last edited by turtlebay777 on Sat Sep 27, 2014 5:55 am, edited 1 time in total.
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

frisil wrote:Older (obsolete) versions can be patched easily, I just found a way:
Could ypu please post the output of

Code: Select all

 apt policy bash

Please do this with your Olivia system.
turtlebay777

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

This is the result after following his instructions on Julia

Code: Select all

pete@mint10-64bit-desktop ~ $ apt policy bash
bash:
  Installed: 4.1-2ubuntu4
  Candidate: 4.1-2ubuntu4
  Version table:
 *** 4.1-2ubuntu4 0
        100 /var/lib/dpkg/status
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

mouhahahahaha
4.1-2ubuntu4
Superseded in natty-release on 2010-12-13
Obsolete in maverick-release on 2013-03-05

bash (4.1-2ubuntu4) maverick; urgency=low

* debian/skel.bashrc: add 'alert' alias, LP: #616028
-- Dustin Kirkland <email address hidden> Tue, 10 Aug 2010 15:35:08 -0400

Available diffs
diff from 4.1-2ubuntu3 to 4.1-2ubuntu4 (621 bytes)
So please STOP USING OBSOLETE RELEASE. and if you do it, please STOP ADVERTISING IT. IT'S DANGEROUS
turtlebay777

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

I didn't advertise it PAL so keep it civil! OK?

Now get off your rocking horse and realise that there are a hell of a lot of people still using older hardware that your precious 13 and 17 won't run on because they are too big and need too much RAM and too fast a cpu!

Unless you fancy releasing something smaller for us?
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

frisil wrote:Older (obsolete) versions can be patched easily, I just found a way:
This is advertisement, period! You're not the center of the world. This sentence makes people believe they can fix their obsolete systems and it's wrong. This has nothing to do here and it's dangerous.
Funny to see you deleted your insults... Nice bravery...

turtlebay777 wrote: Unless you fancy releasing something smaller for us?
There are so many GNU/Linux systems doing this, use google and you will find them... And sorry, I don't help people insulting me...
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

By the way, LMDE will be patched as soon as a final patch will be available in Debian Testing.
Source is the team... :wink:
Post Reply

Return to “Releases & Announcements”