Re: Vulnerability in Bash

Posted: Thu Sep 25, 2014 12:13 pm
by Ubulindy
I added this: deb http://ftp.us.debian.org/debian sid main I updated the cache and it failed, got nothing but errors. Is that not correct?

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 12:18 pm
by pessimizer
Short thread, lots of bad information.

Bug is bad, and still unpatched (the patch was bad.) Things running on mod_php, passenger, etc. through Apache and nginx are generally safe, and in Debian, you would have to have changed /bin/sh to bash manually or have applications running that exec out to scripts with a bash shebang rather than sh (pretty common, but rarely happens in Debian upstream) for normal webapps to be vulnerable. Unless you're omniscient, you probably have no idea if this happens somewhere in a pipeline that is accepting input from the internet.

If you have some app that puts a web administration server on a weird port (embedded webserver), make sure you're not forwarding it to your firewall for the time being. There's really nothing else to do about it at this point.

http://www.troyhunt.com/2014/09/everyth ... about.html

http://forum.linuxmint.com/viewtopic.ph ... 25#p928017

Re: Vulnerability in Bash

Posted: Thu Sep 25, 2014 1:08 pm
by Paulm
Many thanks killer de bug, your Bash update idea using sid worked super, now have 4.3-9.1 8)

Re: Vulnerability in Bash

Posted: Thu Sep 25, 2014 1:12 pm
by Ubulindy
Paulm, Can you post to me what entry you added? I'm getting nothing but failures. Thanks

Jees oh man I have added and then removed every sid repo I can find and I get errors or 404 on all of them. Getting aggravated here :(

Re: What's this about bash?

Posted: Thu Sep 25, 2014 1:14 pm
by BoDill
Hello,

I just tried to find the "Update Manager" mentioned by "Amasa" above, but do not know how to find it.

Can someone help me? You must be rather specific, because I'm obviously NOT a computer whiz.

Also, anything else you can tell me about combating this virus will be greatly appreciated.

Thank you,
BoDill,
Linux Mint 17

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 1:22 pm
by nomko
Anyway, I've tested my system and I get this:

Code:

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
So according to that scaremongering crappy article I'm safe....

Re: What's this about bash?

Posted: Thu Sep 25, 2014 1:24 pm
by niowluka
BoDill wrote: Also, anything else you can tell me about combating this virus will be greatly appreciated.
It's not a virus, it's a vulnerability. And you don't need to combat it. Unless you're running an ultra secure webserver or something similar you have nothing to worry about.

Chill-out, grab a coffee and install the update:
Update Manager can be launched by clicking on the shield-shaped icon in your taskbar. You should really be familiar with it, otherwise you have not been updating your system. If after launching you can't see any updates click 'refresh'. bash should show as one of the available updates. Install.

Re: Shellshock bug in BASH . . . [Solved]

Posted: Thu Sep 25, 2014 1:26 pm
by acw89
1.618 -- Thanks for the info ... just fixed my Linux Mint up as well.

Love not having to wait like with Windows ..

Unix -- Live FREE or DIE

Re: Vulnerability in Bash

Posted: Thu Sep 25, 2014 1:38 pm
by Paulm
Yes, In software Sources add < deb http://ftp.debian.org/debian sid main contrib non-free > update the cache.
In the terminal (not the Software source manager) < sudo apt-get update > then < sudo apt-get update >
You will find there are a lot of upgrades and some that won't install. Say yes to the updates and yes when it comes to the 'bash change questions'
Then when the upgrades have been installed, untick the 'ftp sid main' and update the cache and again in the terminal < sudo apt-get update >
Good luck it worked for me, The sid version should now be 4.3-9.1

Re: Shellshock: Bash bug

Posted: Thu Sep 25, 2014 1:40 pm
by xenopeek
For details, check the RedHat information on this: https://securityblog.redhat.com/2014/09 ... on-attack/

On Linux Mint 17 you already have the first patch for bash available through Update Manager (version 4.3-7ubuntu1.1 includes the CVE-2014-6271 patch; changelog). Same for Linux Mint 13 (version 4.2-2ubuntu2.2; changelog).

Everywhere it is being discussed the Ubuntu bash maintainer has already piped in he is working on the second part of the patch. The fix for this will arrive on Linux Mint 13 and 17 through Update Manager once available in Ubuntu.

If you're using Linux Mint as a home server, or as a public server, you might want to take additional steps now. For example there are mod_security rules you can use to catch attempts to exploit this bug on your Apache install. Home users are less susceptible to the bug being exploited, as they're not running services on Internet reachable ports.

Edit: patch for LMDE is underway. You could download the complete patch already from Debian unstable if you are using LMDE as a server: https://packages.debian.org/source/unstable/bash

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 1:48 pm
by Habitual
nomko wrote: So according to that scaremongering crappy article I'm safe....

Code:

apt-get changelog bash | less
Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs ... /changelog) [123 kB]
bash (4.3-7ubuntu1.1) trusty-security; urgency=medium

* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271

Re: Shellshock: Bash bug

Posted: Thu Sep 25, 2014 1:50 pm
by Habitual

Code:

apt-get changelog bash | less
Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs ... /changelog) [123 kB]
bash (4.3-7ubuntu1.1) trusty-security; urgency=medium

* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271

-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 22 Sep 2014 15:26:16 -0400

Code:

System:    Host: my-kungfu Kernel: 3.13.0-24-generic x86_64 (64 bit) Desktop: Xfce 4.11.6
           Distro: Linux Mint 17 Qiana

Re: Shellshock: Bash bug

Posted: Thu Sep 25, 2014 1:54 pm
by DrHu
About the BBC version of the story
  • "To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up," he said.
    "This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK."
No-one: commercial OS or applications, or OSS (same) is doing that, nor likely ever intends to

I also looked at the RED HAT security info (and the knowledge base link), and it is as said not as click-bait as the BBC article.
--to me it looks like that older bug SQL injection as far as how it may affect users or be handled by the developer(s) of BASH..

And I didn't see anyone suggest using another shell such as Korn or C-shell; or perhaps some other choice
https://en.wikipedia.org/wiki/Unix_shell
--perhaps they have the same issue and no-one has thought to tell us yet..

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 2:45 pm
by acerimusdux
linx255 wrote:1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation" ? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?
It's nefarious in the sense that the attacker can essentially write his own function and inject it via a value stored in an environment variable, so if the attacker is nefarious, then the function is likely to be.

An arbitrary environment variable isn't necessarily nefarious, but they shouldn't be so easily executed as code. A function being defined and saved in a variable isn't bad either, as something still has to call it. But that's not the case here. The problem here is that code can be inserted after the definition and it will execute (without the function having to be called).
linx255 wrote:2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? ( I.e. upon boot, or running Update Manager, or some other program )
That depends on how observant you are about what is running on your system. There are some desktop users who are unaware they are even running a web-server (usually because some application installed one as a dependency). If you are running no services that are accessible remotely, and/or a good firewall that prevents outside access to any services that are running on open ports, then you would be pretty well protected. So this is more a risk to anyone who is running a web-server (especially with cgi scripting), or using ssh for remote access, or allowing any other form of remote access. But there has been some talk that even some dhcp clients may be vulnerable, something lots of desktop users might have running. And, it appears even if your Mint desktop is safe, a number of routers may be vulnerable; if an attacker can own your router, they can easily redirect traffic, capture traffic (including passwords), spoof secure banking sites, etc.
linx255 wrote:1) 3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.
A key point here is no authorization necessarily required for code injection. Anything that can save something into an environment variable, can cause code to be executed whenever bash is run (as it reads the environment variables). For example, my understanding is that CGI parses headers as environment variables. So your website doesn't even need to be allowing form input for example, the attacker can insert the attack right into an http request header.

SE Linux properly configured may provide some protection against some possible commands being executed, but there are likely lots of possible attacks which it still wouldn't prevent.
linx255 wrote: 4) Should I be asking different questions here?

Thanks
Look like good questions to me.

The main thing is that Mint is not especially vulnerable, as it does not use bash as its default shell. However, bash is still apparently considered an essential package. For example:

Code:

sudo apt-get remove bash
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  bash bash-completion inxi mint-meta-core mint-meta-mate
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  bash
0 upgraded, 0 newly installed, 5 to remove and 39 not upgraded.
After this operation, 2,924 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
 ?] 
Abort.
I'm tempted to try going ahead and removing it anyway, as I suspect it may not really be that essential, but I figured I'd better get this post written before I crash my machine. :)

But that's the question I would ask, is it safe to simply remove bash?

That seems to me to be the simplest most foolproof solution, if it's not actually being used for anything important!
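
Added example (not from the thread or any of its posters): because CGI hands request headers to the script as environment variables, as the post above describes, a web server's access log can be scanned for header values that start with a function definition. The log lines are constructed, and the Apache "combined" log format is an assumption.

```shell
#!/bin/sh
# Added example: flag logged header values that start with a bash function
# definition, "() {", the prefix used by the test strings in this thread.
# Assumption: Apache "combined" format, where the 4th and 6th
# double-quote-delimited fields are Referer and User-Agent.

# Constructed sample log lines (not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:13:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;} ; echo busted"
203.0.113.5 - - [25/Sep/2014:13:03:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :;} ; echo busted" "curl/7.35.0"
192.0.2.10 - - [25/Sep/2014:13:04:00 +0000] "GET /doc/func() HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
}

# Reads log lines on stdin, prints "<client> <field>" for each suspicious value.
# The match tolerates extra whitespace around "()", so it is slightly looser
# than the literal prefix. Header values containing escaped quotes would
# shift the fields; those need a full log parser.
scan_log() {
    awk -F'"' '
    function suspicious(v) { return v ~ /^[ \t]*[(][)][ \t]*[{]/ }
    {
        split($1, pre, " ")          # pre[1] is the client address
        if (suspicious($4)) print pre[1], "referer"
        if (suspicious($6)) print pre[1], "user-agent"
    }'
}

sample_log | scan_log
```

The combined format records only Referer and User-Agent, so a clean scan does not rule out attempts made through other request headers.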

Re: Vulnerability in Bash

Posted: Thu Sep 25, 2014 3:02 pm
by Ubulindy
UPDATE: ok, that all worked, however now I have another problem, I have NO grub. A menu came up, it asked about grub-install pc. It listed my drives, and had a red mark in both. When I tried to select either, it wouldn't let me do a thing. Then it kept going to another menu telling me "yes" or "no" to install grub. I couldn't proceed any further. What should I do? I tried: sudo grub-install /dev/sda and sudo grub-install /dev/sda1 and got this:

sudo grub-install /dev/sda1
[sudo] password for dementia:
Installing for i386-pc platform.
grub-install: warning: File system `ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.
dementia@dementia:~$ sudo grub-install /dev/sda
Installing for i386-pc platform.
grub-install: warning: this GPT partition label contains no BIOS Boot Partition; embedding won't be possible.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.

Re: What's this about bash?

Posted: Thu Sep 25, 2014 3:16 pm
by greenpete
My system hasn't found any updates and according to Ars T I still have a vulnerable system... http://arstechnica.com/security/2014/09 ... -in-it/#p3

I ran the test they mention and the results suggest my system is not patched, plus I haven't had an update for a while.

I have checked everything and all seems fine in regards to updates working including running 'sudo apt-get update' and 'sudo apt-get upgrade' but I see no updates at all, let alone for 'Shellshock'. :(

Re: Shellshock: Bash bug

Posted: Thu Sep 25, 2014 3:29 pm
by pe1800
I run Mint 16 KDE, for personal use, not a server, is a bug fix for that version coming up?

Re: Shellshock: Bash bug

Posted: Thu Sep 25, 2014 3:38 pm
by xenopeek
pe1800 wrote:I run Mint 16 KDE, for personal use, not a server, is a bug fix for that version coming up?
Except for Linux Mint 13 and 17, all Linux Mint versions are obsolete and have reached end of support (no fixes are coming for anything; and haven't been coming for a long while now...). You should plan to install Linux Mint 17. Read the global announcement for more information: http://forums.linuxmint.com/viewtopic.php?t=173378

Re: What's this about bash?

Posted: Thu Sep 25, 2014 3:50 pm
by BoDill
To niowluka,

Thank you very much!!! Being new at Linux, I had not clicked on the "Shield" before. Following your instructions, I had about an hour's worth of updates. Now I will likely check it daily!!!

By the way, I have seen a few versions of code, similar to the ones below, to type into a Terminal to determine if my computer is "infected". Is there anyone at Linux Mint who can tell me exactly what to type and what to look for?
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"


BoDill
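
Added example (not part of any post in this thread): a small script that runs the test string quoted above against /bin/sh and bash and states what the output means. The function names are made up for this example, and it covers only this one test string (CVE-2014-6271), not any later fix.

```shell
#!/bin/sh
# Added example: run the thread's test string against one shell binary and
# classify the result.

# Prints one of: missing | vulnerable | not-vulnerable | unknown
classify_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo missing; return 0; }
    # X holds a function definition followed by an extra command. A vulnerable
    # bash runs the extra command while importing X, before "echo completed".
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo completed' 2>/dev/null)
    case $out in
        *busted*)    echo vulnerable ;;
        *completed*) echo not-vulnerable ;;
        *)           echo unknown ;;
    esac
}

# Report /bin/sh (which may be a symlink to another shell) and bash.
report_shells() {
    for s in /bin/sh "$(command -v bash)"; do
        [ -n "$s" ] || continue
        real=$(readlink -f "$s" 2>/dev/null || echo "$s")
        echo "$s -> $real: $(classify_shell "$s")"
    done
}

report_shells
```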

Re: Shellshock bug in BASH . . . [Solved]

Posted: Thu Sep 25, 2014 5:46 pm
by mickey6
Does that mean the update has already been pushed out through the Update Manager, or do I need to do this: http://www.ubuntu.com/usn/usn-2362-1/ ?