Main Edition: BASH vulnerability a.k.a. 'Shellshock'

TheWebaholic
Level 1
Posts: 21
Joined: Sun Aug 31, 2014 10:04 am
Location: Norwich, UK

Re: What's this about bash?

Post by TheWebaholic »

Thanks all, I've got the fix for the bash vulnerability. I didn't realise until today that you have to manually check for updates and apply them - I stupidly assumed that they would be applied automatically (like Windows updates)! I've only been using Linux Mint on this computer for about 3 weeks though. Oh well, at least I know now, so I will check for updates more often from now on. :D

oldgranola
Level 4
Posts: 462
Joined: Fri Sep 05, 2014 1:39 am

Re: Shellshock: Bash bug

Post by oldgranola »

So I've seen some commentary that the initial patch(S) did not completely void the vulnerability particularly the ability to overwrite files and that they are still testing various fixes for effectiveness and to see what OTHER vulnerabilities or problems their fix approaches may expose (via oss-sec list seclist.org). So I would expect there will be more updates/patches coming in short order. It would be nice if there were on this forum a digest of developments on this subject to make it easier to keep up.
comadore, pcDOS, hpux, solaris, vms-vax ....blah blah blah..
Yet I'm still a fn nooob

LouisR
Level 1
Posts: 3
Joined: Sun Oct 13, 2013 2:30 am

Re: Shellshock bug in BASH . . . [Solved]

Post by LouisR »

The update has been in all appearances pushed out: I updated my system earlier today before even hearing about the bug, and I'm already on the updated package.

How to tell for sure? Open a terminal and type:

Code:

apt show bash

This will make apt show you the information it can on the bash package, including the version number; 4.3-7ubuntu1.1 is the updated one from yesterday.

acerimusdux
Level 4
Posts: 337
Joined: Sat Dec 26, 2009 3:36 pm

Re: What's this about bash?

Post by acerimusdux »

BoDill wrote: By the way, I have seen a few versions of code, similar to the ones below, to type into a Terminal to determine if my computer is "infected". Is there anyone at Linux Mint who can tell me exactly what to type and what to look for?
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"


BoDill

There are going to be a number of ways to check it. The "env" command is one way. If you look at how that command works, typing "man env" tells you:

Code:

SYNOPSIS
       env [OPTION]... [-] [NAME=VALUE]... [COMMAND [ARG]...]

DESCRIPTION
       Set each NAME to VALUE in the environment and run COMMAND.

So this is supposed to allow you to run a command. In this case, the "echo completed" is the COMMAND that is supposed to run, so you should see "completed". The bug though occurs if a command can be run from setting an environment variable. In an updated system, you shouldn't see "busted" since that is part of the NAME=VALUE assignment of a variable.

Rather than use "env" I think it may be more clear to demonstrate the problem in this way (the $ is the prompt):

Code:

     $ export y='() { :;}; echo vulnerable'
     $ echo $y
() { :;}; echo vulnerable
     $ bash -c "echo test"
bash: warning: y: ignoring function definition attempt
bash: error importing function definition for `y'
test

Here I am setting the variable "y" using the "export" command. The first part with the parentheses and brackets is just an empty function definition. The "echo vulnerable" is the command being hidden in this variable that shouldn't execute.

Then I use "echo $y" just to demonstrate that the variable has in fact been set. This only displays the contents, it doesn't execute it.

Then I can run any command at all using bash -c. In a vulnerable system, the "echo vulnerable" command will execute. My system has been updated, so instead I get an error when bash reads the misformatted environment variable; it doesn't execute the code.

As a practical matter, for most desktop users, it will be sufficient to make sure your updates are installed. The greater risk might be if you have a router that is vulnerable, and allowing remote access. If your internet connection is coming in through a router, check to see what your WAN address is. Usually there is a local LAN address like 192.168.257.257 (this is a fake address, 257 is not a valid value), and then a WAN address like 69.257.257.257 (also fake). The latter address is also the one websites see when you visit them so it will list as your IP address if you visit:

http://www.stayinvisible.com/

To scan this address and see if there are any ports exposed to the public internet run a scan on this address:

Code:

 $ sudo apt-get install nmap
 $ sudo nmap 69.257.257.257

If you have no open ports, there is really nothing there for a remote attacker to attack. Unless you need to run a webserver, or need remote access, this is your safest setup. Then you really only need to worry about things like browser security (use a password manager!).

mickey6
Level 1
Posts: 23
Joined: Sun Jun 29, 2014 2:13 pm

Re: Shellshock bug in BASH . . . [Solved]

Post by mickey6 »

LouisR wrote: The update has been in all appearances pushed out: I updated my system earlier today before even hearing about the bug, and I'm already on the updated package.

How to tell for sure? Open a terminal and type:

Code:

apt show bash

This will make apt show you the information it can on the bash package, including the version number; 4.3-7ubuntu1.1 is the updated one from yesterday.

Excellent! Thank you!

davparker
Level 1
Posts: 2
Joined: Fri Sep 05, 2014 1:39 am

Re: Shellshock bug in BASH . . . [Solved]

Post by davparker »

Update may not be enough; you might need to upgrade bash.

To test for vulnerability, try this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it reports vulnerable, upgrade/patch like this:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Close your shell, then test again
Overconfidence suits no one. It is an Achilles heel.

linx255
Level 5
Posts: 682
Joined: Mon Mar 17, 2014 12:43 am

Re: Recent bash vulnerability and patch questions

Post by linx255 »

There are some desktop users who are unaware they are even running a web-server (usually because some application installed one as a dependency). If you are running no services that are accessible remotely, and/or a good firewall that prevents outside access to any services that are running on open ports, then you would be pretty well protected.
I have Apache http server ( apache2) installed, though it is unchecked in 'Service Settings'. I don't think I have any programs that run Apache or other http servers but I can't rule it out yet. I tend to remove a lot of default packages I don't use. My router says there are no open ports, and my ufw policies have all ports closed.
a number of routers may be vulnerable
Would a typical router from an ISP be likely to have bash running on it? I've never tried to SSH into a router to see what's going on inside. Guess I have no way of knowing if the patch made it to the bash in my router, huh? ( Even if I have nothing to worry about I'm still curious. )
The main thing is that Mint is not especially vulnerable, as it does not use bash as its default shell. However, bash is still apparently considered an essential package.
Not technically essential, but all my automation scripts depend on bash, and they don't work with dash, so my default is set to /bin/bash. Without my scripts I'd be spending hours manually performing tasks and with very limited ability. But nice to know I can remove bash if needed!


Even though it's patched and I'm probably not affected, I still needed to investigate.
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash

LouisR
Level 1
Posts: 3
Joined: Sun Oct 13, 2013 2:30 am

Re: Shellshock bug in BASH . . . [Solved]

Post by LouisR »

Just got version 4.3-7ubuntu1.2

acw89
Level 2
Posts: 81
Joined: Wed May 04, 2011 6:29 pm

Re: Shellshock bug in BASH . . . [Solved]

Post by acw89 »

davparker ...

So THIS

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

Would be ok ?.. (it did not change the variable)

Thanks
--
Purrs,

-Desert Catmom >^..^<

Linux User # 482905

rtX
Level 1
Posts: 37
Joined: Sun Oct 14, 2012 6:05 am

Re: What's this about bash?

Post by rtX »

I'm running LM16 on two machines and LM13 on another. I tried updating one of the LM16 machines and there are no updates available. I've not seen any updates for this machine for quite a few weeks. Will older versions get the update to fix the bash issue or do I have to upgrade to 17.1 to get a bash update? The recommended upgrade route for LM is not one I favour - it's a bit of a job and a half, especially if you have more than one user, so my hope is that I don't need to upgrade and that an update will be available.

RonC

bash bug patch?

Post by RonC »

Hmmm ... searching the entire forum for bash bug gives no hits ...

A full Internet search gives no relevant information for Linux Mint.

:shock: So, could someone please advise? Can a utility that applies a patch for this vulnerability be added to the repo?

RonC

Re: bash bug patch?

Post by RonC »

The patch is accomplished simply by making sure you've updated to a recent version of bash.

You can both check if your Mint installation is susceptible, here, and if it is, you can fix it.

Yes, this is for Ubuntu, but after installing the patched version of bash, my Mint installation 'passed the test'.

Any information, as to whether there's something available that's Mint specific, please 'chime in'. I imagine it would simply be a matter of performing the update from a different repo, if there's anything wrong with the one from Ubuntu?

Yogidaddy
Level 1
Posts: 2
Joined: Fri Jul 18, 2014 2:56 am

Re: bash bug patch?

Post by Yogidaddy »

RonC:
The posts for the Bashbug are under Shellshock in the Forum. I think the response was fast to fix the bug but they are not done yet and more updates will be coming. I found this interesting:
using "Bash -version" in a terminal says that the current version of bash is 4.3.11(1) which didn't change when the new mint bash update was applied. Strange.
using "apt show bash" yields the Ubuntu format of bash version which is " Version: 4.3-7ubuntu1.1"
Two commands with different outputs. It makes keeping up to date very difficult.
Ubuntu has promised another Bash update soon. I hope they sort out the version number thing so I can tell if I have the latest and greatest.
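
Added example, not part of any post in this thread: the env self-test explained in acerimusdux's post, wrapped in a script that also prints the upstream version from "bash --version" next to the package version from dpkg, the two numbers Yogidaddy compares above. The marker string and the function names are made up for this example, and the package line is only printed where dpkg-query exists.

```shell
#!/bin/sh
# Added example: behavioural Shellshock self-test for a local shell binary.
# MARKER and all function names are made up for this example.
MARKER="SHELLSHOCK_MARKER_$$"

# Decide from the probe's captured stdout whether the trailing command ran.
# $1 = marker string, $2 = captured stdout
classify_probe_output() {
    case "$2" in
        *"$1"*)             echo "vulnerable" ;;      # hidden command executed
        *"probe-finished"*) echo "not vulnerable" ;;  # only the real command ran
        *)                  echo "inconclusive" ;;    # shell did not run at all
    esac
}

# Run the probe against one shell binary ($1) in an otherwise empty
# environment, so nothing but the test variable can influence the result.
probe_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "inconclusive"; return 0; }
    out=$(env -i x="() { :;}; echo $MARKER" "$shell_path" -c 'echo probe-finished' 2>/dev/null)
    classify_probe_output "$MARKER" "$out"
}

# Print binary path, upstream version, package version and the test result.
report() {
    bash_path=$(command -v bash) || { echo "bash not installed"; return 0; }
    echo "binary:   $bash_path"
    echo "upstream: $("$bash_path" --version | head -n 1)"
    if command -v dpkg-query >/dev/null 2>&1; then
        echo "package:  $(dpkg-query -W -f='${Version}' bash 2>/dev/null)"
    fi
    echo "result:   $(probe_shell "$bash_path")"
}

report
```

The "result" line reflects how the installed binary actually behaves, so it stays meaningful even when the two version strings are hard to compare.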

lexon
Level 6
Posts: 1123
Joined: Sat Jan 31, 2009 10:53 pm
Location: MA USA

‘Shellshock’ Software Bug in Bash

Post by lexon »

Might not be anything but I will let you experts have fun with this.

http://www.nytimes.com/2014/09/26/techn ... .html?_r=0

L
Lindows, Linspire, Freespire, Ubuntu, Mint 15 Cinnamon, Mint 16 XFCE, Mint 17 Cinnamon 64 bit. MInt 18 64 bit Cinnamon.

Yogidaddy
Level 1
Posts: 2
Joined: Fri Jul 18, 2014 2:56 am

Re: Shellshock bug in BASH . . . [Solved]

Post by Yogidaddy »

LouisR
The first round of Bash fixes is done but Ubuntu says there is more to do. I find it unsettling that when I checked my Bash version using " bash -version" I got 4.3.11(1) both before and after the Bash fix. Strange.
Using "apt show bash" I got Version: 4.3-7ubuntu1.1
This makes it hard to track the version of bash and to know if I have the latest and greatest.

Nilla Wafer
Level 3
Posts: 149
Joined: Sun Jun 30, 2013 6:11 pm

Re: ‘Shellshock’ Software Bug in Bash

Post by Nilla Wafer »

Patched by updating

~nilla

viking1au
Level 3
Posts: 130
Joined: Thu Jun 09, 2011 8:03 am
Location: Warburton, Victoria; AU.

Cyber attacks on Linux?

Post by viking1au »

The news this morning tells of cyber attacks on both Linux and Mac. The news report claimed software by name of Shellshocked, which attacks Linux & Mac through the 'bash' files.
Maybe this is the very thing that recently took out my fresh (2 week old) install of Mint 17. -- Totally wiped it out in one hit, at start-up. ! It was difficult for some time to do a fresh install on the same HDD. -- Had to install another system first, then retry Linux.
The news report suggested that attempts to protect the system via the 'bash' files may not work. I notice that the updates of this morning had a 575kb 'bash' file. - It may need more than this.(?)
So what are the developers at Mint etc etc doing about this? - Will we get (solid) antivir software or not? --
Let's hope this gets better response than my last post which, as one reply suggested, would basically be ignored or not obtain a satisfactory solution.--- Rgds all.

jerz
Level 1
Posts: 1
Joined: Thu Sep 25, 2014 9:17 pm

Re: Vulnerability in Bash

Post by jerz »

Paulm wrote: Yes, In software Sources add < deb http://ftp.debian.org/debian sid main contrib non-free > update the cache.
In the terminal (not the Software source manager) < sudo apt-get update > then < sudo apt-get update >
You will find there are a lot of upgrades and some that won't install. Say yes to the updates and yes when it comes to the 'bash change questions'
Then when the upgrades have been installed, untick the 'ftp sid main' and update the cache and again in the terminal < sudo apt-get update >
Good luck it worked for me, The sid version should now be 4.3-9.1

After using

Code:

sudo apt-get update

do not do

Code:

sudo apt-get upgrade

as it may break some packages. Instead, use

Code:

sudo apt-get install bash

NOTE: Be sure to not overwrite /etc/skel/.bashrc or /etc/bash.bashrc if the update asks. This is because you would then be overwriting your bash settings from LMDE's default with the one provided by the sid repository. This may have unintended consequences.
Afterwards, go ahead and remove the sid repo.

viking1au
Level 3
Posts: 130
Joined: Thu Jun 09, 2011 8:03 am
Location: Warburton, Victoria; AU.

Re: Cyber attacks on Linux?

Post by viking1au »

While the powers that be on this site are still thinking about it, I became a member of the Fedora forums site, logged in & got the info pasted below. -- Nice to see someone is on top of their game & seem to be taking steps to 'plug the hole'. --Rgds:
Bug Fix
Doc Text:
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Pierre
Level 20
Posts: 10596
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Cyber attacks on Linux?

Post by Pierre »

it's been patched by almost all major Linux groups, by now.
- in all cases, even before it had hit the news-wire services.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
