Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Releases and other announcements.
Please don't post support questions here
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics.Please do not add support questions to threads here,use the appropriate support forum instead
Post Reply
all41
Level 16
Level 16
Posts: 6239
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Cyber attacks on Linux?

Post by all41 »

It's been patched by almost all major Linux groups, by now.
- in all cases, even before it had hit the news-wire services.
Hey flag wavers--compare that with your "patch Tuesday"
and with your anti-virus definition update and detection abilities.
libera ab tyrannis

User avatar
viking1au
Level 3
Level 3
Posts: 130
Joined: Thu Jun 09, 2011 8:03 am
Location: Warburton, Victoria; AU.
Contact:

Re: Cyber attacks on Linux?

Post by viking1au »

All this does not do anything for the complete & total crash my system had. -- Then the time spent trying to load a fresh system onto the hard drive. - It kept coming up with some sort of file error for quite some time; until I had gotten it to accept a load-up of Linux Lite. -- Then re-load Mint 17 on that & another hard drive.---The only saving grace in the middle of all this is that I had learnt the value of constantly backing up. -- Thank god for that, but still a lot of work.

The latest news from other sites seems to be that 'Bash' fixes may not be a longer term solution & more needs to be done. -Rgds.

User avatar
jimallyn
Level 18
Level 18
Posts: 8955
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: bash bug patch?

Post by jimallyn »

Ron, I think the forums search function doesn't return any results for words that have less than 4 letters. (Use Google to search the forums if you need to search for short words.) There was an update for bash in the Update Manager yesterday, and several related updates today. Run the Update Manager.
Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

mikecolley
Level 2
Level 2
Posts: 94
Joined: Fri May 20, 2011 5:41 am

[SOLVED]: BASH vulnerability - Where can I find a patch?

Post by mikecolley »

Hi All: Does anyone know of a patch or fix?

I heard about this Sep 25 on NBR on youtube. What they said at about minute 21 really cought my attention, you might want to check it out on YouTube.

I have all LM17 Cinnamon level 1 and level 2 updates applied to this 64bit system. Level 3 updates not applied. Maybe I should apply them?

My PC failed the test at: https://securityblog.redhat.com/2014/09 ... on-attack/

TMI if you google bash software bug

More Info: http://www.linux.com/news/enterprise/sy ... n-the-wild (edit added line)

Where can I track info on this? I'm looking for a fix or patch.

Thanks! - Mike Colley

System: LM17 Cinnamon flash drive created with LILI using SYSLINUX 4.04 on diskless HP8730w 2.8GHz, 8GB. Persistent install on 32Gig Sandisk, fully backed up weekly. Completely open PC (except for password protected documents). External 3 + 2 Gig USB rotating memory almost never plugged in to PC or anywhere.

P.S. Certainly some good soul who knows how will find a way to see what other easy and obvious bugs there are with the idea to get them fixed. Does anybody know of such an organized effort? I would like to read about progress.
Last edited by mikecolley on Fri Sep 26, 2014 9:07 am, edited 1 time in total.

ClutchDisc
Level 5
Level 5
Posts: 633
Joined: Wed Mar 26, 2014 12:31 pm
Location: Detroit area

Re: BASH vulnerability - Where can I find a patch?

Post by ClutchDisc »

Its a level 3 update that comes through the update manager.
Custom build
OS: Linux Mint 18.1 Cinnamon
CPU: Intel Core i5 2.70GHz quad core
RAM: 8GB DDR4
OS drive: 120GB SSD
Data drive: 2TB HDD

User avatar
sdibaja
Level 5
Level 5
Posts: 770
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: Shellshock bug in BASH . . . [Solved]

Post by sdibaja »

davparker wrote:update may not be enough, you might night to upgrade bash

To test for vulnerability, try this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it reports vulnerable, upgrade/patch like this:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Close your shell, then test again
Overconfidence suits no one. It is an Achilles heel.
that update does Not work for LMDE:
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

perhaps a patch will come out in the next day or two...
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/

User avatar
sdibaja
Level 5
Level 5
Posts: 770
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: bash bug patch?

Post by sdibaja »

FYI:
that update does Not work for LMDE:
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

perhaps a patch will come out in the next day or two...
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/

acerimusdux
Level 4
Level 4
Posts: 337
Joined: Sat Dec 26, 2009 3:36 pm

Re: Recent bash vulnerability and patch questions

Post by acerimusdux »

linx255 wrote:Would a typical router from an ISP be likely to have bash running on it?
Probably not, but I think there will be some. It's easy to imagine there will be some vulnerable router somewhere with a web based administration tool using cgi scripts, and with bash installed on the router.

In addition, since there are lots of routers which have vulnerabilities anyway, the dhclient-script (which uses bash) is a possible attack vector which, once the router running a dhcp server is compromised, could be used to then compromise an unpatched machine on that network. Here's a brief article demonstrating that one:

https://www.trustedsec.com/september-20 ... f-concept/
Replace the portion of the string “echo ‘foo'” with whatever command you want the client to execute. Keep in mind most clients will run dhcp hook scripts as root, but may not have a full environment defined in terms of PATH variables etc.
Basically that means, once you compromise a dhcp server, you can pretty much own any unpatched machine on that network.
linx255 wrote: Not technically essential, but all my automation scripts depend on bash, and they don't work with dash, so my default is set to /bin/bash.
Yes, it turns out there are still a ton of scripts which use bash. I did a quick search with grep and found 120 files beginning "#!/bin/bash" in /usr alone. Even in /bin, there are programs like gunzip, zgrep, and uncompress that are actually bash scripts. So much for that idea, it seems it likely really can't be removed without causing serious headaches.
linx255 wrote:Even though it's patched and I'm probably not affected, I still needed to investigate.
Agree. Very pleased this has been fixed quickly, but it really is a major vulnerability.

Paulm
Level 1
Level 1
Posts: 25
Joined: Tue Sep 27, 2011 6:25 am

Re: Vulnerability in Bash

Post by Paulm »

There are quite a few ways to edit grub, my favorite method is to use 'Grub-Customizer'.
When the .tar file has been extracted, read the README file for a list of dependency package required and for install instructions.
https://launchpad.net/grub-customizer

sherbert
Level 1
Level 1
Posts: 8
Joined: Tue May 11, 2010 7:57 pm

BASH vulnerability aka 'Shellshock'

Post by sherbert »

This vulnerability is news on our local FOSS board. It seems that a new bash is available to patch for it. Will this be made available to Mint users, please?
In my case, LM13. I am going to the end of the line with this LTS. It's great.
thanks
Shane H

User avatar
karlchen
Level 21
Level 21
Posts: 12790
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability aka 'Shellshock'

Post by karlchen »

sherbert wrote:It seems that a new bash is available to patch for it. Will this be made available to Mint users, please?
Ubuntu had published the patched bash versions for Ubuntu 12.04 (Mint 13) and Ubuntu 14.04 (Mint 17) even before you asked. This means, provided you are accepting the default safety levels in mintupdate, [1], [2] and [3], the patched bash should have been offered for installation you to already. All you have to do is click on the shield icon and click on [Install] in the update manager application window.

Cf. several places in this thread and in particular this one by eanfrid: Patched bash versions on Mint 13 and Mint 17
Image
Linux Mint 19.3 64-bit Cinnamon, Total Commander 9.51 64-bit
Haß gleicht einer Krankheit, dem Miserere, wo man vorne herausgibt, was eigentlich hinten wegsollte. (Goethe)

User avatar
xenopeek
Level 24
Level 24
Posts: 24723
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by xenopeek »

The versions from eanfrid's post have already been superseded (those were the incomplete patches; the complete patches are now available). Current status is in the first post of this topic.
Image

User avatar
karlchen
Level 21
Level 21
Posts: 12790
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by karlchen »

Thanks, xenopeek.

I realize that so far my systems have been patched to fix vulnerability reported as CVE 2014-6271 only. So I can still be bashed. :shock:
Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
I'm glad I'm typing this from Windows 7 SP1: no bash vulnerabilities here.

Cheers,
Karl
Image
Linux Mint 19.3 64-bit Cinnamon, Total Commander 9.51 64-bit
Haß gleicht einer Krankheit, dem Miserere, wo man vorne herausgibt, was eigentlich hinten wegsollte. (Goethe)

User avatar
xenopeek
Level 24
Level 24
Posts: 24723
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by xenopeek »

karlchen wrote:Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
Those are already in Linux Mint 13 and 17; see the changelogs linked to in the first post in this topic.
Image

User avatar
eanfrid
Level 7
Level 7
Posts: 1856
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by eanfrid »

karlchen wrote:I'm glad I'm typing this from Windows 7 SP1: no bash vulnerabilities here
Yep. Only many more others kept secret and unpatched :mrgreen:
Main desktop: Debian GNU/Linux Jessie 64bit - MATE
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
Safer than Dropbox

User avatar
karlchen
Level 21
Level 21
Posts: 12790
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by karlchen »

xenopeek wrote:
Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
Those are already in Linux Mint 13 and 17; see the changelogs linked to in the first post in this topic.
True, by today. It all depends on when exactly I received the bash updates on Ubuntu 12.04.5, Mint13, Mint 17 and Ubuntu 14.04.1.
If I interpret the timestamps correctly, then the patches for CVE-2014-7169 were built in the early morning hours of Friday, September 26th.

Code: Select all

[13:13:14] Warning: The file properties have changed:
[13:13:14]          File: /bin/bash
[13:13:14]          Current hash: ac1ddc9c4283f5bb8db64c2e5771eeb44803399f
[13:13:14]          Stored hash : 966672a53bec6b0e43137e187d9bc5dce05d8443
[13:13:14]          Current inode: 135666    Stored inode: 147738
[13:13:15]          Current file modification time: 1411695948 (26-Sep-2014 03:45:48)
[13:13:15]          Stored file modification time : 1398292992 (24-Apr-2014 00:43:12)
So the only system where I am 100% sure it has received bash 4.3-7ubuntu1.3 is Trusty Tahr, where I am typing this post.
All my other systems were updated from Tuesday to Thursday. So they cannot have received the patch for CVE-2014-7169, yet.

[Added 23:15]
All right. Mint 13 x64 has been re-patched, too. Re-patched, because it already had got the half-patched bash version.

Code: Select all

Ubuntu 12.04.5 x64  - Mint 13 x64
==================================
bash (4.2-2ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for CVE-2014-6271
    - debian/patches/CVE-2014-7169.diff: fix logic in bash/parse.y.
    - CVE-2014-7169

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Sep 2014 02:11:10 -0400

[22:58:04] Warning: The file properties have changed:
[22:58:04]          File: /bin/bash
[22:58:04]          Current hash: 4e5d726270d6a129bf6e7a03798303d80246e56c
[22:58:04]          Stored hash : 9eeed02173db163b013933eff3b8c6aa3697f67f
[22:58:04]          Current inode: 1048653    Stored inode: 1048613
[22:58:04]          Current file modification time: 1411627847 (25-Sep-2014 08:50:47)
[22:58:04]          Stored file modification time : 1411418372 (22-Sep-2014 22:39:32)
Image
Linux Mint 19.3 64-bit Cinnamon, Total Commander 9.51 64-bit
Haß gleicht einer Krankheit, dem Miserere, wo man vorne herausgibt, was eigentlich hinten wegsollte. (Goethe)

mike acker
Level 6
Level 6
Posts: 1495
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by mike acker »

I read this explanation on ZD Net this morning.

My impression is: this is more an administrative error than it is a software bug. The news media, being what it is, is likely to give this the drive-by (i.e. 15 second version) of the "bug". From what I see I really don't see that this should be considered a software bug as it appears to be more like someone left the back door unlocked.

Administrative errors:
(1) running with root authority
(2) failure to "sanitize" inputs
¡Viva la Resistencia!

mikecolley
Level 2
Level 2
Posts: 94
Joined: Fri May 20, 2011 5:41 am

[SOLVED]: Re: BASH vulnerability a.k.a. 'Shellshock'

Post by mikecolley »

HI All:

I loaded all level 1 and level 2 updates on my PC and ran the test and got:
***** FAIL *****
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
***** FAIL *****

I loaded all level 3 updates and ran the same test and got:
***** PASS *****
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
***** PASS *****

It is fixed for me. Thank You All!

System: LM17 Cinnamon flash drive created with LILI using SYSLINUX 4.04 on diskless HP8730w 2.8GHz, 8GB. Persistent install on 32Gig Sandisk, fully backed up weekly. Completely open PC (except for password protected documents). External 3 + 2 Gig USB rotating memory almost never plugged in to PC or anywhere.

anonymous9001
Level 2
Level 2
Posts: 59
Joined: Fri Sep 05, 2014 5:51 pm

should i be worried? CVE-2014-6271 remote exe w/ bash

Post by anonymous9001 »

https://securityblog.redhat.com/2014/09 ... on-attack/
I really don't know much about bash. Is this a problem for us Mint users? Aparently, the patch can be bypassed as well.

tamone
Level 1
Level 1
Posts: 1
Joined: Fri Sep 26, 2014 10:20 am

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by tamone »

Hello,

I am using Linux Mint Debian Edition and I could successfully upgrade my bash with your recipe of adding ftp.debian.org sid... into sources.list.
But I did not do a complete upgrade to avoid disturbing the distro based on jessie. I only did a

Code: Select all

 apt-get install bash 
after the update. Then I removed the repository sid. and it worked. Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update ?

Thanks

Post Reply

Return to “Releases & Announcements”