Main Edition: BASH vulnerability a.k.a. 'Shellshock'

eanfrid

Re: Shell Shock vulnerability

Post by eanfrid »

Looks like you are running an unsupported LM release. LM13 and LM17 already provide patched versions.
nomko

Re: Recent bash vulnerability and patch questions

Post by nomko »

Already asked and answered:

http://forum.linuxmint.com/viewtopic.php?f=200&t=178897
http://forum.linuxmint.com/viewtopic.php?f=6&t=178925


Next time, please search the forum first for related topics before posting the same question/issue/problem again.
eanfrid

Re: Recent bash vulnerability and patch questions

Post by eanfrid »

Debian and Ubuntu use /bin/sh, symlinked to /bin/dash (not bash) for system scripts. Unless you use user/custom or alternate system scripts using /bin/bash, you were not much at risk. I don't think SELinux would actually be useful there. It is overrated regarding this kind of threat.
jonniosaurus

Re: Shell Shock vulnerability

Post by jonniosaurus »

I'm on 16
eanfrid

Re: Shell Shock vulnerability

Post by eanfrid »

Then you will never again get bug fixes or security updates...
http://forums.linuxmint.com/viewtopic.p ... 3&t=173378
linx255

Re: Recent bash vulnerability and patch questions

Post by linx255 »

@nomko: I don't think you read my post. My questions were not answered on those links which I already visited prior to posting. Yes, I know it has already been patched... My questions remain.

@eanfrid: I use /bin/bash for all my scripts, never dash. I have switched from dash to bash because I like its functionality and speed doesn't matter.

Even though it has been patched I like to know more about the topic than what I've seen on forums and news articles so far, and my questions are about the past, not what is now. Best!
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash
nomko

Re: Recent bash vulnerability and patch questions

Post by nomko »

Just read 1 or 2 things about this so-called "vulnerability". IMHO this is a minor issue blown up to unscalable proportions.

First thing:
It looks like it is written by somebody who does not understand the functioning and essence of a UNIX system. He writes about bash like it is a Linux/Apple issue, but it is not. It's about bash as an application that does not run only on Linux or Apple, but on many more systems.

Secondly, this so-called threat isn't a threat like some Windows virus. This is an application leak which can only be harmful under your own account. Nevertheless anyone must first gain access to that account and deliberately and knowingly download such script and run it. And after running that script, it will only harm your account and not the entire installation.
This issue is especially dangerous as there are many possible ways Bash can be called by an application
Yes, there are many ways: php, perl and many other script languages.
could leave systems running those operating systems open to exploitation by specially crafted attacks
Special scripts which need to be downloaded deliberately and knowingly. Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?

Another crappy story that has been blown up out of proportion....
ithoughtyouhadit

Shellshock bug in BASH . . . [Solved]

Post by ithoughtyouhadit »

Well this is embarrassing, what am I supposed to tell my friends?
I've been telling them how perfect it is and how it's almost immune to viruses.

http://www.bbc.co.uk/news/technology-29361794
1.618

Re: Shellshock bug in BASH . . .

Post by 1.618 »

Well according to this the issue can be corrected

http://www.ubuntu.com/usn/usn-2362-1/
ktheking

Re: Shell Shock vulnerability

Post by ktheking »

LM13 and LM17 already provide patched versions.
Where did you get this info? I doubt that's the case.
This is about this bug, no?: http://www.csoonline.com/article/268726 ... -6271.html
ithoughtyouhadit

Re: Shellshock bug in BASH . . .

Post by ithoughtyouhadit »

Brilliant, I'll make sure I'm updated... thanks for that. :-)
Pilosopong Tasyo

Re: Shellshock bug in BASH . . .

Post by Pilosopong Tasyo »

ithoughtyouhadit wrote:Well this is embarrassing, what am I supposed to tell my friends?
Tell them it's already patched up. All they have to do is install security updates from their update manager. :wink:

I have a gut feeling fear-mongers will blow this issue out of proportion in the next several days. The patch has already been issued hours ago. I wonder if these tech/news/blog sites are going to report about the patch instead of feasting on this media circus. :lol:
eanfrid

Re: Shell Shock vulnerability

Post by eanfrid »

For LM17: v 4.3-7ubuntu1.1
For LM13: v 4.2-2ubuntu2.2
Habitual

Re: Shellshock bug in BASH . . . [Solved]

Post by Habitual »

ithoughtyouhadit wrote:I've been telling them how perfect it is and how it's almost immune to viruses.
It's not a virus.
Linux is NOT immune to vulnerabilities, then you tell them the difference between a virus and a vulnerability.
Then tell them how they didn't have to wait for "Patch Tuesday" to get a fix.
Makes you look smart. ;)
linx255

Re: Recent bash vulnerability and patch questions

Post by linx255 »

Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?...
Another crappy story that has been blown up out of proportion....
Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.
karlchen

Re: What's this about bash?

Post by karlchen »

[Info]
Mint 13 - Updates received today

bash (4.2-2ubuntu2.2) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect function parsing
    - debian/patches/CVE-2014-6271.diff: fix function parsing in
      bash/builtins/common.h, bash/builtins/evalstring.c, bash/variables.c.
    - CVE-2014-6271

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Sep 2014 15:31:07 -0400

Commit Log for Thu Sep 25 16:37:56 2014
The following packages have been updated:
bash (4.2-2ubuntu2.1) to 4.2-2ubuntu2.2
libnss3 (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1
libnss3-1d (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1

I know I received the corresponding bash update for Mint 17 last night. Cannot post the software package changelog at this point in time because I am sitting in front of my Mint 13 office machine.

Don't panic. Update. Be happy.

Karl
pessimizer

Re: What's this about bash?

Post by pessimizer »

Just to update on this:

1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)

2) The patch doesn't work.

3) Exploits are in the wild, right now.

Everything you need to know about the Shellshock Bash bug: http://www.troyhunt.com/2014/09/everyth ... about.html
CVE-2014-7169: Bash Fix Incomplete, Still Exploitable: http://seclists.org/oss-sec/2014/q3/685
Bash 'shellshock' bug is wormable: http://blog.erratasec.com/2014/09/bash- ... mable.html
ShellShock exploited in the wild: kernel exploit with CnC component: https://gist.github.com/anonymous/929d622f3b36b00c0be1
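The version check behind karlchen's changelog paste and pessimizer's point that the CVE-2014-6271 patch was incomplete (CVE-2014-7169), as an added example that is not from this thread or from Ubuntu's tooling: it ports dpkg's version ordering to Python, parses the changelog header, and answers whether an installed bash package is at or past the version that names a given CVE. CHANGELOG is a constructed excerpt of karlchen's Mint 13 entry; the function names are my own.

```python
import re
from itertools import zip_longest
# Constructed from the changelog entry karlchen pasted for Mint 13 (precise); only the lines the parser needs
CHANGELOG = """bash (4.2-2ubuntu2.2) precise-security; urgency=medium
  * SECURITY UPDATE: incorrect function parsing
    - CVE-2014-6271
"""

def _order(c):
    # dpkg character weights: '~' sorts before end-of-string, letters before every other symbol
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): walk alternating non-digit runs (char by char, a missing
    # char weighs 0) and digit runs (numerically), returning the first difference found
    pairs_a, pairs_b = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    for (sa, na), (sb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = (_order(ca) if ca else 0) - (_order(cb) if cb else 0)
            if d:
                return d
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
    return 0

def deb_version_cmp(v1, v2):
    """Negative if v1 < v2, 0 if equal, positive if v1 > v2 (epoch, upstream, then Debian revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, "0"
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_changelog(text):
    # Header "pkg (version) suite; urgency=..." plus every CVE id the entry mentions
    m = re.search(r"^(\S+) \(([^)]+)\) (\S+);", text, re.M)
    return {"package": m.group(1), "version": m.group(2), "suite": m.group(3),
            "cves": sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", text)))}

def has_fix(installed_version, entry, cve):
    """True only if the installed package is at or past the entry's version AND the entry names the CVE."""
    return cve in entry["cves"] and deb_version_cmp(installed_version, entry["version"]) >= 0
```

Feeding the output of `dpkg-query -W -f='${Version}' bash` into has_fix with this entry shows why a box at 4.2-2ubuntu2.2 is covered for CVE-2014-6271 but cannot be assumed covered for CVE-2014-7169, which this entry never names.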
niowluka

Re: Recent bash vulnerability and patch questions

Post by niowluka »

linx255 wrote:
Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?...
Another crappy story that has been blown up out of proportion....
Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.
In SSH I think it's a matter of executing a command similar to the test one. According to RedHat one can bypass the SSH command restrictions this way. Of course, someone would have to login first, so 'duh!'.

The httpd exploit has something to do with cgi scripts, so that's beyond me.

Anyway, no known exploits exist, and the only people who should be worried are most likely not on this forum, or have anything to do with Mint for that matter...
niowluka

Re: What's this about bash?

Post by niowluka »

pessimizer wrote: 1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)

2) The patch doesn't work.

3) Exploits are in the wild, right now.
:lol: