Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Releases and other announcements.
Please don't post support questions here
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics.Please do not add support questions to threads here,use the appropriate support forum instead
User avatar
Ubulindy
Level 2
Level 2
Posts: 69
Joined: Sun Mar 02, 2014 6:27 pm
Location: 127.0.0.1

Re: Vulnerability in Bash

Post by Ubulindy »

I added this: deb http://ftp.us.debian.org/debian sid main I updated the cache and it failed, got nothing but errors. Is that not correct?
“When the government’s boot is on your throat, whether it is a left boot or a right boot is of no consequence."
pessimizer
Level 1
Level 1
Posts: 2
Joined: Thu Sep 25, 2014 10:49 am

Re: Recent bash vulnerability and patch questions

Post by pessimizer »

Short thread, lots of bad information.

Bug is bad, and still unpatched (the patch was bad.) Things running on mod_php, passenger, etc. through Apache and nginx are generally safe, and in Debian, you would have to have changed /bin/sh to bash manually or have applications running that exec out to scripts with a bash shebang rather than sh (pretty common, but rarely happens in Debian upstream) for normal webapps to be vulnerable. Unless you're omniscient, you probably have no idea if this happens somewhere in a pipeline that is accepting input from the internet.

If you have some app that puts a web administration server on a weird port (embedded webserver), make sure you're not forwarding it to your firewall for the time being. There's really nothing else to do about it at this point.

http://www.troyhunt.com/2014/09/everyth ... about.html

http://forum.linuxmint.com/viewtopic.ph ... 25#p928017
Paulm
Level 1
Level 1
Posts: 25
Joined: Tue Sep 27, 2011 6:25 am

Re: Vulnerability in Bash

Post by Paulm »

Many thanks killer de bug your Bash update idear using sid worked super, now have 4.3-9.1 8)
User avatar
Ubulindy
Level 2
Level 2
Posts: 69
Joined: Sun Mar 02, 2014 6:27 pm
Location: 127.0.0.1

Re: Vulnerability in Bash

Post by Ubulindy »

Paulm, Can you post to me what entry you added? I'm getting nothing but failures. Thanks

Jees oh man I have added and then removed every sid repo I can find and I get errors or 404 on all of them. Getting aggravated here :(
Last edited by Ubulindy on Thu Sep 25, 2014 3:02 pm, edited 2 times in total.
“When the government’s boot is on your throat, whether it is a left boot or a right boot is of no consequence."
BoDill
Level 4
Level 4
Posts: 402
Joined: Thu Apr 10, 2014 4:31 pm
Location: Cortland, NY

Re: What's this about bash?

Post by BoDill »

Hello,

I just ried to find the "Update Manager" mentioned by "Amasa" above, but do not know how to find it.

Can someone help me? You must be rather specific, because I'm obviously NOT a computer whiz.

Also, anything else you can tell me about combating this virus will be greatly apperciated.

Thank you,
BoDill,
Linux Mint 17
Desktop: OptiPlex-990 ; Linux Mint 19.1 Tessa
Laptop: Dell Latitude E6420; Linux Mint 19.1 Tessa
Laptop 2: HP Pavilion g7; Linux Mint 20 "Ulyana" Cinnamon
nomko

Re: Recent bash vulnerability and patch questions

Post by nomko »

Anyway, i've tersted my system and i get this:

Code: Select all

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
So according to that scaremongering crappy article i'm save....
niowluka
Level 5
Level 5
Posts: 729
Joined: Tue May 27, 2014 6:28 pm
Location: Krakow, Poland

Re: What's this about bash?

Post by niowluka »

BoDill wrote: Also, anything else you can tell me about combating this virus will be greatly apperciated.
It's not a virus, it's a vulnerability. And you don't need to combat it. Unless you're running an ultra secure webserver or something similar you have nothing to worry about.

Chill-out, grab a coffee and install the update:
Update Manager can be launched by the clicking on the shield-shaped icon in your taskbar. You should really be familiar with it, otherwise you have not been updating your system. If after launching you can't see any updates click 'refresh'. bash should show as one of the available updates. Install.
Mint 17 Openbox (MATE) 64bit | Linux 4.1.6 (Vanilla)

Gigabyte GA-880GA-UD3H | AMD Phenom II X4 965 3.4Ghz | G.Skill 8GB DDR3-1600 RipjawsX, F3-12800CL8D-8GBXM | MSI R7 260X 2048 MB GDDR5 OC
User avatar
acw89
Level 2
Level 2
Posts: 81
Joined: Wed May 04, 2011 6:29 pm

Re: Shellshock bug in BASH . . . [Solved]

Post by acw89 »

1.618 -- Thanks for the info ... just fixed my Linux Mint up as well.

Love not having to wait like with Windows ..

Unix -- Live FREE or DIE
--
Purrs,

-Desert Catmom >^..^<

Linux User # 482905
Paulm
Level 1
Level 1
Posts: 25
Joined: Tue Sep 27, 2011 6:25 am

Re: Vulnerability in Bash

Post by Paulm »

Yes, In software Sources add < deb http://ftp.debian.org/debian sid main contrib non-free > update the cache.
In the terminal (not the Software source manager) < sudo apt-get update > then < sudo apt-get update >
You will find there are a lot of upgrades and some that won't install. Say yes to the updates and yes when it come to the 'bash change questions'
Then when the upgrades have been installed, untick the 'ftp sid main' and update the cache and again in the terminal < sudo apt-get update >
Good luck it worked for me, The sid version should now be 4.3-9.1
User avatar
xenopeek
Level 24
Level 24
Posts: 24855
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Shellshock: Bash bug

Post by xenopeek »

For details, check the RedHat information on this: https://securityblog.redhat.com/2014/09 ... on-attack/

On Linux Mint 17 you already have the first patch for bash available through Update Manager (version 4.3-7ubuntu1.1 includes the CVE-2014-6271 patch; changelog). Same for Linux Mint 13 (version 4.2-2ubuntu2.2; changelog).

Everywhere it is being discussed the Ubuntu bash maintainer has already piped in he is working on the second part of the patch. The fix for this will arrive on Linux Mint 13 and 17 through Update Manager once available in Ubuntu.

If you're using Linux Mint as a home server, or as a public server, you might want to take additional steps now. For example there are mod_security rules you can use to catch attempts to exploit this bug on your Apache install. Home users are less susceptible to the bug being exploited, as they're not running services on Internet reachable ports.

Edit: patch for LMDE is underway. You could download the complete patch already from Debian unstable if you are using LMDE as a server: https://packages.debian.org/source/unstable/bash
Image
Habitual
Level 13
Level 13
Posts: 4863
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: Recent bash vulnerability and patch questions

Post by Habitual »

nomko wrote:So according to that scaremongering crappy article i'm save....

Code: Select all

apt-get changelog bash | less
Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs ... /changelog) [123 kB]
bash (4.3-7ubuntu1.1) trusty-security; urgency=medium

* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271
Habitual
Level 13
Level 13
Posts: 4863
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: Shellshock: Bash bug

Post by Habitual »

Code: Select all

apt-get changelog bash | less
Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs ... /changelog) [123 kB]
bash (4.3-7ubuntu1.1) trusty-security; urgency=medium

* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271

-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 22 Sep 2014 15:26:16 -0400

Code: Select all

System:    Host: my-kungfu Kernel: 3.13.0-24-generic x86_64 (64 bit) Desktop: Xfce 4.11.6
           Distro: Linux Mint 17 Qiana
User avatar
DrHu
Level 17
Level 17
Posts: 7523
Joined: Wed Jun 17, 2009 8:20 pm

Re: Shellshock: Bash bug

Post by DrHu »

About the BBC version of the story
  • "To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up," he said.
    "This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK.
No-one: commercial OS or applications, or OSS (same) is doing that, nor likely ever intends to

I also looked at the RED HAT security info (and the knowledge base link), and it is as said not as click-bait as the BBC article.
--to me it looks like that older bug SQL injection as far as how it may affect users or be handled by the developer(s) of BASH..

And I didn't see anyone suggest using another shell such as Korn or C-shell; or perhaps some other choice
https://en.wikipedia.org/wiki/Unix_shell
--perhaps they have the same issue and no-one has thought to tell us yet..
acerimusdux
Level 4
Level 4
Posts: 343
Joined: Sat Dec 26, 2009 3:36 pm

Re: Recent bash vulnerability and patch questions

Post by acerimusdux »

linx255 wrote:1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation" ? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?
It's nefarious in the sense that the attacker can essentially write his own function and inject it via a value stored in an environement variable, so if the attacker is nefarious, then the function is likely to be.

An arbitrary environement variable isn't neccessarily nefarious, but they shouldn't be so easily executed as code. A function being defined and saved in a variable isn't bad either, as something still has to call it. But that's not the case here. The problem here is that code can be inserted after the definition and it will execute (without the fuction having to be called).
linx255 wrote:2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? ( I.e. upon boot, or running Update Manager, or some other program )
That depends on how observant you are about what is running on your system. There are some desktop users who are unaware they are even running a web-server (usually because some application installed one as a dependency). If you are running no services that are accessible remotely, and/or a good firewall that prevents outside access to any services that are running on open ports, then you would be pretty well protected. So this is more a risk to anyone who is running a web-server (especially with cgi scripting), or using ssh for remote access, or allowing any other form of remote access. But there has been some talk that even some dhcp clients may be vulnerable, something lots of desktop users might have running. And, it appears even if your Mint desktop is safe, a number of routers may be vulnerable; if an attacker can own your router, they can easily redirect traffic, capture traffic (including passwords), spoof secure banking sites, etc.
linx255 wrote:1) 3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.
A key point here is no authorization necessarily required for code injection. Anything that can save something into an environment variable, can cause code to be executed whenever bash is run (as it reads the environment variables). For example, my understanding is that CGI parses headers as environment variables. So your website doesn't even need to be allowing form input for example, the attacker can insert the attack right into an http request header.

SE Linux properly configured may provide some protection against some possible commands being executed, but there are likely lots of possible attacks which it still wouldn't prevent.
linx255 wrote: 4) Should I be asking different questions here?

Thanks
Look like good questions to me.

The main thing is that Mint is not especially vulnerable, as it does not use bash as it's default shell. However, bash is still apparently considered an essential package. For example:

Code: Select all

sudo apt-get remove bash
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  bash bash-completion inxi mint-meta-core mint-meta-mate
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  bash
0 upgraded, 0 newly installed, 5 to remove and 39 not upgraded.
After this operation, 2,924 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
 ?] 
Abort.
I'm tempted to try going ahead and removing it anyway, as I suspect it may not really be that essential, but I figured I'd better get this post written before I crash my machine. :)

But that's the question I would ask, is it safe to simply remove bash?

That seems to me to be the simplest most foolproof solution, if it's not actually being used for anything important!
User avatar
Ubulindy
Level 2
Level 2
Posts: 69
Joined: Sun Mar 02, 2014 6:27 pm
Location: 127.0.0.1

Re: Vulnerability in Bash

Post by Ubulindy »

UPDATE: ok, that all worked, however now I have another problem, I have NO grub. A menu came up, it asked about grub-install pc. It listed my drives, and had a red mark in both. When I tried to select either, it wouldn't let me do a thing. Then it kept going to another menu telling me "yes" or "no" to install grub. I couldnt proceed any further. What should I di? I tried: sudo grub-install /dev/sda and sudo grub-install /dev/sda1 and got this:

sudo grub-install /dev/sda1
[sudo] password for dementia:
Installing for i386-pc platform.
grub-install: warning: File system `ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.
dementia@dementia:~$ sudo grub-install /dev/sda
Installing for i386-pc platform.
grub-install: warning: this GPT partition label contains no BIOS Boot Partition; embedding won't be possible.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.
“When the government’s boot is on your throat, whether it is a left boot or a right boot is of no consequence."
User avatar
greenpete
Level 1
Level 1
Posts: 24
Joined: Mon Oct 28, 2013 3:32 pm

Re: What's this about bash?

Post by greenpete »

My system hasn't found any updates and according to Ars T I still have a vulnerable system... http://arstechnica.com/security/2014/09 ... -in-it/#p3

I ran the test they mention and the results suggest my system is not patched, plus I haven't had an update for a while.

I have checked everything and all seems fine in regards to updates working including running 'sudo apt-get update' and 'sudo apt-get upgrade' but I see no updates at all, let alone for 'Shellshock'. :(
LinuxMint 18.2 64bit on an no brand ASrock - i5 - 12GB ram
pe1800
Level 1
Level 1
Posts: 49
Joined: Wed Feb 05, 2014 4:04 pm

Re: Shellshock: Bash bug

Post by pe1800 »

I run Mint 16 KDE, for personal use, not a server, is a bug fix for that version coming up?
User avatar
xenopeek
Level 24
Level 24
Posts: 24855
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Shellshock: Bash bug

Post by xenopeek »

pe1800 wrote:I run Mint 16 KDE, for personal use, not a server, is a bug fix for that version coming up?
Except for Linux Mint 13 and 17, all Linux Mint versions are obsolete and have reached end of support (no fixes are coming for anything; and haven't been coming for a long while now...). You should plan to install Linux Mint 17. Read the global announcement for more information: http://forums.linuxmint.com/viewtopic.php?t=173378
Image
BoDill
Level 4
Level 4
Posts: 402
Joined: Thu Apr 10, 2014 4:31 pm
Location: Cortland, NY

Re: What's this about bash?

Post by BoDill »

To niowluka,

Thank you very much!!! Being new at Linux, I had not clicked on the "Shield" before. Following your instructions, I had about an hours worth of updates. Now I will likley check it daily!!!

By the way, I have seen a few versions of code, simllar to the ones below, to type into a Terminal to determine if my computer is "infected". Is there anyone at Linux Mint who can tell me exactly what to type and what to look for?
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"


BoDill
Desktop: OptiPlex-990 ; Linux Mint 19.1 Tessa
Laptop: Dell Latitude E6420; Linux Mint 19.1 Tessa
Laptop 2: HP Pavilion g7; Linux Mint 20 "Ulyana" Cinnamon
mickey6
Level 1
Level 1
Posts: 23
Joined: Sun Jun 29, 2014 2:13 pm

Re: Shellshock bug in BASH . . . [Solved]

Post by mickey6 »

Does that mean the update has already been pushed out through the Update Manager, or do I need to do this: http://www.ubuntu.com/usn/usn-2362-1/ ?
Post Reply

Return to “Releases & Announcements”