Main Edition: BASH vulnerability a.k.a. 'Shellshock'

[Ubulindy]

I added this: deb http://ftp.us.debian.org/debian sid main I updated the cache and it failed, got nothing but errors. Is that not correct?

[pessimizer]

Short thread, lots of bad information.

Bug is bad, and still unpatched (the patch was bad.) Things running on mod_php, passenger, etc. through Apache and nginx are generally safe, and in Debian, you would have to have changed /bin/sh to bash manually or have applications running that exec out to scripts with a bash shebang rather than sh (pretty common, but rarely happens in Debian upstream) for normal webapps to be vulnerable. Unless you're omniscient, you probably have no idea if this happens somewhere in a pipeline that is accepting input from the internet.

If you have some app that puts a web administration server on a weird port (embedded webserver), make sure you're not forwarding it to your firewall for the time being. There's really nothing else to do about it at this point.

http://www.troyhunt.com/2014/09/everyth ... about.html

http://forum.linuxmint.com/viewtopic.ph ... 25#p928017

[Paulm]

Many thanks killer de bug your Bash update idear using sid worked super, now have 4.3-9.1

[Ubulindy]

Paulm, Can you post to me what entry you added? I'm getting nothing but failures. Thanks

Jees oh man I have added and then removed every sid repo I can find and I get errors or 404 on all of them. Getting aggravated here

[BoDill]

Hello,

I just ried to find the "Update Manager" mentioned by "Amasa" above, but do not know how to find it.

Can someone help me? You must be rather specific, because I'm obviously NOT a computer whiz.

Also, anything else you can tell me about combating this virus will be greatly apperciated.

Thank you,
BoDill,
Linux Mint 17

[nomko]

Anyway, i've tersted my system and i get this:

Code: Select all

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

So according to that scaremongering crappy article i'm save....

[niowluka]

Also, anything else you can tell me about combating this virus will be greatly apperciated.

It's not a virus, it's a vulnerability. And you don't need to combat it. Unless you're running an ultra secure webserver or something similar you have nothing to worry about.

Chill-out, grab a coffee and install the update:
Update Manager can be launched by the clicking on the shield-shaped icon in your taskbar. You should really be familiar with it, otherwise you have not been updating your system. If after launching you can't see any updates click 'refresh'. bash should show as one of the available updates. Install.

[acw89]

1.618 -- Thanks for the info ... just fixed my Linux Mint up as well.

Love not having to wait like with Windows ..

Unix -- Live FREE or DIE

[Paulm]

Yes, In software Sources add < deb http://ftp.debian.org/debian sid main contrib non-free > update the cache.
In the terminal (not the Software source manager) < sudo apt-get update > then < sudo apt-get update >
You will find there are a lot of upgrades and some that won't install. Say yes to the updates and yes when it come to the 'bash change questions'
Then when the upgrades have been installed, untick the 'ftp sid main' and update the cache and again in the terminal < sudo apt-get update >
Good luck it worked for me, The sid version should now be 4.3-9.1

[xenopeek]

For details, check the RedHat information on this: https://securityblog.redhat.com/2014/09 ... on-attack/

On Linux Mint 17 you already have the first patch for bash available through Update Manager (version 4.3-7ubuntu1.1 includes the CVE-2014-6271 patch; changelog). Same for Linux Mint 13 (version 4.2-2ubuntu2.2; changelog).

Everywhere it is being discussed the Ubuntu bash maintainer has already piped in he is working on the second part of the patch. The fix for this will arrive on Linux Mint 13 and 17 through Update Manager once available in Ubuntu.

If you're using Linux Mint as a home server, or as a public server, you might want to take additional steps now. For example there are mod_security rules you can use to catch attempts to exploit this bug on your Apache install. Home users are less susceptible to the bug being exploited, as they're not running services on Internet reachable ports.

Edit: patch for LMDE is underway. You could download the complete patch already from Debian unstable if you are using LMDE as a server: https://packages.debian.org/source/unstable/bash

[Habitual]

So according to that scaremongering crappy article i'm save....

Code: Select all

apt-get changelog bash | less

Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs ... /changelog) [123 kB]
bash (4.3-7ubuntu1.1) trusty-security; urgency=medium

* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271

[Habitual]

Code: Select all

apt-get changelog bash | less

Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs ... /changelog) [123 kB]
bash (4.3-7ubuntu1.1) trusty-security; urgency=medium

* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271

-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 22 Sep 2014 15:26:16 -0400

Code: Select all

System:    Host: my-kungfu Kernel: 3.13.0-24-generic x86_64 (64 bit) Desktop: Xfce 4.11.6
           Distro: Linux Mint 17 Qiana

[DrHu]

About the BBC version of the story

• "To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up," he said.
  "This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK.

No-one: commercial OS or applications, or OSS (same) is doing that, nor likely ever intends to

I also looked at the RED HAT security info (and the knowledge base link), and it is as said not as click-bait as the BBC article.
--to me it looks like that older bug SQL injection as far as how it may affect users or be handled by the developer(s) of BASH..

And I didn't see anyone suggest using another shell such as Korn or C-shell; or perhaps some other choice
https://en.wikipedia.org/wiki/Unix_shell
--perhaps they have the same issue and no-one has thought to tell us yet..

[acerimusdux]

1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation" ? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?

It's nefarious in the sense that the attacker can essentially write his own function and inject it via a value stored in an environement variable, so if the attacker is nefarious, then the function is likely to be.

An arbitrary environement variable isn't neccessarily nefarious, but they shouldn't be so easily executed as code. A function being defined and saved in a variable isn't bad either, as something still has to call it. But that's not the case here. The problem here is that code can be inserted after the definition and it will execute (without the fuction having to be called).

2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? ( I.e. upon boot, or running Update Manager, or some other program )

That depends on how observant you are about what is running on your system. There are some desktop users who are unaware they are even running a web-server (usually because some application installed one as a dependency). If you are running no services that are accessible remotely, and/or a good firewall that prevents outside access to any services that are running on open ports, then you would be pretty well protected. So this is more a risk to anyone who is running a web-server (especially with cgi scripting), or using ssh for remote access, or allowing any other form of remote access. But there has been some talk that even some dhcp clients may be vulnerable, something lots of desktop users might have running. And, it appears even if your Mint desktop is safe, a number of routers may be vulnerable; if an attacker can own your router, they can easily redirect traffic, capture traffic (including passwords), spoof secure banking sites, etc.

1) 3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.

A key point here is no authorization necessarily required for code injection. Anything that can save something into an environment variable, can cause code to be executed whenever bash is run (as it reads the environment variables). For example, my understanding is that CGI parses headers as environment variables. So your website doesn't even need to be allowing form input for example, the attacker can insert the attack right into an http request header.

SE Linux properly configured may provide some protection against some possible commands being executed, but there are likely lots of possible attacks which it still wouldn't prevent.

4) Should I be asking different questions here?

Thanks

Look like good questions to me.

The main thing is that Mint is not especially vulnerable, as it does not use bash as it's default shell. However, bash is still apparently considered an essential package. For example:

Code: Select all

sudo apt-get remove bash
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  bash bash-completion inxi mint-meta-core mint-meta-mate
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  bash
0 upgraded, 0 newly installed, 5 to remove and 39 not upgraded.
After this operation, 2,924 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
 ?] 
Abort.

I'm tempted to try going ahead and removing it anyway, as I suspect it may not really be that essential, but I figured I'd better get this post written before I crash my machine.

But that's the question I would ask, is it safe to simply remove bash?

That seems to me to be the simplest most foolproof solution, if it's not actually being used for anything important!

[Ubulindy]

UPDATE: ok, that all worked, however now I have another problem, I have NO grub. A menu came up, it asked about grub-install pc. It listed my drives, and had a red mark in both. When I tried to select either, it wouldn't let me do a thing. Then it kept going to another menu telling me "yes" or "no" to install grub. I couldnt proceed any further. What should I di? I tried: sudo grub-install /dev/sda and sudo grub-install /dev/sda1 and got this:

sudo grub-install /dev/sda1
[sudo] password for dementia:
Installing for i386-pc platform.
grub-install: warning: File system `ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.
dementia@dementia:~$ sudo grub-install /dev/sda
Installing for i386-pc platform.
grub-install: warning: this GPT partition label contains no BIOS Boot Partition; embedding won't be possible.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
grub-install: error: will not proceed with blocklists.

[greenpete]

My system hasn't found any updates and according to Ars T I still have a vulnerable system... http://arstechnica.com/security/2014/09 ... -in-it/#p3

I ran the test they mention and the results suggest my system is not patched, plus I haven't had an update for a while.

I have checked everything and all seems fine in regards to updates working including running 'sudo apt-get update' and 'sudo apt-get upgrade' but I see no updates at all, let alone for 'Shellshock'.

[pe1800]

I run Mint 16 KDE, for personal use, not a server, is a bug fix for that version coming up?

[xenopeek]

I run Mint 16 KDE, for personal use, not a server, is a bug fix for that version coming up?

Except for Linux Mint 13 and 17, all Linux Mint versions are obsolete and have reached end of support (no fixes are coming for anything; and haven't been coming for a long while now...). You should plan to install Linux Mint 17. Read the global announcement for more information: http://forums.linuxmint.com/viewtopic.php?t=173378

[BoDill]

To niowluka,

Thank you very much!!! Being new at Linux, I had not clicked on the "Shield" before. Following your instructions, I had about an hours worth of updates. Now I will likley check it daily!!!

By the way, I have seen a few versions of code, simllar to the ones below, to type into a Terminal to determine if my computer is "infected". Is there anyone at Linux Mint who can tell me exactly what to type and what to look for?
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"


BoDill

[mickey6]

Does that mean the update has already been pushed out through the Update Manager, or do I need to do this: http://www.ubuntu.com/usn/usn-2362-1/ ?