Critical Linux, Unix, Mac security vulnerability found in bash shell
119 replies, posted
[quote]A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.[/quote]
[url=http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/]Source: Arstechnica[/url]
Well, that sucks.
It's already been fucking fixed
Really only an issue if you just next and take all the defaults of a distro and don't update.
May still affect Macs
Install Gentoo?
Microsoft windows mustard race
[QUOTE=Sam Za Nemesis;46073098]Yeah and every single server and client on earth are running the patch[/QUOTE]
They can only blame themselves for not keeping their system up-to-date.
[QUOTE=DerpishCat;46072849]It's already been fucking fixed[/QUOTE]
Wrong, fix is flawed.
CVE-2014-7169
This is a maximum severity security bug, that's currently live, with no available mitigation.
This is about a million times worse than Heartbleed could have ever been.
[url]https://security-tracker.debian.org/tracker/CVE-2014-7169[/url]
Shut down everything on your servers that uses CGI - I straight-up killed apache, and did some other things.
And it can be exploited through SSH, with no authentication.
And DHCP. And I believe Samba.
It's bad.
Also, the bug affects Bash versions for the last 25 years.
[QUOTE=JohnFisher89;46072860]Really only an issue if you just next and take all the defaults of a distro[/QUOTE]
Changing your shell is generally not something regarded as security critical.
[quote]and don't update[/quote]
This has been out for a few hours and if you're running a vulnerable service and haven't updated by now, your server is very very likely to be part of a botnet by now.
[editline]25th September 2014[/editline]
[QUOTE=nikomo;46073293]Wrong, fix is flawed.
CVE-2014-7169
This is a maximum severity security bug, that's currently live, with no available mitigation.
This is about a million times worse than Heartbleed could have ever been.
[url]https://security-tracker.debian.org/tracker/CVE-2014-7169[/url][/QUOTE]
Supposedly fixed already, see this (and further replies in that thread).
[url]http://www.openwall.com/lists/oss-security/2014/09/25/10[/url]
There's also a patch that takes the entire feature out of bash (made against 4.3.24, not 4.3.25):
[url]http://pastebin.com/mT7hY37Z[/url]
[QUOTE=nikomo;46073293]
Also, the bug affects Bash versions for the last 25 years.[/QUOTE]
Holy shit.
This means that even my Irix machines are affected.
[QUOTE=DrTaxi;46073319]
Supposedly fixed already, see this (and further replies in that thread).
[url]http://www.openwall.com/lists/oss-security/2014/09/25/10[/url][/QUOTE]
From the looks of it, that fix is being tested (last post asked for it to be tested) and is not live at that moment in time.
It's not fixed until upstream officially publishes the fix, and distributions distribute it.
[QUOTE=Rar;46073635]From the looks of it, that fix is being tested (last post asked for it to be tested) and is not live at that moment in time.[/QUOTE]
It has been posted. That is enough for you to apply it to bash 4.3.25 and compile it yourself.
If you're a Linux/Unix admin, that's what you're supposed to do.
[QUOTE=DrTaxi;46073732]It has been posted. That is enough for you to apply it to bash 4.3.25 and compile it yourself.
If you're a Linux/Unix admin, that's what you're supposed to do.[/QUOTE]
What about people running legacy systems where either the vendor has gone out of business or no longer provides support? Are we completely fucked?
[QUOTE=pentium;46073750]What about people running legacy systems where either the vendor has gone out of business or no longer provides support? Are we completely fucked?[/QUOTE]
Only if they run GNU bash and you can't replace it.
Killed all my *NIX Servers and will rebuild them after this has been fixed.
Bash is running on my Windows Servers as well, but at least there's no *CGI or SSH that can be fucked with.
What do you need bash on a Windows server for?
[QUOTE=DrTaxi;46073956]What do you need bash on a Windows server for?[/QUOTE]
I use MSYS2 on my servers, which is very useful for sifting through gigantic log files, and other general tasks.
[QUOTE=Fatfatfatty;46072998]Microsoft windows mustard race[/QUOTE]
This was only found by the public because it's open source; these exist in Windows but they won't be fixed until a zero day because it's closed source. The only reason closed source software doesn't have the laughing stock tier bad reputation it should have is [I]because[/I] it's closed source, so you can't see its critical vulnerabilities in plain sight.
Should I as a regular user be worried about this or is it only something that is dangerous to servers?
Well that was quick. Just found this in my VPS's apache access log:
89.207.135.125 - - [25/Sep/2014:03:46:42 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 506 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
Appeared to target a cPanel CGI plugin that allows for remote code execution.
[editline]25th September 2014[/editline]
209.126.230.72 - - [25/Sep/2014:00:51:48 -0500] "GET / HTTP/1.0" 200 381 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
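As an added example (not code from this thread or from any of the posters), here is a small Python scanner that flags the probe pattern quoted above in Apache combined-format access logs; the combined-log regex is an assumption about the log layout, and the sample lines are constructed from the two requests quoted in this post plus one benign request.

```python
import re

# Apache "combined" log format (assumed layout, matching the lines quoted above):
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The Shellshock trigger: a header value that starts with an exported-function
# definition "() { ... }" followed by ";" and a trailing command. Scanners vary
# the whitespace ("() { :;};" vs "() { :; };"), so the regex is tolerant of it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{.*?\}\s*;\s*(?P<cmd>.+)')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Return one finding per line whose referer, user-agent or request line
    carries the function-definition prefix: client IP, the field it arrived in,
    the HTTP status and the trailing command string, for triage."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("referer", "agent", "request"):
            m = SHELLSHOCK_RE.search(rec[field])
            if m:
                findings.append({"ip": rec["ip"], "field": field,
                                 "status": int(rec["status"]),
                                 "cmd": m.group("cmd").strip()})
                break  # one finding per line is enough for counting sources
    return findings

# Constructed sample: the two probes quoted in this post plus a benign request.
SAMPLE_LOG = [
    '89.207.135.125 - - [25/Sep/2014:03:46:42 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 506 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"',
    '209.126.230.72 - - [25/Sep/2014:00:51:48 -0500] "GET / HTTP/1.0" 200 381 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"',
    '10.0.0.1 - - [25/Sep/2014:04:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['ip']} via {f['field']} (HTTP {f['status']}): {f['cmd']}")
```

A 404 on the probed CGI path, as in the first line, means the script was not there to run; a 200 is the line worth investigating further.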
It's not a plugin for cPanel, it's a feature of cPanel.
It appears that damn near every cPanel installation would be vulnerable.
[QUOTE=SPESSMEHREN;46074066]Well that was quick. Just found this in my VPS's apache access log:
89.207.135.125 - - [25/Sep/2014:03:46:42 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 506 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
Appeared to target a cPanel CGI plugin that allows for remote code execution.
[editline]25th September 2014[/editline]
209.126.230.72 - - [25/Sep/2014:00:51:48 -0500] "GET / HTTP/1.0" 200 381 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"[/QUOTE]
209.126.230.72 - - [24/Sep/2014:22:58:18 -0400] "GET / HTTP/1.0" 200 902 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
Same here.
[QUOTE=SPESSMEHREN;46074066]Well that was quick. Just found this in my VPS's apache access log:
89.207.135.125 - - [25/Sep/2014:03:46:42 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 506 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
Appeared to target a cPanel CGI plugin that allows for remote code execution.
[editline]25th September 2014[/editline]
209.126.230.72 - - [25/Sep/2014:00:51:48 -0500] "GET / HTTP/1.0" 200 381 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"[/QUOTE]
Some of my nodes also logged requests with the exploit.
This is bad.
Bad would be the understatement of the century.
Noted that the errata blogger scanned me, shut all my shit down until maintainers push a real fix out.
[QUOTE=kaukassus;46074210]Some of my nodes also logged requests with the exploit.[/QUOTE]
Only some? Robert Graham regularly scans the entire internet* for stuff.
*public IPv4 address space, minus US government ranges
[QUOTE=DerpishCat;46073248]They can only blame themselves for not [B]keeping their system up-to-date[/B].[/QUOTE]
Says the guy running 98
It seems if you're running nginx as a frontend as opposed to Apache, you're probably okay as nginx doesn't seem to pass env variables (web server wise)
Talked to my unofficial SGI rep and it seems that I'm in the green unless:
-If you use a bash script for CGI
-If you've replaced /bin/sh with bash
Neither applies to me so I'm okay.