ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

 
Bill Malchisky
 

Archives

    Links

    Find me here…

  • Skype
  • Bleedyellow via Sametime

    • BillMal Your Lotus Pal

    Linux Bash Bug - Shellshock - is Real: Get Patched (AIX, Mac Too)

    Bill Malchisky  September 25 2014 06:00:00 AM
    This is ugly, but fortunately you just have to update to a fixed Bash version and you are fine (for now). No need to reboot your system either. Red Hat is out early on this and escalated this appropriately. Their first round of updates got all but one exploit permutation, so they re-issued another bug identifier and are working to close it soon.

    Their initial timeline: Red Hat announced the bug on 14 Sep, had a proposed upstream patch seven hours later (0500h 15 Sep), backported it to Bash 3.0, 3.1, 3,2, 4.0, 4.1, and 4.2 three days later on 18 Sep; announced the release 1h later and made it public with an updated issue description six hours after that. Pretty impressive. On the 24th, Red Hat provided public documentation on this matter; six hours later it was reported that the fix is missing one exploit, so they are working to resolve that as I write this post. Things move fast in the world of open source.

    Impact Statement     from Red Hat, provides direct prose for the next two sections. "Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)"

    Abstract Update
    Red Hat has become aware that the patch for     CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.

    How does this impact systems
    This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
    All versions prior to those listed as updates for this issue are vulnerable to some degree.

    Test If You Have The Bug
    malchw@san-domino:~/Documents/$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    Positive Result
    vulnerable
    this is a test

    Negative Result
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    Notations
    1. Your response may be something similar and be just fine; the difference is getting noise versus a clean response as the positive result indicates
    2. Run this check on any Apple Mac product running OS X, as tests show Macs are vulnerable
    3. Anyone running AIX, Solaris, or HP-UX should also check, as Bash is available on those systems

    Addition - 26 September 2014
    4. Update -- IBM released a patch for Protector that addresses Shellshock; verified by a customer of its success


    Mitigation
    Red Hat's Security Blog has a detailed analysis of which programs utilizing Bash can cause issues and why. "Bash specially-crafted environment variables code injection attack"


    Resolution
    Ideally, you need to be running bash-4.1.2-15 with current RHEL versions. Despite the bug's significance, the fix is really easy.
    RHEL: #yum clean all && yum update bash
    On my older RHEL 5 box: # rpm -Uvh bash-3.2-33.el5.1.i386.rpm

    CentOS: #yum clean all && yum update bash
    Ubuntu: $update-manager -or- $sudo apt-get update

    If you know the version number, you can always specify it too (package name example is for RHEL6.5)
    # yum update bash-4.1.2-15.el6_5.1

    -OR-
    Get the update manually and update the RPM -> https://rhn.redhat.com/rhn/errata/details/Packages.do?eid=27888

    Note    : the "clean all" parameter above tells yum to clean all cached data, ensuring that bash can be updated more reliably, particularly with older systems; it may be considered optional on current systems


    Distro Provided Resolution Documents
    CentOS posted a document on the exploit and obtaining fixes through their list serv, "[CentOS] Critical update for bash released today."
    Red Hat's is here: "Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux"
    Novell/SUSE; bug report with patches here
    Debian
    Ubuntu

    Example Output - CentOS 6.5
    [root@localhost ~]# yum clean all && yum update bash
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Cleaning repos: base extras updates
    Cleaning up Everything
    Cleaning up list of fastest mirrors
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Determining fastest mirrors
    * base: centos.chi.host-engine.com
    * extras: cosmos.cites.illinois.edu
    * updates: mirror.atlanticmetro.net
    base                                                     | 3.7 kB     00:00    
    base/primary_db                                          | 4.4 MB     00:05    
    extras                                                   | 3.3 kB     00:00    
    extras/primary_db                                        |  19 kB     00:00    
    updates                                                  | 3.4 kB     00:00    
    updates/primary_db                                       | 5.3 MB     00:06    
    Setting up Update Process
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Loading mirror speeds from cached hostfile
    * base: mirrors.lga7.us.voxel.net
    * extras: mirror.es.its.nyu.edu
    * updates: centos.aol.com
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
    ---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
    --> Finished Dependency Resolution

    Dependencies Resolved
    ================================================================================
    Package       Arch            Version                   Repository        Size
    ================================================================================
    Updating:
    bash          x86_64          4.1.2-15.el6_5.1          updates          905 k

    Transaction Summary
    ================================================================================
    Upgrade       1 Package(s)

    Total download size: 905 k
    Is this ok [y/N]: y
    Downloading Packages:
    bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00    
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
    Cleanup    : bash-4.1.2-15.el6_4.x86_64                                   2/2
    Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
    Verifying  : bash-4.1.2-15.el6_4.x86_64                                   2/2

    Updated:
    bash.x86_64 0:4.1.2-15.el6_5.1                                                

    Complete!


    Quick and Dirty Work-around    , provided by Jake DePoy
    # iptables --append INPUT -m string --algo kmp --hex-string '|28 29 20 7B|' --jump DROP

    The Red Hat Customer Portal indicates the risk with the above work-around,
    "Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability."

    Powered by IBM Lotus Domino 8 | Lotus User Group | Get Firefox! | This blog is listed on Planet Lotus   IBM Certified

    © 2010 William Malchisky.