September 25, 201411 yr Perhaps we have another vulnerability.... http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ I performed the test on unRAID 6.0-Beta9 as described in the article, and it seems to be affected. Not sure if this a big deal with unRAID and how it is used.
September 25, 201411 yr You have to consider that anything which takes user input and defines an environment variable is vulnerable. Then consider how much helpful shell script code people provide here, plus the fact that it runs as root. We're really already vulnerable to a malicious programmed intent. The issue with this particular situation is that user input from an external program could be coerced into running something that wasn't intended. so in summary. 1. If you accept external scripts and run them as root, you are already vulnerable (although you can audit these scripts). 2. Any external input, especially from the internet, makes you more vulnerable 'even if you audit' 3. This is fuel for script kiddes to exploit 4. Your older hardware devices that run linux or bash of some sort have this bug also. My recommendation would be for limetech to plug it. There's an update on slackware already. For those who want to take matters into their own hands, you can download the slackware bash update and put it in your /extras folder. While this does replace bash, any copies already running in memory will not get replaced. Only future invocations.
September 25, 201411 yr Perhaps we have another vulnerability.... http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ I performed the test on unRAID 6.0-Beta9 as described in the article, and it seems to be affected. Not sure if this a big deal with unRAID and how it is used. If you limit access to the unraid server it should not be a big deal, but any additional plugins/docker apps could make it more vulnerable.
September 25, 201411 yr beta10 has the latest "shellshock" patch incorporated, but, as with heartbleed, it won't be the last one as the vulnerability is completely vetted. You can follow the discussion here: http://seclists.org/oss-sec/2014/q3/index.html#654 This is mainly an issue only for internet-facing servers. Note: I will be moving this thread to "Announcements".
September 25, 201411 yr Limetech, I realize that this is probably not something which is a major security item for most of us who are using version 5.0.5 but there does exist some risk. Are there any plans to release either a version 5.0.6 with just the upgrade Bash shell or the new BASH shell with directions to instructions of how to install it in existing 5.0.5 installations?
September 28, 201411 yr There is now a Bash vulnerability check script, attached. Copy it to your flash drive, without the .txt extension. On testing it on my current UnRAID v5.0.5, early version of it produced: root@JacoBack:~# cd /boot root@JacoBack:/boot# bashcheck Vulnerable to CVE-2014-6271 (original shellshock) Vulnerable to CVE-2014-7169 (taviso bug) ./bashcheck: line 18: 4777 Segmentation fault (core dumped) bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug) root@JacoBack:/boot# Not a pretty sight. Perhaps others could test it on the current v6.0-beta9, and the soon coming -beta10. I do NOT see this as a serious problem though, if you keep your server off the Internet and NEVER try unvetted scripts. Of course, as a DOS/Windows based user like many others here, I have never and will never allow my server to be open to the Internet, unless in the future I load a reputable Linux distro in a VM. I do not consider myself a sufficiently experienced Linux user. I also will never download scripts from the Web unless they have been vetted by experienced and trusted UnRAID users. Edit: updated the attached bashcheck script; to be sure of latest, use link in Tom's post, following this one. Edit2: gave up trying to attach current bashcheck, as it is currently updated several times a day. Please go to https://github.com/hannob/bashcheck to download the latest version.
September 28, 201411 yr There is now a Bash vulnerability check script, attached. Copy it to your flash drive, without the .txt extension. Where did you find that? EDIT: nevermind, found it: https://github.com/hannob/bashcheck On -beta10, which has latest patch produced yesterday it yields: Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
September 29, 201411 yr fyi, i had to update my bash again today to finally get it to pass that bashcheck script.
September 29, 201411 yr fyi, i had to update my bash again today to finally get it to pass that bashcheck script. How are you installing it? I believe that the old vulnerable version is what is in the 5.0.5 built. I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot. It probably takes one or more line(s) of code in the 'go' script to do that.
September 29, 201411 yr fyi, i had to update my bash again today to finally get it to pass that bashcheck script. How are you installing it? I believe that the old vulnerable version is what is in the 5.0.5 built. I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot. It probably takes one or more line(s) of code in the 'go' script to do that. I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added in the go or stop scripts.
September 29, 201411 yr fyi, i had to update my bash again today to finally get it to pass that bashcheck script. How are you installing it? I believe that the old vulnerable version is what is in the 5.0.5 built. I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot. It probably takes one or more line(s) of code in the 'go' script to do that. I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added in the go or stop scripts. Have you done this? Do you have a link to the website that contains the updated package that would work in ver5.0.5?
September 29, 201411 yr Have you done this? Do you have a link to the website that contains the updated package that would work in ver5.0.5? You can get latest bash security patches here:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646 But do you have your unRaid server directly facing the internet? If not, do hackers have access to your private LAN where your unRaid server is connected? If answer to these is Yes, then maybe you need to update. If No, then no need. Same with heartbleed.
September 29, 201411 yr Have you done this? Do you have a link to the website that contains the updated package that would work in ver5.0.5? You can get latest bash security patches here:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646 Would this be the correct file and location to get it? ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz And would one install it by just placing it in the /boot/extras directory and rebooting?
September 29, 201411 yr I also would like to know which version is the correct version for 5.05 and how to install it.
October 2, 201411 yr I gave up trying to keep my post above updated with the latest version of the bashcheck script. It is currently being updated several times a day, with significant changes. For latest copy, go to https://github.com/hannob/bashcheck.
October 4, 201411 yr can just grab latest by doing: wget "https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck"
Archived
This topic is now archived and is closed to further replies.