Bug In Bash Shell Hits Everything *nix - Vulnerability


mygoogoo

Recommended Posts

You have to consider that anything which takes user input and defines an environment variable is vulnerable.

 

Then consider how much helpful shell script code people provide here, plus the fact that it runs as root.

We're really already vulnerable to a malicious programmed intent.

 

The issue with this particular situation is that user input from an external program could be coerced into running something that wasn't intended.

 

so in summary.

 

1. If you accept external scripts and run them as root, you are already vulnerable (although you can audit these scripts).

2. Any external input, especially from the internet, makes you more vulnerable 'even if you audit'

3. This is fuel for script kiddes to exploit

4.  Your older hardware devices that run linux or bash of some sort have this bug also.

 

My recommendation would be for limetech to plug it. There's an update on slackware already.

 

For those who want to take matters into their own hands, you can download the slackware bash update and put it in your /extras folder.

 

While this does replace bash, any copies already running in memory will not get replaced.

Only future invocations.

Link to comment

Perhaps we have another vulnerability....

 

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

I performed the test on unRAID 6.0-Beta9 as described in the article, and it seems to be affected.

 

Not sure if this a big deal with unRAID and how it is used.

 

If you limit access to the unraid server it should not be a big deal, but any additional plugins/docker apps could make it more vulnerable. 

Link to comment

Limetech, I realize that this is probably not something which is a major security item for most of us who are using version 5.0.5 but there does exist some risk. 

 

Are there any plans to release either a version 5.0.6 with just the upgrade Bash shell or the new BASH shell with directions to instructions of how to install  it in existing 5.0.5 installations?

Link to comment

There is now a Bash vulnerability check script, attached.  Copy it to your flash drive, without the .txt extension.

 

On testing it on my current UnRAID v5.0.5, early version of it produced:

root@JacoBack:~# cd /boot

root@JacoBack:/boot# bashcheck

Vulnerable to CVE-2014-6271 (original shellshock)

Vulnerable to CVE-2014-7169 (taviso bug)

./bashcheck: line 18:  4777 Segmentation fault      (core dumped) bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null

Vulnerable to CVE-2014-7186 (redir_stack bug)

Test for CVE-2014-7187 not reliable without address sanitizer

Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

root@JacoBack:/boot#

Not a pretty sight.  Perhaps others could test it on the current v6.0-beta9, and the soon coming -beta10.  I do NOT see this as a serious problem though, if you keep your server off the Internet and NEVER try unvetted scripts.

 

Of course, as a DOS/Windows based user like many others here, I have never and will never allow my server to be open to the Internet, unless in the future I load a reputable Linux distro in a VM.  I do not consider myself a sufficiently experienced Linux user.  I also will never download scripts from the Web unless they have been vetted by experienced and trusted UnRAID users.

 

Edit: updated the attached bashcheck script; to be sure of latest, use link in Tom's post, following this one.

Edit2:  gave up trying to attach current bashcheck, as it is currently updated several times a day.  Please go to https://github.com/hannob/bashcheck to download the latest version.

Link to comment

There is now a Bash vulnerability check script, attached.  Copy it to your flash drive, without the .txt extension.

 

Where did you find that?

 

EDIT: nevermind, found it:

https://github.com/hannob/bashcheck

 

On -beta10, which has latest patch produced yesterday it yields:

 

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Link to comment

fyi, i had to update my bash again today to finally get it to pass that bashcheck script.

 

How are you installing it?  I believe that the old vulnerable version is what is in the 5.0.5 built.  I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot.  It probably takes one or more line(s) of code in the 'go' script to do that. 

Link to comment

fyi, i had to update my bash again today to finally get it to pass that bashcheck script.

 

How are you installing it?  I believe that the old vulnerable version is what is in the 5.0.5 built.  I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot.  It probably takes one or more line(s) of code in the 'go' script to do that.

 

I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added in the go or stop scripts.

Link to comment

fyi, i had to update my bash again today to finally get it to pass that bashcheck script.

 

How are you installing it?  I believe that the old vulnerable version is what is in the 5.0.5 built.  I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot.  It probably takes one or more line(s) of code in the 'go' script to do that.

 

I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added in the go or stop scripts.

 

Have you done this?  Do you have a link to the website that contains the updated package that would work in ver5.0.5?

Link to comment

Have you done this?  Do you have a link to the website that contains the updated package that would work in ver5.0.5?

 

You can get latest bash security patches here:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646

 

But do you have your unRaid server directly facing the internet?  If not, do hackers have access to your private LAN where your unRaid server is connected?  If answer to these is Yes, then maybe you need to update.  If No, then no need.  Same with heartbleed.

 

Link to comment

Have you done this?  Do you have a link to the website that contains the updated package that would work in ver5.0.5?

 

You can get latest bash security patches here:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646

 

 

Would this be the correct file and location to get it?      ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz

 

And would one install it by just placing it in the /boot/extras directory and rebooting?

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.