Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Bug In Bash Shell Hits Everything *nix - Vulnerability

Featured Replies

You have to consider that anything which takes user input and defines an environment variable is vulnerable.

 

Then consider how much helpful shell script code people provide here, plus the fact that it runs as root.

We're really already vulnerable to a malicious programmed intent.

 

The issue with this particular situation is that user input from an external program could be coerced into running something that wasn't intended.

 

so in summary.

 

1. If you accept external scripts and run them as root, you are already vulnerable (although you can audit these scripts).

2. Any external input, especially from the internet, makes you more vulnerable 'even if you audit'

3. This is fuel for script kiddes to exploit

4.  Your older hardware devices that run linux or bash of some sort have this bug also.

 

My recommendation would be for limetech to plug it. There's an update on slackware already.

 

For those who want to take matters into their own hands, you can download the slackware bash update and put it in your /extras folder.

 

While this does replace bash, any copies already running in memory will not get replaced.

Only future invocations.

Perhaps we have another vulnerability....

 

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

I performed the test on unRAID 6.0-Beta9 as described in the article, and it seems to be affected.

 

Not sure if this a big deal with unRAID and how it is used.

 

If you limit access to the unraid server it should not be a big deal, but any additional plugins/docker apps could make it more vulnerable. 

beta10 has the latest "shellshock" patch incorporated, but, as with heartbleed, it won't be the last one as the vulnerability is completely vetted.  You can follow the discussion here:

http://seclists.org/oss-sec/2014/q3/index.html#654

 

This is mainly an issue only for internet-facing servers.

 

Note:  I will be moving this thread to "Announcements".

 

 

Limetech, I realize that this is probably not something which is a major security item for most of us who are using version 5.0.5 but there does exist some risk. 

 

Are there any plans to release either a version 5.0.6 with just the upgrade Bash shell or the new BASH shell with directions to instructions of how to install  it in existing 5.0.5 installations?

There is now a Bash vulnerability check script, attached.  Copy it to your flash drive, without the .txt extension.

 

On testing it on my current UnRAID v5.0.5, early version of it produced:

root@JacoBack:~# cd /boot

root@JacoBack:/boot# bashcheck

Vulnerable to CVE-2014-6271 (original shellshock)

Vulnerable to CVE-2014-7169 (taviso bug)

./bashcheck: line 18:  4777 Segmentation fault      (core dumped) bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null

Vulnerable to CVE-2014-7186 (redir_stack bug)

Test for CVE-2014-7187 not reliable without address sanitizer

Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

root@JacoBack:/boot#

Not a pretty sight.  Perhaps others could test it on the current v6.0-beta9, and the soon coming -beta10.  I do NOT see this as a serious problem though, if you keep your server off the Internet and NEVER try unvetted scripts.

 

Of course, as a DOS/Windows based user like many others here, I have never and will never allow my server to be open to the Internet, unless in the future I load a reputable Linux distro in a VM.  I do not consider myself a sufficiently experienced Linux user.  I also will never download scripts from the Web unless they have been vetted by experienced and trusted UnRAID users.

 

Edit: updated the attached bashcheck script; to be sure of latest, use link in Tom's post, following this one.

Edit2:  gave up trying to attach current bashcheck, as it is currently updated several times a day.  Please go to https://github.com/hannob/bashcheck to download the latest version.

There is now a Bash vulnerability check script, attached.  Copy it to your flash drive, without the .txt extension.

 

Where did you find that?

 

EDIT: nevermind, found it:

https://github.com/hannob/bashcheck

 

On -beta10, which has latest patch produced yesterday it yields:

 

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

fyi, i had to update my bash again today to finally get it to pass that bashcheck script.

fyi, i had to update my bash again today to finally get it to pass that bashcheck script.

 

How are you installing it?  I believe that the old vulnerable version is what is in the 5.0.5 built.  I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot.  It probably takes one or more line(s) of code in the 'go' script to do that. 

fyi, i had to update my bash again today to finally get it to pass that bashcheck script.

 

How are you installing it?  I believe that the old vulnerable version is what is in the 5.0.5 built.  I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot.  It probably takes one or more line(s) of code in the 'go' script to do that.

 

I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added in the go or stop scripts.

fyi, i had to update my bash again today to finally get it to pass that bashcheck script.

 

How are you installing it?  I believe that the old vulnerable version is what is in the 5.0.5 built.  I am reasonably sure you can install a non-vulnerable version of Bash into a current running unRAID system, but that installation will not survive a reboot.  It probably takes one or more line(s) of code in the 'go' script to do that.

 

I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added in the go or stop scripts.

 

Have you done this?  Do you have a link to the website that contains the updated package that would work in ver5.0.5?

Have you done this?  Do you have a link to the website that contains the updated package that would work in ver5.0.5?

 

You can get latest bash security patches here:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646

 

But do you have your unRaid server directly facing the internet?  If not, do hackers have access to your private LAN where your unRaid server is connected?  If answer to these is Yes, then maybe you need to update.  If No, then no need.  Same with heartbleed.

 

Have you done this?  Do you have a link to the website that contains the updated package that would work in ver5.0.5?

 

You can get latest bash security patches here:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646

 

 

Would this be the correct file and location to get it?      ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz

 

And would one install it by just placing it in the /boot/extras directory and rebooting?

I also would like to know which version is the correct version for 5.05 and how to install it.

I gave up trying to keep my post above updated with the latest version of the bashcheck script.  It is currently being updated several times a day, with significant changes.  For latest copy, go to https://github.com/hannob/bashcheck.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.