Pretty major Linux exploit with Bash

Red Squirrel · Sep 24, 2014

http://seclists.org/oss-sec/2014/q3/649

Patch up ASAP.

This is probably worse than Heartbleed.

Basically remote code can be executed via various services such as apache due to a bash exploit.

Embargo period was today so this info is fresh and there may be more info that comes out to public. Best to patch before that point.

Chiefcrowe · Sep 24, 2014

Another article on this.. looks major!!!

http://arstechnica.com/security/201...-big-security-hole-on-anything-with-nix-in-it

KillerBee · Sep 24, 2014

Supposedly the first patch is not a complete fix yet

https://access.redhat.com/articles/1200223

see the FAQ at bottom:
I heard that the patch for CVE-2014-6271 is incomplete. How can I mitigate this issue?

Elixer · Sep 25, 2014

KillerBee said:
Supposedly the first patch is not a complete fix yet

https://access.redhat.com/articles/1200223

see the FAQ at bottom:
I heard that the patch for CVE-2014-6271 is incomplete. How can I mitigate this issue?

Well, so far, it only happens with bash, so, if you were to use something else like zsh... that should fix it.

smakme7757 · Sep 25, 2014

Reading various comments on various news sites its funny how people are saying "i thought open source didn't have these problems"

The general public seem to forget that the point of more eyes on the code is to actually find these problems

.

Elixer · Sep 25, 2014

smakme7757 said:
The general public seem to forget that the point of more eyes on the code is to actually find these problems .

Of course, if nobody is looking (who doesn't have nefarious intentions)...things get by.

alkemyst · Sep 25, 2014

Thanks! Sharing with our security team.

lxskllr · Sep 25, 2014

Got the patch in Debian testing today. If you want to see if you're patched or not, paste this in your shell...

Code:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Red Squirrel · Sep 25, 2014

Nice! Was wondering what was a good way to do within the OS. My public facing server is not vulnerable, my home ones are, but not that concerned at this point as they're not public facing. I'll still be doing updates though.

Nithin · Sep 26, 2014

Any information about android? Can't seem to find anything conclusive. Does it ship with bash?

IGemini · Sep 26, 2014

Stock android uses a different shell. Unless you're rooted and have bash explicitly installed, you most likely don't have it but it depends on the developer. I think Cyanogenmod makes use of bash.

Nithin · Sep 26, 2014

IGemini said:
Stock android uses a different shell. Unless you're rooted and have bash explicitly installed, you most likely don't have it but it depends on the developer. I think Cyanogenmod makes use of bash.

Thanks, good to know. It's moto G and nexus 7 so should be stock android.

jhu · Sep 29, 2014

IGemini said:
Stock android uses a different shell. Unless you're rooted and have bash explicitly installed, you most likely don't have it but it depends on the developer. I think Cyanogenmod makes use of bash.

Cyanogenmod uses ash (within busybox). But it appears bash is present /system/xbin

Chiefcrowe · Sep 30, 2014

Just saw this.. it should be pushed out to everyone via the software update soon I assume?

http://www.theverge.com/2014/9/29/6...-patch-to-fix-the-potentially-gnarly-bash-bug

bbhaag · Sep 30, 2014

How do I know if I'm patched up properly? I pasted the command that was in the Ars article into the terminal but the output doesn't read the same as the article suggests it should. Do you guys think I'm ok?

Screenshotfrom2014-09-30134732_zpsbc38bde7.png~original

HOSED · Sep 30, 2014

^^^^ according to this link were are patched - http://www.linuxnews.pro/patch-bash-shell-shock-centos-ubuntu/
Synaptic reports version 4.3-7ubuntu1.4

Chiefcrowe · Sep 30, 2014

Some Interesting background...

http://www.wired.com/2014/09/shellshocked-bash

Red Squirrel · Sep 30, 2014

May want to run another yum/apt update as I noticed there was another patch recently. I think they're looking for more bugs now and it sounds like some of this code is really old and may be buggy.

bbhaag · Sep 30, 2014

HOSED said:
^^^^ according to this link were are patched - http://www.linuxnews.pro/patch-bash-shell-shock-centos-ubuntu/
Synaptic reports version 4.3-7ubuntu1.4

Thanks for the link. Makes me feel a bit better.

Chiefcrowe said:
Some Interesting background...

http://www.wired.com/2014/09/shellshocked-bash

Fasinating article. Makes you wonder just how much code is still out there that has its roots in the early days of modern computing. It also makes you contemplate just how secure open source software is.

Jodell88 · Oct 1, 2014

bbhaag said:
Fasinating article. Makes you wonder just how much code is still out there that has its roots in the early days of modern computing. It also makes you contemplate just how secure open source software is.

Actually, it goes to show how little support some critical software gets. OpenSSL had three guys working on it and bash has one.

MrColin · Oct 1, 2014

bbhaag said:
Fasinating article. Makes you wonder just how much code is still out there that has its roots in the early days of modern computing. It also makes you contemplate just how secure open source software is.

It has already been patched in the main linux distros while Apple is taking their sweet time and letting the fanboy PR engine play it down. Arguably, it isn't as significant on OSX as almost nobody has public facing services macs. standing on the shoulders of giants...

Pretty major Linux exploit with Bash

No Lifer

Diamond Member

Golden Member

Lifer

Golden Member

Lifer

No Lifer

No Lifer

No Lifer

Senior member

Platinum Member

Senior member

Lifer

Diamond Member

Diamond Member

Senior member

Diamond Member

No Lifer

Diamond Member

Diamond Member

Platinum Member