
Shellshock Bash Vulnerability

I've not been all that worried about it because of the kind of exploit it is. If you're pretty locked down through port access and don't have a lot of remote users, you are probably ok. I think the fear is that some applications use bash to execute code on the server. If you lock down the file system, that doesn't keep a hacker from changing environment variables (the exploit). That still doesn't necessarily allow them to write to the file system.

I patched about 40 systems last week and again over the weekend (normal patching schedule luckily came up this weekend anyhow)...

Just keep a watchful eye on any systems that grant web services bash privileges. There were a bunch of these coded in the early 2000s to move companies off old mainframes. Other than that, I'm not sure what applications would have those kinds of rights.
 
so far every time this comes up I just run

Code:
ansible all --sudo -m yum -a 'name=bash state=latest'

and then go expense food at Denny's.
 
Not sure what the above command does but yum update worked for me, may as well do a full system update at the same time. Fortunately distros were pretty quick to issue the patch and even older distros like CentOS 5 got it.

Mmm Denny's. Been a while since I've been to one. They have em down south and often are near the hotel.
 
So the bash bug has really turned into the gift that keeps on giving

They are up to 6 vulnerabilities:
CVE-2014-6271
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-6277
CVE-2014-6278

more redhat specific info here:
https://access.redhat.com/articles/1200223

Chet Ramey has put out new patches for the latest
http://seclists.org/oss-sec/2014/q4/17

good reading:
http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html

This is a good thing IMO. Perhaps a security audit is in order, but the amount of eyes on the code right now is a good thing. 🙂
 
This is a good thing IMO. Perhaps a security audit is in order, but the amount of eyes on the code right now is a good thing. 🙂

I agree with that 🙂

Though I'm sure there are plenty of systems holding all kinds of private data out there now - which don't get regularly patched.
 
We have a lot of heritage OS in our environment for various business needs...it's been an absolute fucking nightmare..
 
Not sure what the above command does but yum update worked for me, may as well do a full system update at the same time. Fortunately distros were pretty quick to issue the patch and even older distros like CentOS 5 got it.

Mmm Denny's. Been a while since I've been to one. They have em down south and often are near the hotel.

It's an automation command to yum update bash on all servers known to ansible. That's about 3200 linux servers for me.
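Pushing `state=latest` through ansible updates the package, but it does not prove the host stopped importing code from environment variables. The check below is an added example, not code from this thread: it runs the widely published CVE-2014-6271 probe against a bash binary (assumed to be on PATH, or passed as the first argument) and exits non-zero when the trailing command is executed, so it can be run across a fleet (for instance via the ansible `script` module) and failing hosts show up as errors.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an installed bash no
# longer executes code appended to an environment variable whose value
# looks like an exported function definition (CVE-2014-6271).
# Assumption: the interpreter to test is "bash" on PATH unless a path is
# given as the first argument.

# Prints "patched" and returns 0 when the appended command does NOT run,
# "vulnerable" and returns 1 when it does, returns 2 if the binary is
# missing.  Output goes to stdout so a fleet loop can collect it.
shellshock_check() {
    target="${1:-bash}"
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "no such interpreter: $target" >&2
        return 2
    fi
    # Constructed probe: a function-looking value with a command appended.
    # A fixed bash imports only the function body (or refuses the import
    # and warns on stderr, which is discarded here); the marker string
    # therefore only appears in the output of an unpatched bash.
    out="$(env x='() { :;}; echo probe_ran' "$target" -c 'echo done' 2>/dev/null)"
    case "$out" in
        *probe_ran*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# When executed directly, report on the requested interpreter and propagate
# the result as the script's exit status.
shellshock_check "$@"
```

Run it after the yum/ansible step: a host that prints `vulnerable` still has the old bash loaded (or a second copy, e.g. under /usr/local), which the package update alone will not catch.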
 