Topic: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-62

[ghorst352]

Just seeing if there has been any discussion regarding this vulnerability that just came out.

https://www.us-cert.gov/ncas/alerts/TA14-268A

[DanB35]

You mean, like this topic, posted yesterday?
http://forums.contribs.org/index.php/topic,51137.0.html

There's an update already out for SME 8 and 9.  Install it and you're covered.

[jim7jim]

Can someone tell me the steps to install this? My software installer pane shows the system is up to date and when I do a 'yum install' I get back 'No Packages marked for Update'.

Also, is there a way to get the current version of Bash?

TIA

[guest22]

Also, is there a way to get the current version of Bash?

Maybe you have been caught in a mid air collision of package release, mirror sync and your yum.

Please check the Bash version by 'rpm -q bash' and see in the main post if you have the latest.

[jim7jim]

'rpm -q bash' yields -->   bash-3.2-33.el5_10.4

I saw you mention bash version 4.1.2 in another post but is that for CentOS 6? The version I have above is ok for CentOS 5 (SME 8.1), right?

[guest22]

as per http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html for SME8

[jim7jim]

Thank you very much for the assistance!

[ghorst352]

Is there any reason why using bash --version is different than rpm -q bash command?   I bring this up as an alarm that is on the redhat forums so I would imagine somebody knows about this or perhaps I have been misguided from the forum.  Thanks.

[root@mail ~]# rpm -q bash
bash-3.2-33.el5_10.4
[root@mail ~]# bash --version
GNU bash, version 3.2.25(1)-release (i386-redhat-linux-gnu)

[ghorst352]

Nevermind, this is a noted issue with the command not reflecting the correct version.

https://www.centos.org/forums/viewtopic.php?f=24&t=48648

[soundrolf]

There is a shellscript out to check the bash if vulnerable or not

https://github.com/hannob/bashcheck

Rolf

[devtay]

Thanks for posting this.

There is a shellscript out to check the bash if vulnerable or not

https://github.com/hannob/bashcheck

Rolf

[guest22]

Thanks for posting this.

Why please? What will you do with any outcome?

[devtay]

Not much.  it's more for my peace of mind than anything else. Maybe learn a little more about my server and how to maintain it? I just appreciate that people are willing to help out here.

[Mntsnow]

Replying here as this is where the topic dealing with shellshock for SME9 linked me to...

Anyways I've looked and I do show the new version of bash (bash-4.1.2-15.el6_5.2) but when check against my server it still shows a vulnerability namely "CVE-2014-6277" as shown from the shellshock test from shellshocker.net.  Note: I added the colors below

root@sme-3 ~]# curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
101  2533  101  2533    0     0   6305      0 --:--:-- --:--:-- --:--:-- 12728
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16:  5024 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
[root@sme-3 ~]# exit

What do I need to do to fix that issue or is it something I don't need to worry about?

[Stefano]

you should/could search for CVE-2014-6277 in RH's bugzilla and with google..

we can only wait for upstream bugfix

[mmccarn]

I don't think RedHat is working on this any more:

Statement

Not affected. This issue did not affect the versions of bash as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7 as it was mitigated by the following Red Hat Security Advisories: RHSA-2014:1306, RHSA-2014:1311, RHSA-2014:1312.

The RedHat CVE page includes a link to this post at Full Disclosure:
http://seclists.org/fulldisclosure/2014/Oct/9

Suggesting:

To test, execute
this command from within a bash shell:

foo='() { echo not patched; }' bash -c foo

If you see "not patched", you probably want upgrade immediately. If
you see "bash: foo: command not found", you're OK.

My SME 8 and SME 9 servers all report 'bash: foo: command not found'.

[Mntsnow]

Thank you for the Info....I feel better about it now.

[CharlieBrady]

I don't think RedHat is working on this any more:

CVE-2014-6277 is still an open issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1147189#c7

[CharlieBrady]

Anyways I've looked and I do show the new version of bash (bash-4.1.2-15.el6_5.2) but when check against my server it still shows a vulnerability namely "CVE-2014-6277" as shown from the shellshock test from shellshocker.net.

Please note that it is unwise to run a test like that via the root account. That's giving whoever controlls that website remote control of your server.

This is a better idea:

Code: [Select]

[root@sdfdsf tmp]# chpst -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
bash-4.1$ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
101  2533  101  2533    0     0    748      0  0:00:03  0:00:03 --:--:-- 44438
CVE-2014-6271 (original shellshock): VULNERABLE
bash: line 16: 12730 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 49: 12747 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
bash: line 129: syntax error near `x129'
bash: line 129: `for x129 in ; do :'
CVE-2014-7187 (nested loops off by one): VULNERABLE
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash-4.1$ exit
exit
[root@sdfdsf tmp]#



[Mntsnow]

Looks like they updated the test script as I am now getting good results across the board

See the final comment discussing the "bug" at https://bugzilla.redhat.com/show_bug.cgi?id=1147189#c22