Koozali.org: home of the SME Server

TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-62

Offline mmccarn

  • *
  • 2,626
  • +10/-0
I don't think RedHat is working on this any more:

Statement

Not affected. This issue did not affect the versions of bash as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7 as it was mitigated by the following Red Hat Security Advisories: RHSA-2014:1306, RHSA-2014:1311, RHSA-2014:1312.

The RedHat CVE page includes a link to this post at Full Disclosure:
http://seclists.org/fulldisclosure/2014/Oct/9

Suggesting:
Quote
To test, execute
this command from within a bash shell:

foo='() { echo not patched; }' bash -c foo

If you see "not patched", you probably want upgrade immediately. If
you see "bash: foo: command not found", you're OK.

My SME 8 and SME 9 servers all report 'bash: foo: command not found'.


Offline Mntsnow

  • **
  • 59
  • +0/-0
    • http://www.mntsnow.com
Thank you for the Info....I feel better about it now.
SME-8 64bit
PowerEdge 1950 III
(2) Quad Core Xeon x5460 @ 3.16GHz
24Gb Memory
PERC 5i raid controller
4 x 500Gb SAS 7.2K Drives in Raid 5
Dual 1Gb Nics

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
I don't think RedHat is working on this any more:

CVE-2014-6277 is still an open issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1147189#c7

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Anyways I've looked and I do show the new version of bash (bash-4.1.2-15.el6_5.2) but when check against my server it still shows a vulnerability namely "CVE-2014-6277" as shown from the shellshock test from shellshocker.net.

Please note that it is unwise to run a test like that via the root account. That's giving whoever controlls that website remote control of your server.

This is a better idea:

Code: [Select]
[root@sdfdsf tmp]# chpst -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
bash-4.1$ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
101  2533  101  2533    0     0    748      0  0:00:03  0:00:03 --:--:-- 44438
CVE-2014-6271 (original shellshock): VULNERABLE
bash: line 16: 12730 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 49: 12747 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
bash: line 129: syntax error near `x129'
bash: line 129: `for x129 in ; do :'
CVE-2014-7187 (nested loops off by one): VULNERABLE
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash-4.1$ exit
exit
[root@sdfdsf tmp]#


Offline Mntsnow

  • **
  • 59
  • +0/-0
    • http://www.mntsnow.com
Looks like they updated the test script as I am now getting good results across the board

See the final comment discussing the "bug" at https://bugzilla.redhat.com/show_bug.cgi?id=1147189#c22
SME-8 64bit
PowerEdge 1950 III
(2) Quad Core Xeon x5460 @ 3.16GHz
24Gb Memory
PERC 5i raid controller
4 x 500Gb SAS 7.2K Drives in Raid 5
Dual 1Gb Nics