Linux bash exploit discovered

[mouser]

"Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh---but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details."

http://www.csoonline...h-cve-2014-6271.html

[Gothi[c]]

The RH article has a nice summary of possible attack vectors: https://access.redha...com/articles/1200223

[Jibz]

That's awful. Looks a bit like a bash version of http://xkcd.com/327/

[TaoPhoenix]

Also awful is "and confirmed its presence in bash for an extended period of time".

So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014. I mean, I know zero about Linux, but isn't bash one of those "deep core" little items that's been around forever?

(Glancing at the article for snips)
"...has been given the name Shellshock by some"

"this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It's quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example -- routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed."

It's like a war now. "My heart is bleeding, and now I have shellshock."

Meanwhile in a tangentially related article I don't have the link to this minute, someone reported that hackers want medical data even more than credit cards now, and it remarked that hospitals don't always have top-notch IT departments. So if someone gets into some medical equipment, that could cause a mess!!
Robin Cook, where are you?

[Renegade]

So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014. I mean, I know zero about Linux, but isn't bash one of those "deep core" little items that's been around forever?

-TaoPhoenix (September 25, 2014, 06:40 AM)

God only knows how many of these are floating out there.

I worked on bada for a while, and I was pretty surprised when it was shelved for Tizen. It had an excellent security model. Pretty much everything was entirely encapsulated to an insane degree.

For example, you couldn't really ever do this:

myVar = SomeFunction(input1, input2);

Instead, you had to do this:

Error myError = SomeFunction(input1, input2, out myVar);

Functions returned only error values, so if things go smooth, you might have "myError" equal to "Error.OK" or something like that.

It allowed for functions to operate as black boxes with error checking already incorporated.

A lot of functions returned booleans, but whatever - same diff - errors are caught.

I checked the exploit above, and it seems rather odd that it was never caught before. One has to wonder who the committers are for some of these.

[Tuxman]

So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014.

-TaoPhoenix (September 25, 2014, 06:40 AM)

Don't trust Linux.

While Linux would work without bash, the GNU/Linux ecosystem mostly got down to it. Here we go with another example of Linux's bad design: As everything is third-party software, no one triggers a decent QA.

[Renegade]

Don't trust Linux.

While Linux would work without bash, the GNU/Linux ecosystem mostly got down to it. Here we go with another example of Linux's bad design: As everything is third-party software, no one triggers a decent QA.

-Tuxman (September 26, 2014, 03:37 AM)

What would you recommend as a day-to-day usable OS? FreeBSD? OpenBSD? Other?

[Tuxman]

Depends on what you do day-by-day. My day-by-day systems are Windows and FreeBSD, randomly supported by OpenBSD. All of them do different things for me.

[40hz]

You can run a quick test to see if your version of bash has the vulnerability.

Enter the following in your terminal (sudo not necessary):

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the vulnerability is present you will receive this output:

vulnerable
 this is a test

If not, it will display:

bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

With thanks to Ars Technica. More info on this vulnerability test and what it means can be found in this article.

Several major distros already have the first pass patches uploaded to their repositories so the normal software updates should handle getting the patch to you. Check with your distro website for more info.
 

[mouser]

ps. DonationCoder main and member servers were both patched to protect against the exploit (thanks DC member Gothic!)

[wraith808]

A note... git bash is vulnerable

[Renegade]

A note... git bash is vulnerable

-wraith808 (September 26, 2014, 10:39 AM)

Shhhh! That's my Viagra email server!!!

[Ath]

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

-40hz (September 26, 2014, 08:42 AM)

That's the simple test, but this one still shows the date/time of execution after patch 1 is applied:

[Select]

rm -f echo && env -i  X='() { (a)=>\' bash -c 'echo date'; cat echo

After applying the second patch it should just do nothing, afaik.
Oh, run it in an empty directory, just to be safe, it will delete, and can create, a file called echo

[Stoic Joker]

This vulnerability effects Mac as well.

[ewemoa]

IIUC, there are at least two more issues that have surfaced from investigating the original issue [1].  The following mentions CVE ids for these (handy to distinguish among issues):

  http://article.gmane.org/gmane.comp.security.oss.general/13937


On a side note, looks like there's an FF issue that surfaced in a similar time frame...

Update: didn't realize Chrome appears to be affected too.

1

...who knows how many more may be discovered...and which of those will remain unreported...

[rgdot]

not really an over reaction but it may be seen as one

Soon there will be a "recommendation" to turn off all devices and just go out and talk personally? I don't think I am exaggerating when I say we are at a tipping point or cross roads and not just technologically speaking. A war there, a hack there, a criminal over there, a new enemy over in the other place, etc.

At some point humanity should decide if it wants to try a future ala Star Trek or just give up and just nuke each other to oblivion

[Deozaan]

This is my primary source for information about the bash exploit:

Everything you need to know about the Shellshock Bash bug

As I understand it, it's not just Linux. It's pretty much anything with bash. This includes Unix systems, OSX, Linux, Internet of Things (toasters, thermostats, lightbulbs), routers, and even some tools for Windows that include bash.

It's a pretty severe problem. )c:

[Tuxman]

Unix doesn't default to bash. Unix rocks.

[ewemoa]

May be there will be more movement away from using Bash as the default system shell for systems that currently use it.

IIRC, sometime ago Debian switched away from bash as the default system shell to using dash.

[Tuxman]

Not in Linuxland. The bash is the only major GPL'ed shell.

[ewemoa]

I'm not sure what the current status is, but FWIW at some point Ubuntu was using dash as its default system shell:

  https://wiki.ubuntu.com/DashAsBinSh

[Tuxman]

indeed, it is still the default login shell

 

[ewemoa]

According to Gentoo's wiki:

As some sh scripts may have bashisms in them, it is not guaranteed to work out-of-the-box on Gentoo as /bin/sh replacement.

via:  http://wiki.gentoo.org/wiki/Dash

May be if that's still the case, there will be more incentive to make some appropriate changes...

OTOH, there's this:

  https://bugs.gentoo.org/45735?id=45735

with the status RESOLVED CANTFIX

[ewemoa]

I just checked a relatively recent version of Linux Mint (17 I think), and /bin/sh symlinked to dash, so my guess is that Ubuntu still uses dash as the system shell.

[ewemoa]

Arch seems to have taken the position (at least at some point) of not switching:

We are using bash arrays and lots of other bash features, removing them now is simply impossible. bash it is, and will be.

via https://bugs.archlinux.org/task/19551