Bash CVE-2014-6271 Vulnerability
Excuse me if this was already posted. I searched titles only for bash and 6271 and didn't see any results.
Cut and paste from CVE-2014-6271 Bash vulnerability allows remote execution arbitrary code:
This morning a flaw was found in Bash with the way it evaluated certain environment variables. Basically an attacker could use this flaw to override or bypass environment restrictions to execute shell commands. As a result various services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).
I’m currently patching servers for this. The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!
To test if your version of Bash is vulnerable run the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If that command returns the following:
vulnerable
this is a test
…then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Arch Linux CVE-2014-6271 patch:
pacman -Syu
Last edited by hydn (2014-09-28 20:57:41)
On a related note. I post this here as it might be of interest to some members....
I just checked my DD-WRT based router for this vulnerability. It comes stock with Busybox and does not seem to be vulnerable, but... I keep bash on a separate partition which gets mounted on /opt. That bash is vulnerable. Until the DD-WRT project catches up, I suggest anyone using that router firmware consider disabling Bash for the time being and stick with BB.
Also, as another aside, ArchArm has this fix in place now and is safely running on my Raspberry Pi.
I did kill the ssh service on the Windows Box that let me into bash via Cygwin. Cygwin Bash is vulnerable as of when I began this post.
Last edited by ewaller (2014-09-25 18:26:18)
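Added example, not part of either post above: a small script that runs the first post's self-test against every shell binary on a host, since the second post shows that a machine can carry more than one copy of Bash. The function names and the default candidate paths (including /opt/bin/bash for a Bash kept under /opt) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original posts. Runs the self-test quoted in
# the first post against each shell binary given on the command line.

# Probe value from the post: a function definition followed by a harmless
# marker command, placed in environment variable x.
PROBE='() { :;}; echo vulnerable'

# classify_probe_output OUTPUT
# Prints "vulnerable" if the marker appears on a line of its own (the
# vulnerable result shown in the post), otherwise "not-vulnerable".
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# probe_shell PATH
# Prints "missing" when PATH is not an executable file, else the verdict.
# env -i hands the child only the probe variable; stderr is dropped because
# a patched bash reports the rejected definition there.
probe_shell() (
    shell_path=$1
    if [ ! -f "$shell_path" ] || [ ! -x "$shell_path" ]; then
        echo missing
        exit 0
    fi
    out=$(env -i x="$PROBE" "$shell_path" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
)

# audit_shells PATH...
# Prints one "path<TAB>verdict" line per candidate.
audit_shells() (
    for candidate in "$@"; do
        printf '%s\t%s\n' "$candidate" "$(probe_shell "$candidate")"
    done
)

# Default candidates are assumptions: common system locations plus a copy
# kept under /opt, as in the DD-WRT reply. Pass your own paths to override.
[ "$#" -gt 0 ] || set -- /bin/bash /bin/sh /usr/local/bin/bash /opt/bin/bash
audit_shells "$@"
```

A /bin/sh that is really zsh or BusyBox reports not-vulnerable, which matches what both posters observed for non-Bash shells.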
Similar Messages
-
Bash vulnerability bash CVE-2014-6271 on Cisco devices
Hi, all,
Anybody know whether any Cisco devices are vulnerable to recent bash CVE-2014-6271? I am especially concerned about ASA which opens https to the public.
Thanks,

Have a look here:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
and here:
http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Under affected products. -
Is this product have shell shock (CVE-2014-6271) vulnerability
There is a worldwide Shellshock (CVE-2014-6271) vulnerability. Is there any impact on Firefox versions? If yes, what are the versions affected by this? And what are the plans to deliver fixes for these vulnerabilities from Firefox?
Correct, in response to the escalation tag, I confirmed with the security team that this has nothing to do with Firefox.
It was warned that the bash shellshock was more of a worry. However there [cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568] and [https://www.mozilla.org/security/announce/2014/mfsa2014-73.html] -
[CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?
http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
Discussion?

Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Please refer to the expanded "Affected Products".
The following Cisco products are currently under investigation:
Cable Modems
Cisco CWMS
Network Application, Service, and Acceleration
Cisco ACE GSS 4400 Series Global Site Selector
Cisco ASA
Cisco GSS 4492R Global Site Selector
Network and Content Security Devices
Cisco IronPort Encryption Appliance
Cisco Ironport WSA
Routing and Switching - Enterprise and Service Provider
Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
Cisco ISM
Cisco NCS6000
Voice and Unified Communications Devices
Cisco Finesse
Cisco MediaSense
Cisco SocialMiner
Cisco Unified Contact Center Express (UCCX)
Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues. -
Hi ,
Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169: I am referring to the link below to check NX-OS - n7000-s1-dk9.5.1.3.bin
https://tools.cisco.com/bugsearch/bug/CSCur04856
5.1.3 is not mentioned in the affected list. Need help to know if 5.1 is affected by the Bash vulnerability.
Thanks for help in advance.

The concern with the bash shell is that services MAY be setup to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I've
never tried.
Good luck.
-
CVE-2014-6271 bash vulnerability
more info on this here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://www.reddit.com/r/sysadmin/comments/2hc5rk/cve20146271_remote_code_execution_through_bash/
I'm assuming Apple will release a security update for this on supported versions of the Mac OS but in the meantime, is there a fix that we can apply? What is an easy way to patch this on older OS versions that Apple is no longer supporting? (perhaps something short of recompiling bash)

I had foolishly imagined that the update to "Command Line Tools (OS X 10.9)" released (I thought?) today would fix this. It does not. The referenced fixes do, although, as sjabour said, don't just run those blindly: understand what they do.
As an aside, after patching other Unix systems I care for, I also changed all users' (and, on Linux, root's) shells to something else (I like Zsh, although that may not be right for root in all cases). On Darwin, root's shell is "/bin/sh", but, as with most Linux distributions, that's actually just bash. You absolutely can execute Zsh as sh, and have it behave as an sh-alike, so if you aren't comfortable with patching and rebuilding, but are comfortable with basic SA practice (or you just don't have XCode for whatever reason), you could replace the bash /bin/sh with a hard link to /bin/zsh instead, like this:
% cd /bin
% sudo ln sh sh-real
% sudo ln -f zsh sh
% ls -li sh* zsh
334241 -rwxr-xr-x 2 root wheel 530320 Oct 31 2013 sh
11118 -r-xr-xr-x 1 root wheel 942308 Sep 24 23:53 sh-real
18050387 ---------- 1 root wheel 1228304 Sep 24 23:51 sh.CVE-2014-6271
334241 -rwxr-xr-x 2 root wheel 530320 Oct 31 2013 zsh
% sudo su -
# echo $SHELL
/bin/sh
# /bin/sh --version
zsh 5.0.2 (x86_64-apple-darwin13.0) -
Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.
The official communication is now posted to
https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169 -
Bash bug CVE-2014-6271 patch availability?
Hi everyone, does anyone know if Oracle has released a patch for the bash bug? CVE-2014-6271 link below.
NVD - Detail
I'm looking for a patch on el5uek and el6uek I'm using: 2.6.39-400.126.1.el5uek, 2.6.39-400.21.1.el6uek.x86_64
thanks!

Check the following:
[root@vm110 ~]# yum -y install yum-security
[root@vm110 ~]# yum list-security | grep bash
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
ELSA-2014-1293 security bash-3.2-33.el5.1.x86_64
[root@vm110 ~]# yum info-security ELSA-2014-1293
Loaded plugins: rhnplugin, security
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
===============================================================================
bash security update
===============================================================================
Update ID : ELSA-2014-1293
Release : Oracle Linux 5
Type : security
Status : final
Issued : 2014-09-24
CVEs : CVE-2014-6271
Description : [4.1.2-15.1]
: - Check for fishy environment
: Resolves: #1141645
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2014 Oracle, Inc.
Severity : Critical
info-security done
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1
If you cannot see the above and do not pay for a subscription, make sure you have correct yum repository setup.
See Oracle Public Yum Server for details.
To install:
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1 -
Bash bug CVE-2014-6271 patch availability for OL4?
Hi,
Kindly advise how to download the CVE-2014-7169 CVE-2014-6271 security patches for Oracle Linux 4?
Rgds;
Shirley

Exactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.
-
Is there a patch out for the bash bug (CVE 2014-6271)?
Is there a patch out for the bash bug (CVE 2014-6271)? I saw one for Oracle Linux, so I hope there's one for Solaris as well.
Hi,
another approach could be to just build a custom bash package yourself using
the available changes published here:
https://java.net/projects/solaris-userland/sources/gate/show/components/bash
That's the build infrastructure and source we use to build the official Solaris 11
IPS packages.
Regards,
Ronald -
Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare6.5 SP8
Greetings, all...
I see that Novell has a handy security note out regarding CVE-2014-6271:
http://support.novell.com/security/c...2014-6271.html
as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:
http://support.novell.com/security/c...2014-7169.html
Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
surprised, though remain unconvinced that the older bash port is entirely
free of vulnerability, here.
Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
I don't believe that anyone is using mod_cgi or mod_cgid.
(BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
32 and 64-bit binary rpms on my FTP server:
ftp.2rosenthals.com/pub/CentOS/4.8 .)
Just curious as to what the consensus is regarding NetWare with this thing.
TIA
Lewis
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC www.2rosenthals.com
Need a managed Wi-Fi hotspot? www.hautspot.com
visit my IT blog www.2rosenthals.net/wordpress

The concern with the bash shell is that services MAY be setup to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I've
never tried.
Good luck.
-
Has anyone applied this linux update to engineered systems? I was looking to download this update from metalink but I could not find it. Any ideas?
If you have many clusters / racks, here's the command block using dcli:
For Compute Nodes
OPTIONAL: dcli -g /home/oracle/dbs_group -l root "rpm -qa| grep exadata-sun-computenode-exact"
dcli -g /home/oracle/dbs_group -l root "rpm -e exadata-sun-computenode-exact"
OPTIONAL: dcli -g /home/oracle/dbs_group -l root "rpm -qa| grep bash"
dcli -g /home/oracle/dbs_group -l root "rpm -Uvh /where/you/downloaded/CVE-2014-6271/bash-3.2-33.el5_11.4.x86_64.rpm"
OPTIONAL: dcli -g /home/oracle/dbs_group -l root "rpm -qa | grep bash"
For Cell Nodes:
dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root -f /where/you/downloaded/CVE-2014-6271/bash-3.2-33.el5_11.4.x86_64.rpm -d /tmp/
OPTIONAL: dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root "rpm -qa | grep bash"
dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root "rpm -Uvh --nodeps /tmp/bash-3.2-33.el5_11.4.x86_64.rpm"
dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root "rm /tmp/bash-3.2-33.el5_11.4.x86_64.rpm"
OPTIONAL: dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root "rpm -qa | grep bash"
+++++++++++++++++++++++
Above takes care of compute and cell nodes.
Now, the IB switches also have bash and Oracle very likely is working for a fix there. -
CVE-2014-6271 and CVE-2014-7169 / Oracle Linux
Hi ,
The patch required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle Linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm".
From where can I get this patch? It's not available on support.oracle/patches!!
Thanks,
Thamer

Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5). -
Windows Server 2008 CVE-2014-8730 vulnerability
We've received our monthly vulnerability scan results on our production servers running Windows Server 2008 R2.
They are showing vulnerability to TLS POODLE, which is the subject of CVE-2014-8730.
In this article on Qualys, there is mention that Windows Server 2008 is vulnerable but Microsoft have not taken any action yet:
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
Microsoft - We've seen reports that some older platforms (e.g., Windows 2008) appear vulnerable, but no apparent patterns or reliable information so far.
Is there any update on this issue as it's an exploitable vulnerability we would like to remediate.
Thanks,
Lyndon.

Hi Vivian,
The article cited is about a different issue.
In October 2014 there was an SSL v3 POODLE vulnerability, we have resolved this issue by disabling SSL v3 (as recommended).
The article you posted specifically references that issue (the article was published in October 2014).
In December 2014 there was another POODLE vulnerability announced that affected the TLS protocol.
A lot of major vendors have published patches for this issue, but Microsoft are yet to do so (as far as I know).
Hence my original question that has not been answered yet.
Regards,
Lyndon. -
ASR1K GNU Bash Vulnerability Rommon requirement (CVE-2014-6271 and CVE-2014-7169)
Does anyone know which ROMmon release version is recommended for 3.13.X?
Because there was no information in the release notes.
Thanks a lot~