Shell shock patch

Hi there, when will the shell shock patch be available please? Also, what are the precautions I can take right now to guarantee nothing will happen to my computer please? I have Mavericks.

If you are running a web server or are one of what Apple calls its "advanced UNIX users" apply the recent patch by downloading it from the GNU project archive.
If you don't know what that is, how to obtain it, or how to apply it to your server, then you are not affected and there is nothing you need to do.
Apple announced they are "working to quickly provide a software update for our advanced UNIX users."
There are plenty of bad things that could happen to a system due to existing vulnerabilities, known or unknown. There is no reason for any more concern today than there has ever been. Bash has been included with OS X for years, perhaps since its inception, and the particular flaw that was just discovered may have existed for years prior to that.
Similar vulnerabilities may also be discovered and exploited, now or in the future. The resulting effects, if there are any, cannot be accurately predicted.
Until then:
Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them.
Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.

Similar Messages

  • Shell shock - Bash still is not updated

    I purchased my Mac earlier this year (2014.7) and it was originally installed with OS X 10.9
    I have currently formatted my Mac 5 times since I have purchased it due to issues with Bash, Java, Safari, the App store.
    I believe I was victim to Shell shock as my Bash responds to the first vulnerability (First Update dated Sept 26, 2014, Bash version 3.2.53)
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    with a vulnerable output.
    this is a test
    I have downloaded the BashUpdateMavericks.pkg which NIST points to and it comes up with an error. I have tried installing the patch on both Mavericks and Yosemite and neither results in a successful instalment.
    Can anyone give any insight on what I should do to patch up bash?

    Apple's article about the BASH issue is here About OS X bash Update 1.0 - Apple Support
    While this vulnerability is generically described as the shellshock aka. BASH issue, there are actually several permutations of it. Some fixes only addressed some of those variations. As you will see Apple's article says they address two listed vulnerabilities but actually (as I read it) includes three different fixes.
    The following article https://shellshocker.net seems to list six variations plus the original issue including the two Apple list.
    On that basis one could argue Apple's fix does not address all the possible variations. However based on Apple's fix the result "this is a test" indicates the patch is correctly installed. Based on the shellshocker test all seven out of seven variations are fixed by Apple if you have the Apple patch installed.
    This is the result I get on Mavericks 10.9.5 with Apple's patch applied.
    CVE-2014-6271 (original shellshock): not vulnerable
    CVE-2014-6277 (segfault): not vulnerable
    CVE-2014-6278 (Florian's patch): not vulnerable
    CVE-2014-7169 (taviso bug): not vulnerable
    CVE-2014-7186 (redir_stack bug): not vulnerable
    CVE-2014-7187 (nested loops off by one): not vulnerable
    CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
    With an unpatched copy of Mavericks I get the first four as vulnerable and the last three as not vulnerable suggesting Apple indeed only had to add three fixes. (The last six issues are variations of the first one.)
    CVE-2014-6271 (original shellshock): VULNERABLE
    bash: line 17: 54477 Segmentation fault: 11  shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null
    CVE-2014-6277 (segfault): VULNERABLE
    CVE-2014-6278 (Florian's patch): VULNERABLE
    CVE-2014-7169 (taviso bug): VULNERABLE
    CVE-2014-7186 (redir_stack bug): not vulnerable
    CVE-2014-7187 (nested loops off by one): not vulnerable
    CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

  • Shell Shock Vulnerability

    sh and bash are vulnerable in Solaris 8 & 9
    Are there patches available??

    sh on any Solaris version is NOT bash. So sh is not vulnerable.
    bash might be vulnerable but normally Solaris would execute /bin/sh when performing system(),exec*(),popen() etc.
    So IMHO the chance of exploiting shell shock on a normal Solaris system is slim unless the admin has installed software that explicitly calls bash.
    Paul
    PS I am not saying it cannot be vulnerable, just that chances are much lower than on most Linux distros.

  • Any speculation around Bash "Shell shock" impact on VMware products?

    According to VMware investigating bash command injection vulnerability aka Shell Shock (CVE-2014-6271, CVE-2014-7169) | VMware Securi…, VMware is investigating the impacts of the Bash security vulnerability on VMware products.
    What do you think about the possible impact on ESXi hosts? Vulnerable to remote code execution or not?

    Does anybody know if the vShield Manager 5.1.4.1912202 is affected by shellshock? Thanks!!
    While not mentioning vShield Manager in particular, the KB article lists "vCloud Networking and Security 5.x (aka VMware Shield 5.x)" which the vShield Manager virtual appliance is a part of.
    Since the vShield Manager virtual appliance runs a full GNU/Linux OS underneath, I'm 99% certain it has a bash and is thus affected as well, like all the other virtual appliances. In fact, I'm not aware of any VMware virtual appliance that doesn't have a bash shell (feel free to correct me if I'm wrong).
    It seems like VMware is doing the proper thing and disabling parsing in bash altogether.
    Probably requires a lot more QA testing, but mitigates future parser bugs that are most likely coming.
    http://www.openwall.com/lists/oss-security/2014/09/29/43
    That's quite interesting.
    This raises the general issue of virtual appliances and patching once again. The GNU/Linux OS running in pretty much all appliances is just a customized version of another popular distribution (majorly SuSe in VMware's VAs), so in theory you could just update with the distribution's default packages instead of having to wait for vendors to publish their "certified" updates.
    I completely agree that QA is important and it can be problematic for certain packages like java, webserver or database software and depending libraries. But updates to more "generic" applications like bash or openssl (heartbleed), which only fix a very certain code area, shouldn't cause any issues in the applications.
    Given the severity of bugs like Shellshock and Heartbleed, there might be limited patience in some environments with waiting for vendors re-packing fixes that are released since some time.
    That "updating" a virtual appliance sometimes means "deploy a new VA from scratch and migrate data" doesn't help in that regard either.

  • IO Analyzer and Shell Shock

    Do you have any assessment of, or remediation for, the vulnerability of this appliance to the various Shell Shock CVEs?

    Since I/O Analyzer doesn't rely on CGI and our scripts never use environment variables to invoke a script running with a higher privilege, ShellShock has only minimal impact to I/O Analyzer. Having said that, we will patch our base OS and release a patched version by end of this month for best security practice.
    Thanks,
    Chien-Chia

  • Can anyone provide me details and fix for Shell Shock vulnerability for Cisco ASA version 5?

    We came to know from our compliance team that we are running into the shell shock vulnerability, therefore we wanted to know the fix and document.

    Hi James,
    We do have a PSIRT filed for shell shock vulnerability, please refer details below:
    CSCur00511    ACS evaluation for CVE-2014-6271 and CVE-2014-7169
    https://tools.cisco.com/bugsearch/bug/CSCur00511/?reffering_site=dumpcr
    Here is the fixed code information for individual versions:
    Fixed Code:
    Patch for DDTS CSCur00511 is ready and available on CCO.
    The patch is included in all cumulative patches from version 5.4.0.46.7/5.5.0.46.6/5.6.0.22.1 and later. We recommend that you download the latest cumulative patches.
    Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
    Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.4 / 5.4.0.46.0
    Patch filename: 5-4-0-46-.tar.gpg
    Readme and installation instructions: Acs-5-4-0-46--Readme.txt
    Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
    Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.5 / 5.5.0.46
    Patch filename: 5-5-0-46-.tar.gpg
    Readme and installation instructions: Acs-5-5-0-46--Readme.txt
    Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
    Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.6 / 5.6.0.22
    Patch filename: 5-6-0-22-.tar.gpg
    Readme and installation instructions: Acs-5-6-0-22--Readme.txt
    Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
    Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.3 / 5.3.0.40
    Patch filename: 5-3-0-40-.tar.gpg
    Readme and installation instructions: Acs-53-Readme.txt
    Regards,
    Tushar Bangia
    Please do rate the post if you find it helpful!!

  • Query related to Nexus Affected by Shell Shock

    Hi
    Can anyone please tell us if the below Nexus hardware with the respective software (NX-OS) is affected by shell shock ?
    If yes then which is the fixed version of NX-OS for each ?
    Thanks in advance.
    Regards,
    Nasir 

    OK, so I've changed my query to something like this:
    SELECT TOP 100 *
    FROM     OWTR as t1
    INNER join WTR1 as t2 ON (t1.docentry = t2.docentry)
    INNER JOIN OITL AS t3 ON t3.DocEntry = t1.DocEntry
    INNER JOIN ITL1 AS t4 ON t4.LogEntry = t3.LogEntry
    INNER JOIN OSRQ AS t6 ON t6.AbsEntry = t4.MdAbsEntry --AND t6.ItemCode = t4.ItemCode
    INNER JOIN OSRN AS t5 ON t4.ItemCode = t5.ItemCode AND t4.SysNumber = t4.SysNumber AND t5.AbsEntry = t4.MdAbsEntry
    Rob, can you check if this makes sense?
    Now, I can't figure out where the old Direction field (on SRI1) is in these new tables.
    I've checked in SAP, and it points to a RITL table/view/internal (???).

  • Shell Shock effect

    Hey, my buddy has Soundtrack and so do I and we were wondering if anyone knows how to make a shell shock effect on soundtrack.
    -Jackamo
    P.S. don't know if this is where the topic goes, please re-direct if misplaced

    can you describe this effect - not really sure what kinda sound you are asking about - always thought shell shock was a state-of-mind rather than a actual sound?!?
    gavin little
    echolab
    dublin, ireland
    http://www.echo-lab.com/
    http://www.imdb.com/name/nm1962022/

  • Shell Shock

    Ok i know shell shock is a term for the state of mind, but in the movies the sound is always muffled. i'm a newbie at soundtrack pro and was wondering how to create the muffled effect,

    hi
    there are many ways to achieve the effect you are talking about. It kind of depends what your perception of shell-shock is (or matching it - if you have ever suffered it!!!)
    one way to do this is to use an EQ to filter out all the high frequencies - this will give the muffled effect you describe. Or use a High Cut filter to do the same.
    there are also creative ways to achieve the disorientation of shell-shock. you could add a very high frequency sound to give a 'ringing in the ears' effect which often occurs after being in close proximity to a blast etc. (a very good example of this is in the recent film "We Own The Night" with joaquin phoenix - the scene where he is in the drug factory)
    I created the sound design for a short film directed by Ruairi Robinson...
    http://www.echo-lab.com/index.php?file=SC
    check the scene at 03:20
    sometimes sound design can be as much about what sounds you remove, rather than being about using great sounds. it's whatever tells the story really.
    hope this is of help to you
    gavin little
    echolab
    dublin, ireland
    http://www.echo-lab.com/
    http://www.imdb.com/name/nm1962022/

  • Is this product have shell shock (CVE-2014-6271) vulnerability

    There is a worldwide shell shock (CVE-2014-6271) vulnerability. Is there any impact on Firefox versions? If yes, what are the versions affected by this? And what are the plans to deliver fixes for these vulnerabilities from Firefox?

    Correct, in response to the escalation tag, I confirmed with the security team that this has nothing to do with Firefox.
    It was warned that the bash shellshock was more of a worry. However there [cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568] and [https://www.mozilla.org/security/announce/2014/mfsa2014-73.html]

  • What do I need to manage shell shock or bash bug on my airport router

    What do I need to do to manage shell shock or bash bug on my airport router?

    I do have shell access to my apple router..
    When I run command to test for bash vulnerability.
    tcgen4# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    env: bash: No such file or directory
    If I just type bash.
    tcgen4# bash
    bash: not found
    So they have not compiled bash into the airport routers.
    Apple routers are not running BASH.. you have nothing to worry about.
    (I have only tested  N wireless models)
    It is probably running the standard busybox shell. The env command shows the shell as SHELL=/bin/sh
    I do not have the latest version AC models.. but it is certainly not part of the earlier N wireless model airports. I would not think the change to the AC model will make any difference and it is still based on NetBSD.
    Thanks to John for sane comments.
    Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them.
    Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.
    My Mac is vulnerable.
    When I run the command..
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    The output shows that the Mac is allowing commands via bash.
    In order to access my computer from outside, a person would need passwords or something shared and open.. I have nothing.. and simply being behind a NAT router provides plenty of protection.. in due course when Apple releases the updates.. (I am fully up to date now).. I will apply it. Until then I suspect I will be more likely to die of heart attack than be hacked..
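The by-hand check used in these threads, wrapped so that the outcomes reported above are told apart: a vulnerable Mac, a patched Mac, an AirPort with no bash at all, and the Solaris point that sh is not bash. This is an added example, not part of any post; the function names, result labels and the SHELLS_TO_CHECK variable are assumptions, and it covers only the CVE-2014-6271 test quoted above, not the later variants.

```shell
#!/bin/sh
# Added example (not from any post above): run the CVE-2014-6271 check
# quoted in these threads against a shell and classify the result.
# Function names and result labels are assumptions made for this sketch.

# classify_output OUTPUT
# Interprets what the quoted test printed. A vulnerable bash executes the
# text that trails the function definition, so a line reading exactly
# "vulnerable" appears in addition to "this is a test".
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo NOT_VULNERABLE
    else
        echo INCONCLUSIVE
    fi
}

# check_shell NAME_OR_PATH
# Prints NO_SUCH_SHELL, NOT_BASH, VULNERABLE, NOT_VULNERABLE or INCONCLUSIVE.
check_shell() {
    # AirPort case from the thread: "env: bash: No such file or directory".
    if ! command -v "$1" >/dev/null 2>&1; then
        echo NO_SUCH_SHELL
        return 0
    fi
    # Solaris case from the thread: an sh that is not bash never sets
    # BASH_VERSION, while bash installed as /bin/sh still does.
    version=$("$1" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || version=
    if [ -z "$version" ]; then
        echo NOT_BASH
        return 0
    fi
    # The exact test quoted in the posts. stderr is discarded because some
    # patched builds print a warning about the ignored function definition.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || out=
    classify_output "$out"
}

# Report on bash and on whatever /bin/sh is on this machine.
for candidate in ${SHELLS_TO_CHECK:-bash /bin/sh}; do
    printf '%s: %s\n' "$candidate" "$(check_shell "$candidate")"
done
```

A NOT_BASH result for /bin/sh says nothing about a bash binary installed elsewhere on the same machine; check that path separately.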

  • Pro Tools 9n shell shock.

    It must be a year since I wrote here.
    The release of PT9 is confusing to me. I understand all the options but with PTHD you can use any other boxes such as the RME 800. But why should I do that since I already have PT hardware.
    Actually I use Logic more often now (with an RME 888) and UAD2 plugins. I found this combo a much better deal than the complex, expensive PTHD setup. I work as a hobbyist but since I was a pro recording artist in my younger days I find the Logic + UAD very rewarding. So the PTHD hardware took another hit down yesterday. Which is not a good idea to follow that company IMHO. Logic and PD are just very good now and the UAD plugins are the best. I actually removed one of my accel cards to put a UAD card in my MP.
    So for those of us who do MIDI on Logic and audio on PT, the switch back to Logic is a no brainer for me. I AM FED UP with PT's superior attitude and marketing tricks. $349 for an upgrade, the list of things they provide for that money is pretty slim. 512 tracks, OH wow, I need so many tracks to record a power trio. Euphonix compatibility. NO thanks, I was NOT planning to buy a $3000 control surface.
    Native is the way........ Plus Mc DSP (Only TDM) is coming out with a AU version of their famous lines of great plugins (Close to the UAD in quality)
    SO with a new line MAC PRO, LOGIC and the UAD2 plugins a NICE I/O BOX WHAT DO PT HAVE TO SAY ABOUT THAT. NOTHING I HOPE.
    I already invested in an old and defunct system, Ensoniq PARIS, back in 1998. It was superb. But died. Don't know why. So I repeated this mistake (total 2) by buying PTHD3, so now it is time to switch back to Logic and DP. (Did you see DP, it is so good looking.) Enough. Time to make good music and I don't need PT for that. It is what's on the tracks that counts. PT is king of gimmicks. Once they wanted $600 to repair a card that I sent them working fine just to update for the new Mac Pro i7.
    Finally I was so mad I ended up paying only $150. But it shows their true color.
    Sorry for the long post
    Eric d

    The native version is going to be huge for some users but still not interesting for others. I'd say it mainly depends on the sessions, for sessions that are mainly audio PT is nice, but for midi heavy stuff Logic still probably handles it better. And for things like post mixing or intensive video work PT wins hands down although that sort of thing probably requires the $2k add on.

  • Pretty good Newegg Shell-Shocker this morning

    Per my usual routine, I was looking at today's Newegg deals. The first one looks pretty good, if you're interested in putting together a heavier desktop to run some VMs in a sandbox. The combo includes:
    AMD FX-6300 Vishera 6-Core 3.5GHz (4.1GHz Turbo) Socket AM3+ 95W FD6300WMHKBOX Desktop Processor
    GIGABYTE GA-78LMT-USB3 (rev. 6.0) AM3+ AMD 760G + SB710 USB 3.0 HDMI Micro ATX AMD Motherboard (NOTE: up to 32GB of RAM supported)
    ADATA XPG V1.0 8GB 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800) Desktop Memory Model AX3U1600W8G9-RR (x1)
    Mushkin Enhanced ECO2 MKNSSDEC120GB 2.5" 120GB SATA III MLC Internal Solid State Drive (SSD) (NOTE: A little on the small side but definitely a start)
    Seagate Barracuda ST1000DM003 1TB 7200 RPM 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive Bare Drive
    LOGISYS Computer CS136BK Micro ATX Computer Case with 480W Power...
    This topic first appeared in the Spiceworks Community


  • BASH patch issue

    Hello,
    I'm having an issue where my CPU patch sets is failing on my Solaris 10 servers. The patch 126546-07 fails, this patch is for the BASH shell. I used a patch from Oracle to patch the shell shock security vulnerability. I think the patch was not compatible with the main system patches. I would like to remove the patch and install the most current one. I think the patches were IDR patches. I don't know how to remove or find these IDR patches. Can someone give me a hand.

    For SPARC: patchrm IDR151577-01 or patchrm IDR151577-02
    For AMD: patchrm IDR151578-01 or patchrm IDR151578-02
    The -01 or -02 depends on which version of the IDR you installed, I believe there were two revisions. You can check which one you have installed by doing ls -d /var/sadm/patch/IDR*
    Patrick

  • CSCur59696 - Vulnerability in IOS.sh (shell

    Is IOS version 12.2(58)SE1 affected by this bug, or is it assumed that anything earlier than 15.0(2)SE6 is also affected?

