Red Hat Bash Code Injection Vulnerability (CVE-2014-6271)

If anyone uses Debian 6 (squeeze): official support ended 2014-05-04, but they decided to support it until February 2016:
https://lists.debian.org/debian-security-announce/2014/msg00082.html

If you want update bash on Debian 6 you need to add Long Term Support Security repo:

edit:
Code:
/etc/apt/sources.list
and add:
Code:
#LTS security
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

then:

Code:
apt-get update && apt-get install bash

I suggest next:
Code:
apt-get dist-upgrade
shutdown -r now
 
I had already linked to https://wiki.debian.org/LTS/Using on the previous page; following the steps on that link will update every package from LTS including bash.

Also, dist-upgrade should be handled with caution: it will convert to Debian 7, and additional steps may be required, e.g. http://www.pontikis.net/blog/debian-upgrade-squeeze-to-wheezy. You should back up and read into the process carefully and not just copy-paste these commands blindly.
 
I missed your previous post. Sorry for the duplicate.

dist-upgrade - this upgrades squeeze to wheezy only when you replace the squeeze repo with the wheezy repo.

From my internal wiki:
dist-upgrade

In addition to installing the latest version of the package, it also deals with relationships (dependencies between packages installed on your system). It removes obsolete packages that are no longer needed, which upgrade does not do. This function is required when upgrading the system to a newer version in order to avoid "mixing" packages. However, the release of your distribution will not be upgraded if you don't point the /etc/apt/sources.list repositories to a newer version, so you can safely use this command to update the current version of the system (installed packages).

Thanks for link!
 
You're right about dist-upgrade, my bad!
 
Yes, update again for each server, VPS...

Do you think it needs a reboot (I am not sure)...
 
I suggest rebooting the VPS with DirectAdmin - it's only ~2 sec offline.

If you can't reboot - just reload all services and check again:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 
No reboot is necessary, as the process will be called when someone tries to exploit it. This has been confirmed by multiple sources.

Worth noting my Apache log is already showing IPs trying to exploit it by trying to open random cgi scripts in the cgi-bin folder.
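An added example (not from any poster in this thread) that wraps the env test command given earlier and scans Apache combined-format log lines for the "() {" function-definition prefix that these probes carry in request headers; the log lines, IPs and the function names shellshock_check and shellshock_probes are made up for illustration.

```shell
#!/bin/sh
# shellshock_check: run the thread's env test against the installed bash and
# print a verdict. Exit status: 0 patched, 1 vulnerable, 2 bash not found.
# The payload only echoes a word; nothing else is executed.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# shellshock_probes: list distinct client IPs whose requests carried the
# "() {" prefix (in User-Agent, Referer or any other logged header field),
# most active first. $1 is the access log path.
shellshock_probes() {
    grep -F '() {' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample log (not a real capture): three probes from two IPs and
# one ordinary request that must not match.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 287 "-" "() { :;}; echo vulnerable"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 404 287 "() { :;}; /bin/true" "curl/7.30"
192.0.2.33 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/php HTTP/1.1" 404 287 "-" "() { :;}; echo vulnerable"
EOF

# Stand-alone run: verdict for this host, then the probe summary for the sample.
shellshock_check
shellshock_probes "$SAMPLE_LOG"
```

The check exercises only the bash binary on disk; long-running services that were started before the update still need to be reloaded, as the thread notes. Point shellshock_probes at the real access log (typically /var/log/httpd/access_log or /var/log/apache2/access.log) to see which sources have been probing cgi-bin.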
 
This morning I checked and all my CentOS 6.x machines had properly updated automatically, because I have yum set for automated updates.

One of my correspondents sent me this help for admins who use RHEL 4, which is no longer covered by updates through yum:

http://serverfault.com/questions/63...vulnerabilities-in-cve-2014-6271-and-cve-2014

From this page my correspondent found the Oracle patch worked best (Oracle is built from RHEL source), but he writes to be sure to use the rpm marked as 3.0-27.0.2.el4.i386.rpm

Note I haven't tried these, I just pass them on.

Jeff
 
After yum update bash I get

Code:
printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"

after every command I use on the command line

It looks like there is something wrong...
Anyone?
 
Is that the history of commands you see when working with mc (midnight commander)?

I never used midnight commander.

This is what I get

[root@server02 ~]# php -v
php -v
PHP 5.5.17 (cli) (built: Sep 22 2014 23:35:19)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
with XCache v3.1.0, Copyright (c) 2005-2013, by mOo
with XCache Cacher v3.1.0, Copyright (c) 2005-2013, by mOo
printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"

I see the red line after everything.
 
Something must be wrong with your settings for bash prompt. You need to check /etc/profile, ~/.bashrc
 
That file hasn't changed since 2/10/13

.bashrc
Code:
# /etc/bashrc

# System wide functions and aliases
# Environment stuff goes in /etc/profile

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.

# are we an interactive shell?
if [ "$PS1" ]; then
  if [ -z "$PROMPT_COMMAND" ]; then
    case $TERM in
    xterm*)
        if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
            PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
        else
            PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
        fi
        ;;
    screen)
        if [ -e /etc/sysconfig/bash-prompt-screen ]; then
            PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
        else
            PROMPT_COMMAND='printf "\033]0;%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
        fi
        ;;
    *)
        [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
        ;;
      esac
  fi
  # Turn on checkwinsize
  shopt -s checkwinsize
  [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
  # You might want to have e.g. tty in prompt (e.g. more virtual machines)
  # and console windows
  # If you want to do so, just add e.g.
  # if [ "$PS1" ]; then
  #   PS1="[\u@\h:\l \W]\\$ "
  # fi
  # to your custom modification shell script in /etc/profile.d/ directory
fi

if ! shopt -q login_shell ; then # We're not a login shell
    # Need to redefine pathmunge, it get's undefined at the end of /etc/profile
    pathmunge () {
        case ":${PATH}:" in
            *:"$1":*)
                ;;
            *)
                if [ "$2" = "after" ] ; then
                    PATH=$PATH:$1
                else
                    PATH=$1:$PATH
                fi
        esac
    }

    # By default, we want umask to get set. This sets it for non-login shell.
    # Current threshold for system reserved uid/gids is 200
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
       umask 002
    else
       umask 022
    fi

    # Only display echos from profile.d scripts if we are no login shell
    # and interactive - otherwise just process them to set envvars
    for i in /etc/profile.d/*.sh; do
        if [ -r "$i" ]; then
            if [ "$PS1" ]; then
                . "$i"
            else
                . "$i" >/dev/null 2>&1
            fi
        fi
    done

    unset i
    unset pathmunge
fi
# vim:ts=4:sw=4

Is there anything else I can check?
 
You posted the content of /etc/bashrc here, not ~/.bashrc, didn't you?

Oops :eek:

/etc/profile, ~/.bashrc doesn't exist or is empty.
But I think there is a symbolic link to /root/.bashrc

/root/.bashrc
Code:
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi

When I do "nano /etc/profile, ~/.bashrc" the file is empty.
When I exit (Ctrl + X) it shows me /root/.bashrc
 
Sorry, no more ideas. Probably your user's environment should be checked as well.
 
A new patch has been released yesterday on 02-Oct-2014:

Code:
Bash-Release:    4.3
Patch-ID:    bash43-029

Bug-Reported-by:    Michal Zalewski <[email protected]>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

When bash is parsing a function definition that contains a here-document
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
uninitialized.  This can result in an invalid memory access when the parsed
function is later copied.
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-029


and on 01-Oct-2014:
Code:
Bash-Release:    4.3
Patch-ID:    bash43-028

Bug-Reported-by:    Florian Weimer <[email protected]>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

There are two local buffer overflows in parse.y that can cause the shell
to dump core when given many here-documents attached to a single command
or many nested loops.


http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-028

CentOS and Debian do not seem to have a new patched bash version as of yet. Probably they aren't that critical (?).
 
Thanks :)

I just found out how to fix it.

This did the trick.

Code:
unset PROMPT_COMMAND; PS1='\w> '
 