Red Hat Bash Code Injection Vulnerability (CVE-2014-6271)

nobaloney

NoBaloney Internet Svcs - In Memoriam †
I'm hoping no one will get too angry at me; I felt that Official DirectAdmin Announcements would be the best place to post this.

I got it today in an email from Red Hat. It appears a fix may already be available in the CentOS yum repository (and of course in the yum repository as well).
Subject: [Technical Security Alert] Bash Code Injection Vulnerability (CVE-2014-6271)
Date: 24 Sep 2014 15:38:12 -0400
From: Red Hat <[email protected]>

Red Hat Product Security has been made aware of a vulnerability affecting all versions of the bash package shipped with Red Hat Enterprise Linux.

Test for vulnerability:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Fix:
Code:
yum update bash

Then reboot.

Jeff
 
My old server is running Fedora 9.
I tried yum update yum and it said nothing to update,
but it shows vulnerable when I run the testing code.
 
Hello Jeff,

I guess that's a typo and you wanted to write:

Code:
yum update bash

I've tested it on my box (before update):

Code:
[root@server]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

and after update (without a reboot):

Code:
[root@server]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


And it says there that we do not need to reboot the server:

Do I need to reboot or restart services after installing this update?

No, once the new bash package is installed, you do not need to reboot or restart any services. This issue only affects the Bash shell during startup, not already running shells. Upgrading the package will ensure all new shells that are started are using the fixed version.


https://access.redhat.com/articles/1200223?sc_cid=70160000000e8eaAAA&
 
I tried yum update bash; it also said nothing to update, and it is still vulnerable. Maybe Fedora 9 is too old...
 
Thanks, Alex. I fixed my post. I got the necessity to reboot from the Red Hat vulnerability announcement page I read; I suppose it may not be important.

Jeff
 
I tried yum update bash; it also said nothing to update, and it is still vulnerable. Maybe Fedora 9 is too old...

Fedora 9 is too old. For years now I've been suggesting that Fedora is not a good choice for servers because its lifetime is too short. Not only can't you update bash, but no other yum updates will work either.

You can build bash from source and install but I don't have the instructions handy.

Jeff
 
Fedora 9 is too old. For years now I've been suggesting that Fedora is not a good choice for servers because its lifetime is too short. Not only can't you update bash, but no other yum updates will work either.

You can build bash from source and install but I don't have the instructions handy.

Jeff

Thanks, I will try building bash from source.
This one is the old server that was set up a long time ago; I have a new one with CentOS that is running fine, and I will fade this old one out soon.
Thank you for your suggestion.
 
I have downloaded the source, patched it, then built and installed it. After a reboot, I ran the testing script again, and now it is safe.
Thank you!
 
I think that the reboot is not mandatory. Only the binary is replaced.
Correct me if I am wrong.

I just saw the replies regarding the reboot,
so ignore my post.
 
Debian 6.0.10 (does not have upgraded bash in repo. Or?)
Debian 7.6 (has upgraded bash in repo)

are also vulnerable
 
And Red Hat has released another note, reporting that we're still awaiting another fix. I repeat this message as I got it.
The updated/patched bash packages do not fix the entire problem . . .

The original CVE-2014-6271 was patched but left an underlying problem still in place.
A new CVE-2014-7169 has been issued for this problem, but there is no patch yet.

To test for the remaining vulnerability paste the following into a shell
env X='() { (a)=>\' sh -c "echo date";

The above command will return an error on a patched system, but it will still
create a file 'echo'.

I am leaving on a trip (my daughter is playing with the Flagstaff Symphony Orchestra
tomorrow) so I may be out of contact for the next couple of days. Sorry about that.

One note: a reboot is NOT required for patches addressing this issue.
Jeff
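The two one-liners quoted in this thread (the original CVE-2014-6271 check and the CVE-2014-7169 follow-up) are fine for a single box, but the second one leaves a stray file named "echo" in whatever directory you ran it from, and neither gives an exit code you can script against. The script below is an added example, not from the thread or from Red Hat: it wraps both checks as functions, runs the second in a scratch directory that is removed afterwards, and returns 0 (not vulnerable), 1 (vulnerable) or 2 (could not test). The function names are my own. One deliberate change from the Red Hat note: it calls bash -c explicitly rather than sh -c, because on Debian/Ubuntu /bin/sh is dash, so the sh -c form would test the wrong shell there. It assumes bash and mktemp are on the path.

```shell
#!/bin/sh
# Added example, not part of the thread: the two one-liner tests quoted above,
# wrapped as functions with exit codes so they can be run across many hosts.
# Exit codes: 0 = not vulnerable, 1 = vulnerable, 2 = could not test.
# Both call "bash -c" explicitly: on Debian/Ubuntu /bin/sh is dash, so the
# "sh -c" form from the Red Hat note would silently test the wrong shell.

check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    # An unpatched bash imports x as a function and then runs the trailing
    # "echo vulnerable"; a patched one refuses the definition with a warning.
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    # On an unpatched bash the malformed definition leaves the parser in a
    # redirect state, so "echo date" is treated as "> echo date" and a file
    # named "echo" appears in the working directory. Run inside a scratch
    # directory so the real cwd is never littered, then look for that file.
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$scratch"
    return "$rc"
}

# Print a one-line verdict for a check and pass its exit code through.
report() {
    name=$1
    shift
    rc=0
    "$@" || rc=$?
    case "$rc" in
        0) echo "$name: not vulnerable" ;;
        1) echo "$name: VULNERABLE" ;;
        *) echo "$name: could not test (bash not found or mktemp failed)" ;;
    esac
    return "$rc"
}

report CVE-2014-6271 check_cve_2014_6271
report CVE-2014-7169 check_cve_2014_7169
```

Save it as, say, check_shellshock.sh and run it with sh; a non-zero exit from either report line tells a deployment or monitoring script that the host still needs the updated bash package (or a rebuild from source, as discussed above for distributions that no longer receive updates).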
 
Code:
[root@server ~]# env X='() { (a)=>\' sh -c "echo date";
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
[root@server ~]#


and a file "echo" was created before the update, and this

Code:
[root@server ~]# env X='() { (a)=>\' sh -c "echo date";
date

after the update:

Code:
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.2 will be an update
 