LinuxMCE Forums

General => Users => Topic started by: purps on October 01, 2014, 10:08:51 am

Title: Shellshock vulnerability - do we need to do anything?
Post by: purps on October 01, 2014, 10:08:51 am
Not wanting to start a panic or anything, but thought I should ask the question seeing as we are all using Linux and not only that, using it as a gateway/router.

I had an email come round at work warning us of this potential weakness. It was recommended we run the following command...
Quote
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo this is a test"

...to see if we are vulnerable. If I am to believe this test, then apparently I am.

What can we do, if anything?

Cheers,
Matt.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: coley on October 01, 2014, 11:47:13 am
Code: [Select]
apt-get update && apt-get upgrade
should sort you out - updated bash packages have been released already.

-Coley.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: purps on October 01, 2014, 01:20:01 pm
Yeah I was afraid somebody might say that :-)

Is there any way to upgrade only the packages affected by this issue?

Cheers,
Matt.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: coley on October 01, 2014, 02:07:53 pm
Code: [Select]
sudo apt-get install bash
-Coley.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: purps on October 01, 2014, 04:12:40 pm
I'm getting the following error:

Code: [Select]
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  bash-doc
Recommended packages:
  bash-completion
The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 172 not upgraded.
Need to get 0B/647kB of archives.
After this operation, 57.3kB disk space will be freed.
WARNING: The following packages cannot be authenticated!
  bash
Authentication warning overridden.
(Reading database ... 132533 files and directories currently installed.)
Preparing to replace bash 4.1-2ubuntu3 (using .../bash_4.1-2ubuntu3.4_i386.deb) ...
Unpacking replacement bash ...
dpkg: error processing /var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb (--unpack):
 trying to overwrite '/bin/sh', which is also in package dash 0:0.5.5.1-3ubuntu2
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.
Processing triggers for man-db ...
Errors were encountered while processing:
 /var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

I have tried "sudo apt-get install --true-upgrade bash" and "sudo apt-get install --reinstall bash" also.

Cheers,
Matt.

EDIT: Could I chroot from a live CD or something? If yes, to what directory? Or have I misunderstood how one uses chroot?
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: coley on October 01, 2014, 05:01:24 pm
Check out this thread:
http://forum.linuxmce.org/index.php?topic=13769.0

-Coley.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: purps on October 02, 2014, 11:20:36 am
Saw that but didn't twig that it was the issue I was having, thanks.

I followed the steps to make dash the default shell. I guess that solves the problem in itself.

I tried to then upgrade bash, but it said it was at the newest version - as far as I am aware it never got upgraded. So in any event I hope I'm safe.

Cheers,
Matt.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: phenigma on October 02, 2014, 06:29:55 pm
Keep in mind that the majority of LMCE scripts are bash based and are not compatible with dash.  You will want to ensure that bash is updated and functional.

J.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: mkbrown69 on October 03, 2014, 01:49:00 am
You really want to patch your bash.  There are 6 CVE alerts against this, all with a CVSS score of 10 (meaning really bad).  I've been dealing with this at work, on almost every flavor of *nix out there.

Run
Code: [Select]
sudo apt-get update && cat /etc/lsb-release && sudo apt-cache policy bash
If Candidate is not the same as Installed, you're not patched to the latest available.

Code: [Select]
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
bash:
  Installed: 4.2-2ubuntu2.5
  Candidate: 4.2-2ubuntu2.5
  Version table:
 *** 4.2-2ubuntu2.5 0


Your version number should be equal to or greater than the ones listed at this link:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7187.html

Ubuntu 10.04 LTS (Lucid Lynx):   released (4.1-2ubuntu3.4)
Ubuntu 12.04 LTS (Precise Pangolin):   released (4.2-2ubuntu2.5)
Ubuntu 14.04 LTS (Trusty Tahr):   released (4.3-7ubuntu1.4)
Ubuntu 14.10 (Utopic Unicorn):   released (4.3-9ubuntu4)

The gory details are all here:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6271.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6277.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6278.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7186.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7187.html

Hope that helps!

/Mike
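
Added example (not part of the original posts): the Installed/Candidate check described above, combined with the per-release fixed versions quoted in the post, run over saved `apt-cache policy bash` output. The function names and status strings are hypothetical, and the sample policy text is constructed from version strings that appear in this thread.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not from the LinuxMCE project.
# Fixed bash versions per Ubuntu release, copied from the list in the post above.
fixed_version_for() {
  case "$1" in
    10.04) echo "4.1-2ubuntu3.4" ;;
    12.04) echo "4.2-2ubuntu2.5" ;;
    14.04) echo "4.3-7ubuntu1.4" ;;
    14.10) echo "4.3-9ubuntu4" ;;
    *) return 1 ;;
  esac
}

# True if version $1 >= $2. Uses dpkg's ordering when dpkg is present, otherwise
# GNU "sort -V" (an approximation that agrees with dpkg for these versions).
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# bash_patch_status RELEASE POLICY_TEXT (text of "apt-cache policy bash").
# The body runs in a subshell, so its variables stay local.
bash_patch_status() (
  release="$1"
  installed=$(printf '%s\n' "$2" | awk '$1 == "Installed:" {print $2; exit}')
  candidate=$(printf '%s\n' "$2" | awk '$1 == "Candidate:" {print $2; exit}')
  if ! fixed=$(fixed_version_for "$release"); then echo "unknown-release"
  elif [ -z "$installed" ] || [ "$installed" = "(none)" ]; then echo "not-installed"
  elif version_ge "$installed" "$fixed"; then echo "patched"
  elif version_ge "$candidate" "$fixed"; then echo "upgrade-pending"
  else echo "fix-not-offered"   # apt offers nothing >= the fixed version
  fi
)

# Constructed sample inputs (not captured from a real machine).
SAMPLE_PENDING='bash:
  Installed: 4.1-2ubuntu3
  Candidate: 4.1-2ubuntu3.4'
SAMPLE_STALE='bash:
  Installed: 4.1-2ubuntu3
  Candidate: 4.1-2ubuntu3'
SAMPLE_PATCHED='bash:
  Installed: 4.2-2ubuntu2.5
  Candidate: 4.2-2ubuntu2.5'
bash_patch_status 10.04 "$SAMPLE_PENDING"
bash_patch_status 10.04 "$SAMPLE_STALE"
bash_patch_status 12.04 "$SAMPLE_PATCHED"
```

The second sample is the case worth noticing: Installed equals Candidate, but both are below the fixed version, so matching values alone do not show the fix is in place.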
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: purps on October 03, 2014, 10:05:43 am
Thanks for the expert help guys. My 10.04 installation is showing "Installed: 4.1-2ubuntu3.4" which matches the candidate, so looks like I'm good.

Cheers,
Matt.
Title: Re: Shellshock vulnerability - do we need to do anything?
Post by: bushtech on October 03, 2014, 11:22:07 am
Thank you Mike, that worked brilliantly! All my machines updated