Author Topic: Shellshock vulnerability - do we need to do anything?  (Read 1935 times)

purps

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1402
  • If it ain't broke, tweak it
    • View Profile
Shellshock vulnerability - do we need to do anything?
« on: October 01, 2014, 10:08:51 am »
Not wanting to start a panic or anything, but thought I should ask the question seeing as we are all using Linux and not only that, using it as a gateway/router.

I had an email come round at work warning us of this potential weakness. It was recommended we run the following command...
Quote
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo this is a test

...to see if we are vulnerable. If I am to believe this test, then apparently I am.

What can we do, if anything?

Cheers,
Matt.
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps

coley

  • Guru
  • ****
  • Posts: 492
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #1 on: October 01, 2014, 11:47:13 am »
Code: [Select]
apt-get update && apt-get upgradeshould sort you out - updated bash packages have been released already.

-Coley.

purps

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1402
  • If it ain't broke, tweak it
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #2 on: October 01, 2014, 01:20:01 pm »
Yeah I was afraid somebody might say that :-)

Is there any way to upgrade only the packages affected by this issue?

Cheers,
Matt.
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps

coley

  • Guru
  • ****
  • Posts: 492
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #3 on: October 01, 2014, 02:07:53 pm »
Code: [Select]
sudo apt-get install bash
-Coley.

purps

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1402
  • If it ain't broke, tweak it
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #4 on: October 01, 2014, 04:12:40 pm »
I'm getting the following error:

Code: [Select]
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  bash-doc
Recommended packages:
  bash-completion
The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 172 not upgraded.
Need to get 0B/647kB of archives.
After this operation, 57.3kB disk space will be freed.
WARNING: The following packages cannot be authenticated!
  bash
Authentication warning overridden.
(Reading database ... 132533 files and directories currently installed.)
Preparing to replace bash 4.1-2ubuntu3 (using .../bash_4.1-2ubuntu3.4_i386.deb) ...
Unpacking replacement bash ...
dpkg: error processing /var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb (--unpack):
 trying to overwrite '/bin/sh', which is also in package dash 0:0.5.5.1-3ubuntu2
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.
Processing triggers for man-db ...
Errors were encountered while processing:
 /var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

I have tried "sudo apt-get install --true-upgrade bash" and "sudo apt-get install --reinstall bash" also.

Cheers,
Matt.

EDIT: Could I chroot from a live CD or something? If yes, to what directory? Or have I misunderstood how one uses chroot?
« Last Edit: October 01, 2014, 04:19:42 pm by purps »
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps


purps

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1402
  • If it ain't broke, tweak it
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #6 on: October 02, 2014, 11:20:36 am »
Saw that but didn't twig that it was the issue I was having, thanks.

I followed the steps to make dash the default shell. I guess that solves the problem in itself.

I tried to then upgrade bash, but it said it was at the newest version - as far as I am aware it never got upgraded. So in any event I hope I'm safe.

Cheers,
Matt.
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps

phenigma

  • LinuxMCE God
  • ****
  • Posts: 1721
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #7 on: October 02, 2014, 06:29:55 pm »
Keep in mind that the majority of LMCE scripts are bash based and are not compatible with dash.  You will want to ensure that bash is updated and functional.

J.

mkbrown69

  • Guru
  • ****
  • Posts: 213
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #8 on: October 03, 2014, 01:49:00 am »
You really want to patch your bash.  There are 6 CVE alerts against this, all with a CVSS score of 10 (meaning really bad).  I've been dealing with this at work, on almost every flavor of *nix out there.

Run
Code: [Select]
sudo apt-get update && cat /etc/lsb-release && sudo apt-cache policy bash
If Candidate is not the same as Installed, you're not patched to the latest available.

Code: [Select]
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
bash:
  Installed: 4.2-2ubuntu2.5
  Candidate: 4.2-2ubuntu2.5
  Version table:
 *** 4.2-2ubuntu2.5 0


Your version number should be equal or greater than the ones listed at this link:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7187.html

Ubuntu 10.04 LTS (Lucid Lynx):   released (4.1-2ubuntu3.4)
Ubuntu 12.04 LTS (Precise Pangolin):   released (4.2-2ubuntu2.5)
Ubuntu 14.04 LTS (Trusty Tahr):   released (4.3-7ubuntu1.4)
Ubuntu 14.10 (Utopic Unicorn):   released (4.3-9ubuntu4)

The gory details are all here:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6271.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6277.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6278.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7186.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7187.html

Hope that helps!

/Mike
« Last Edit: October 03, 2014, 01:56:01 am by mkbrown69 »

purps

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1402
  • If it ain't broke, tweak it
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #9 on: October 03, 2014, 10:05:43 am »
Thanks for the expert help guys. My 10.04 installation is showing "Installed: 4.1-2ubuntu3.4" which matches the candidate, so looks like I'm good.

Cheers,
Matt.
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps

bushtech

  • Veteran
  • ***
  • Posts: 98
    • View Profile
Re: Shellshock vulnerability - do we need to do anything?
« Reply #10 on: October 03, 2014, 11:22:07 am »
Thank you Mike, that worked brilliantly! All my machines updated
Core:Asus P8H77-V, Intel core i3-3240 LGA155, Inno 3D Nvidia 240 GT (DVI+VGA+HDMI), 4Gb ram, 125Gb SSD
MD: Zotax Zbox ID41