Major Bash vulnerability affects Linux, Unix, Mac OS X (Shellshock)

Discussion in 'other security issues & news' started by Minimalist, Sep 24, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @lotuseclat79 the above works on Ubuntu 12.04, but not on Fedora 20; their patch appears to be better. Not sure about Ubuntu 14.04. Just FYI.

    I am absolutely hating this...
     
  2. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Tested one of my Debian 7.6 (Wheezy) boxes after I updated everything (including bash obviously). Looks like Debian is ok.
     
  3. dewilder

    dewilder Registered Member

    Joined:
    Jun 20, 2013
    Posts:
    10
OS X Mavericks vulnerable
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    "No it isn't, Apple said we have nothing to worry about!"

    (Sigh.)
     
  5. dewilder

    dewilder Registered Member

    Joined:
    Jun 20, 2013
    Posts:
    10
The patch at https://shellshocker.net/#update for Mac OS
doesn't fix all the exploits on Mac :(
     
    Last edited by a moderator: Sep 26, 2014
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @dewilder not sure if I trust that site. The 'curl ... | sh -' command it advises would be nothing short of insane to run on a production server.

    Edit: err. If you installed the patch and it doesn't fix anything, you might want to consider that you just might have compromised your Mac. Not necessarily, but yeah.

    I'm going to look at the shell script from the site...

    Edit 2: okay, what it does is download and compile bash with the latest upstream patches... except for one, patch #026, for another vulnerability found by Tavis Ormandy:

    ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026

    Long story short, it appears to work almost as advertised. But running someone else's shell script as root, on a production machine, without even looking at it, is still highly inadvisable. Good intentions there, but I really can't condone that site, because it promotes awful habits.
     
    Last edited: Sep 26, 2014
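An added example, not from this thread and not the shellshocker.net script: a local check for the two public Shellshock reproducers that the post above distinguishes, the original CVE-2014-6271 and the follow-up found by Tavis Ormandy that bash43-026 addresses (CVE-2014-7169). It assumes only that the bash to test is on PATH or is passed as the first argument. The probe strings are the widely published 2014 test cases, and the script installs and changes nothing, which is the point of running it instead of a curl-to-sh installer.

```shell
#!/bin/sh
# Added example: local Shellshock checks that fetch and run no remote code.
# Assumptions: the bash under test is on PATH or given as $1. The two probe
# values are the public 2014 reproducers for CVE-2014-6271 and CVE-2014-7169.
# Each check returns 0 = not vulnerable, 1 = vulnerable, 2 = could not test.

check_cve_2014_6271() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # A vulnerable bash keeps parsing after the function body and executes the
    # trailing "echo vulnerable" while importing the variable from the environment.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

check_cve_2014_7169() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    # On a bash with only the first patch, the dangling ">\" left behind by the
    # parse error turns "echo date" into a redirection, so the output of "date"
    # lands in a file named "echo" in the working directory.
    ( cd "$dir" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$dir/echo" ]; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

# Prints one line per CVE and returns 1 if either check found a hole.
shellshock_report() {
    bin="${1:-bash}"
    bad=0
    for cve in 6271 7169; do
        rc=0
        "check_cve_2014_$cve" "$bin" || rc=$?
        case $rc in
            0) echo "CVE-2014-$cve: not vulnerable" ;;
            1) echo "CVE-2014-$cve: VULNERABLE"; bad=1 ;;
            *) echo "CVE-2014-$cve: could not test ($bin not found)" ;;
        esac
    done
    return $bad
}

shellshock_report "${1:-bash}"
```

Run it once per bash on the machine (`sh check.sh /bin/bash`, then again for anything built from source under /usr/local), because a self-compiled bash does not replace the system one and a service may be using either.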
  7. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
  8. silverfoxuk

    silverfoxuk Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    4
    McAfee seem to be having a problem with this:

    McAfee Security Bulletin: (CVE-2014-6271) Bash Bug/Shellshock Code Injection Exploit (SB10085)
    Several McAfee products are vulnerable to the Bash Bug/Shellshock Code Injection Exploit (CVE-2014-6271). Investigation into all McAfee products is ongoing. See SB10085 for a list of vulnerable products and available mitigation, as well as a list of those products not vulnerable. SB10085 will be frequently updated as additional information is available.

    McAfee Security Bulletin - The Bash Shellshock Code Injection Exploit Updates
    https://kc.mcafee.com/corporate/index?page=content&id=SB10085
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area

    "Apple says most Mac users are safe from 'Shellshock' Bash bug, promises quick fix

    Brad Chacos @BradChacos Sep 26, 2014 9:00 AM

    Yes, recent versions of Mac OS X are vulnerable to the critical “Shellshock” Bash bug revealed earlier this week, including OS X Mavericks—but don’t sweat it unless you’re doing ninja-level Unix tricks with shell commands already.

    That comes straight from Apple, which provided iMore with the following comment on the Shellshock bug:

    The vast majority of OS X users are not at risk to recently reported bash vulnerabilities… With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

    If you’re one of those advanced Unix users, check out this StackExchange thread for instructions on how to recompile Bash with Xcode to squash the bug. That’s a highly technical fix, however, and you should just wait for the official OS X patch if you’re not comfortable mucking around in the Terminal command line.

    Check out Macworld’s guide to keeping your home computer safe from Shellshock for more info, including details about home networking gear that might also be vulnerable to the Bash bug.

    http://www.macworld.com/article/268...m-shellshock-bash-bug-promises-quick-fix.html
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://blog.trendmicro.com/trendlab...s-seen-shellshock-exploit-attempts-in-brazil/
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://securityaffairs.co/wordpress/28684/security/mac-oracle-bash-bug.html
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
I demand a tax refund!! Why didn't NSA discover and use this o_O?

    Ummm. Maybe they did.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    The bug was there for decades. I think they knew about it and used it also :)
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,052
    Location:
    Texas
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Summary of Shellshock-Related Stories and Materials
    http://blog.trendmicro.com/trendlab...-of-shellshock-related-stories-and-materials/
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "Security researchers have found new flaws in bash, rendering previous patches ineffective.

    Your system is still vulnerable to the Shellshock bug, even if you’ve patched it. Security researchers have found new flaws in bash, rendering previous patches ineffective.

    Linux stewardship company Red Hat released a series of fixes to patch up the eight or so versions of bash that were vulnerable. On Friday, Red Hat released a second round of patches to resolve newly discovered security flaws, and those discoveries keep coming.........

    Google security researcher Michal "lcamtuf" Zalewski has been tweeting as he uncovers increasingly serious vulnerabilities in the bash shell. He recommends Red Hat security researcher Florian Weimer’s still-unofficial patch..........

    http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bug

    Posted today, 9/29/14 at 9:45AM

    ...............................

    "Further flaws render Shellshock patch ineffective

    Sep 29, 2014 10:19 AM



    Patched systems remain vulnerable.

    The Shellshock vulnerability in the commonly used Bash command line interpreter shell is likely to require more patches, as security researchers continue to unearth further problems in the code.

    Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

    "The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said..............

    Zalewski has discussed the vulnerabilities with the groups that volunteer to maintain Bash and to Linux OS vendors directly involved in attempting to resolve the original Shellshock vulnerability.

    "We want to give people some time to update before we share additional details," Zalewski said...........

    There is an unofficial patch ready, Zalewski said and he recommends users apply it urgently.

    "Somewhere in the middle of all this, Florian Weimer developed an unofficial patch that mitigates this and all future problems in the bash function parser by shielding it from remotely-originating data.

    "As of today, this patch is already shipping with several Linux distributions, but many users will need to update manually," he added........

    Full Story: http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx

    ................
    A Good Read on the History of Bash:

    "The Internet Is Broken, and Shellshock Is Just the Start of Our Woes

............When Bash was built, no one thought to audit it for internet attacks because that didn’t really make sense. 'Worrying about this being one of the most [used] pieces of software on the planet and then having malicious people attack it was just not a possibility,'........

    In digital terms, Fox’s Bash program was about the same size as, say, a photograph snapped with your iPhone. But back in 1987, he couldn’t email it across the country. The internet was only just getting off the ground. There was no world wide web, and the most efficient way to move that much data across the country was to put it in the trunk of a car."

    Full Read here: http://www.wired.com/2014/09/shellshocked-bash/
     
    Last edited: Sep 29, 2014
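What Florian Weimer's change does is visible from the environment itself, so here is an added example (not from the articles quoted above, and not Weimer's patch) that tells a hardened bash from a pre-patch one: it reports the variable name bash uses when it exports a function, checks that an attacker-style value such as a CGI-supplied HTTP_USER_AGENT beginning with "() {" is left as plain data instead of being handed to the function parser, and confirms that a deliberately exported function still imports under the new prefixed name. It assumes bash is on PATH or is passed as the first argument, and that the hardened name forms are BASH_FUNC_name%% (upstream) or BASH_FUNC_name() (Red Hat's backport); the header value is constructed.

```shell
#!/bin/sh
# Added example: observe how a hardened bash isolates function imports.
# Assumptions: bash is on PATH or given as $1; hardened builds export functions
# as BASH_FUNC_name%% (upstream) or BASH_FUNC_name() (Red Hat backport).
# Return codes: 0 = hardened behaviour, 1 = pre-patch behaviour, 2 = cannot test.

# Prints the environment key bash uses for an exported function "f":
# "f" on a pre-patch bash, "BASH_FUNC_f%%" or "BASH_FUNC_f()" when hardened.
exported_function_key() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    "$bin" -c 'f() { :; }; export -f f; env' 2>/dev/null \
        | sed -n 's/=().*//p' | head -n 1
}

# Returns 0 if a variable whose value starts with "() {" stays a string,
# 1 if bash imported it as a function (and ran whatever followed the body).
header_value_stays_data() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # Constructed attacker-style value, shaped like a CGI-exported HTTP header.
    env HTTP_USER_AGENT='() { :;}; echo injected' \
        "$bin" -c 'if type HTTP_USER_AGENT >/dev/null 2>&1; then echo function; else echo data; fi' 2>/dev/null \
        | grep -q '^data$'
}

# Returns 0 if a function exported under this bash's own key format is still
# imported: the mechanism survives, only the unprefixed path is closed.
prefixed_import_works() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    key=$(exported_function_key "$bin")
    [ -n "$key" ] || return 2
    # Reuse whatever format this bash produced for "f", but for a function "g".
    key=$(printf '%s' "$key" | sed 's/f/g/')
    env "$key=() { echo imported; }" "$bin" -c 'g' 2>/dev/null | grep -q '^imported$'
}

hardening_report() {
    bin="${1:-bash}"
    key=$(exported_function_key "$bin") || { echo "$bin: could not test"; return 2; }
    echo "exported function key: $key"
    if header_value_stays_data "$bin"; then
        echo "header-style value: kept as data"
    else
        echo "header-style value: IMPORTED AS FUNCTION"
    fi
    if prefixed_import_works "$bin"; then
        echo "prefixed import: works"
    else
        echo "prefixed import: broken"
    fi
}

hardening_report "${1:-bash}"
```

A key of plain `f` means this bash still feeds every environment variable to the function parser, which is the condition the quoted articles describe as still exposed regardless of how many parser bugs have been patched individually; the prefixed key means remotely supplied variables such as HTTP headers, SSH_ORIGINAL_COMMAND or DHCP options can no longer reach that parser unless the transport lets an attacker choose a name containing `%%` or `()`.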
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
This is awful, and I'm afraid it is representing the iceberg.

Improving the situation structurally is going to take years, and require a sea-change in approaches to liability and money. The problem right now is that Joe Public's interests are being trashed by governments and corporations when it comes to the internet. Incomprehensible ToS and EULAs provide no real liability for corporates that do not do proper due diligence on the systems they use, including having proper maintenance contracts and security audits of the systems, and spending a decent amount of money on getting high quality reviewed Open Source code. At the same time, we have governments actively attacking and weakening systems, not revealing vulnerabilities.

    Because neither governments nor corporations pay the direct cost of breaches (of OUR data), they have no particular incentive to change this, and so the bad guys can make hay.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,052
    Location:
    Texas
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://www.fireeye.com/blog/technical/2014/10/the-shellshock-aftershock-for-nas-administrators.html
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://www.securitybistro.com/?p=8945
     