Shellshock - Final Fix Released: Time to Re-Patch
Bill Malchisky September 29 2014 12:17:00 AM
Author's Note: Thank you to the ICS community for their tremendous support of my first Shellshock post. For those that read it early, you received critical information 14-72 hours before many sites released their stories. Several readers were fully patched before big names tweeted the issue. You were well ahead of the curve. Shellshock stories released over the weekend proved outdated and incomplete. This post provides better information faster. I am grateful for your support.As I mentioned last week, the Shellshock bug is real, but the then available fix handled all exploits but one. Very early on Saturday, 27 September 2014, a patch became available after two days of community scrutiny. Getting patched for this exploit is important to ensure a full complete production-grade solution for the Shellshock bug. Fortunately, the fix for this and two the two additional Bash exploits identified is trivial to apply.
New Exploits Identified
"The original flaw in Bash was assigned CVE-2014-6271. Shortly after that issue went public a researcher found a similar flaw that wasn’t blocked by the first fix and this was assigned CVE-2014-7169. Later, Red Hat Product Security researcher Florian Weimer found additional problems and they were assigned CVE-2014-7186 and CVE-2014-7187. It’s possible that other issues will be found in the future and assigned a CVE designator even if they are blocked by the existing patches." --Via Red Hat's Shellshock FAQ
The excellent work of Florian Weimer at Red Hat in identifying two additional moderate exploits. Because of this, you should see reference to the later exploits if you are using a GUI update tool like Ubuntu's Update Manager (image below). Regardless, follow the respective distro update step provided below to ensure you are protected. Then, test for success.
Red Hat updated their Shellshock Impact Statement for this issue.
Testing for the Initial Remaining Exploit -- CVE-2014-7169
The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:
[malchw@localhost Desktop]$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
Positive Result
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Sun Sep 28 00:03:50 PDT 2014
Negative Result
date
cat: /tmp/echo: No such file or directory
Notations
1. If you are running any Linux appliance, security server, or server application on Linux such as IBM Protector, ensure you test for this exploit
2. Apple Macintosh computers running OS X are in-scope, albeit casual users are a lower risk, power users should take this exploit seriously
3. No reboot is required when updating Bash
4. The fix for CVE-2014-7169 includes fixes for CVE-2014-7186 and CVE-2014-7187 if you updated Bash on or after Saturday, 27 September: indicated with RHSA-2014:1306-1, RHSA-2014:1311-1, and RHSA-2014:1312-1
(Japanese coding fix)
-- RHSA = Red Hat Security Advisory
5. Red Hat just released a Shellshock Vulnerability Detector shell script which you can run instead -- available here
6. The fix for CVE-2014-7169 is Important and should be patched; the two new moderate exploits being addressed is not justification for this type of blog post, just a bonus
Applying the Fix
Some distros released a Bash update early Sunday morning, 28 September. Ubuntu's fix hit my machines at 2:15 am EDT.
Red Hat made the fix available via RHN and all registered systems can download it easily, else you download the file from RHN for manual installation.
The confirmation section below shows you how to ensure you have the correct patch installed, as the fix version management can get confusing.
RHEL: # yum update bash
On my older RHEL 5 box: # rpm -Uvh bash-3.2-33.el5_11.4.i386.rpm
Centos: # yum update bash
Ubuntu: $update-manager -or- $sudo apt-get update
Notations
1. If you receive the message, "No Packages marked for Update", then run # yum clean all && yum bash install
2. If you are still seeing this message and you have not updated bash, pull the latest file from your distro's support site
3. Apple was notified privately by the Bash maintainer several times along with a patch to use: Apple still has not released a fix (as of this post's time-stamp)
4. Hat tip Frank for providing a Mac solution for power users, located here
UPDATES
5. Apple finally released a Bash update for Mavericks, Lion, and Mountain Lion via App Store, as of dinner time, EDT
Hat tip Theo for the patch link
6. IBM released an updated Bash patch for Protector over the weekend, replacing Friday's Bash patch
Hat tip Mathieu for the patch update
Example Output - RHEL 6.5 Client
[root@localhost ~]# yum update bash
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security,
: subscription-manager
This system is receiving updates from Red Hat Subscription Management.
This system is receiving updates from RHN Classic or RHN Satellite.
rhel-6-desktop-rpms | 3.7 kB 00:00
rhel-6-desktop-rpms/primary_db | 27 MB 01:10
rhel-x86_64-client-6 | 1.8 kB 00:00
rhel-x86_64-client-6/primary | 18 MB 00:19
rhel-x86_64-client-6 10417/10417
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.2 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
bash x86_64 4.1.2-15.el6_5.2 rhel-6-desktop-rpms 905 k
Transaction Summary
================================================================================
Upgrade 1 Package(s)
Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.2.x86_64.rpm | 905 kB 00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : bash-4.1.2-15.el6_5.2.x86_64 1/2
Cleanup : bash-4.1.2-15.el6_4.x86_64 2/2
rhel-6-desktop-rpms/productid | 1.7 kB 00:00
Verifying : bash-4.1.2-15.el6_5.2.x86_64 1/2
Verifying : bash-4.1.2-15.el6_4.x86_64 2/2
Updated:
bash.x86_64 0:4.1.2-15.el6_5.2
Complete!
Confirmation of Success
[root@localhost ~]# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
[root@localhost tmp]#
On Red Hat based systems, you want to ensure that you have the ".2" release for your respective newer version, as below for my RHEL 6.5 box
[root@localhost tmp]# rpm -qi bash-4.1.2
rpm -qi bash-4.1.2
Name : bash Relocations: (not relocatable)
Version : 4.1.2 Vendor: Red Hat, Inc.
Release : 15.el6_5.2 Build Date: Thu 25 Sep 2014 08:10:26 AM PDT
Install Date: Sun 28 Sep 2014 12:16:27 AM PDT Build Host: x86-023.build.eng.bos.redhat.com
Results after the first Shellshock Bash release fix -- using my CentOS 6.5 box, which fails the above test (patched after this query).
[bill@localhost tmp]$ rpm -qi bash
Name : bash Relocations: (not relocatable)
Version : 4.1.2 Vendor: CentOS
Release : 15.el6_5.1 Build Date: Wed 24 Sep 2014 07:45:54 AM PDT
Install Date: Wed 24 Sep 2014 11:05:39 PM PDT Build Host: c6b8.bsys.dev.cen
Red Hat Bash Releases with the New Fix (Also Addressing CentOS)
* RHEL 7 - bash-4.2.45-5.el7_0.4
* RHEL 6 - bash-4.1.2-15.el6_5.2
* RHEL 5 - bash-3.2-33.el5_11.4
Additional Mitigation Options
The linked document contains several mitigations if you are waiting for approval to patch, or are unable to patch your servers.
Via Red Hat -- Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169)
- Comments [0]
