Everything you need to know about the Shellshock Bash bug
Source: http://www.troyhunt.com/
What are the potential ramifications?
The potential is enormous: getting shell on a box has always been a major win for an attacker because of the control it offers them over the target environment. Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It's almost limitless and it's also readily automatable. There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.
Unfortunately when it comes to arbitrary code execution in a shell on up to half the websites on the internet, the potential is pretty broad. One of the obvious (and particularly nasty) ones is dumping internal files for public retrieval. Password files and configuration files with credentials are the obvious ones, but could conceivably extend to any other files on the system.
Likewise, the same approach could be applied to write files to the system. This is potentially the easiest website defacement vector we've ever seen, not to mention a very easy way of distributing malware.
Read more: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
Haven't seen anything posted on this. While most home users are not affected, the internet services you use are going to be affected. What is alarming is the simplicity of the exploit and its broad nature.
Vulnerability Summary for CVE-2014-6271
Original release date: 09/24/2014
Last revised: 09/24/2014
Source: US-CERT/NIST
Overview
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Official CVE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Concerns about patches here:
http://www.theregister.co.uk/2014/09/25/shellshock_bash_worm_type_fears/
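The NVD overview above names mod_cgi as a vector: CGI hands request headers to the script as environment variables, so an attempt shows up in the access log as a Referer or User-Agent value that begins with a function definition, `() {`. The following log check is an added example, not part of the original post or the NVD entry; it assumes Apache's combined log format, and the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log lines whose Referer or User-Agent value
# begins with a Bash function definition, "() {".
# Assumption: Apache "combined" log format. Every log line is constructed.

sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo constructed-sample"
198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/search HTTP/1.1" 500 0 "() { :;}; echo constructed-sample" "curl/7.38.0"
192.0.2.10 - - [25/Sep/2014:10:03:30 +0000] "GET /docs/js HTTP/1.1" 200 900 "http://example.test/?q=function() { }" "Mozilla/5.0"
EOF
}

# Split each line on double quotes: $2 request, $4 Referer, $6 User-Agent.
# Only a value that STARTS with "() {" is flagged, since that is the prefix
# an affected bash treats as a function definition when importing a variable.
# The last sample line has "() {" mid-value and is deliberately not flagged.
scan_log() {
    awk -F'"' '
    {
        hit = ""
        if ($4 ~ /^[(][)] *[{]/) hit = "referer"
        if ($6 ~ /^[(][)] *[{]/) hit = (hit == "" ? "user-agent" : hit "+user-agent")
        if (hit != "") {
            split($1, client, " "); split($2, req, " "); split($3, resp, " ")
            # Output: client address, HTTP status, request path, matching field
            print client[1], resp[1], req[2], hit
        }
    }'
}

sample_log | scan_log
```

A hit only shows that the request was attempted; whether it reached bash depends on the handler behind the requested path.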
defacto7
(13,485 posts)
This is a bad one. And if you updated bash yesterday, you need to do it again today. Yesterday's patches were incomplete.
Everyone---> Please update your software in general -> right now. It makes Heartbleed pale in comparison. Whereas Heartbleed could only steal information, this one can take over your computer and do anything including destroying your hard drive.
No particular OS is safe... Apple, Linux, Unix even MS is possible since they use a hidden unix shell in the background.
a2liberal
(1,524 posts)
Last I checked (before leaving work), I saw no official new patches for the follow-on vulnerabilities. If they've been released I'd appreciate a link. Thanks!
defacto7
(13,485 posts)
Just ran updates.. then read up about why. There may be more so I'd run updates every day for a while.
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
http://www.cbc.ca/news/technology/shellshock-computer-bug-already-exploited-by-hackers-1.2777514?cmp=rss
I found this which leads to Red Hat's patches: http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg4501271.html
I have a machine I need to patch manually for various reasons, going to go try that now with the red hat patches
defacto7
(13,485 posts)
BadgerKid
(4,555 posts)
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
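The two messages in the post above are what a bash carrying the first CVE-2014-6271 fix prints when it refuses to import a function from the environment. The local self-check below is an added example, not part of the thread; the function name and result labels are hypothetical, it assumes `bash` is on PATH, and it covers only CVE-2014-6271, so a clean result says nothing about the follow-on CVE-2014-7169.

```shell
#!/bin/sh
# Added example: classify the local bash against CVE-2014-6271.
# The probe only echoes a marker word; nothing is written or sent anywhere.

check_bash() {
    shell=${1:-bash}                     # assumption: bash is on PATH
    command -v "$shell" >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # Environment value shaped like an exported function, followed by a
    # trailing command. An affected bash runs the trailing command on import.
    out=$(env x='() { :;}; echo PROBE_RAN' "$shell" -c 'echo body' 2>&1)

    case $out in
        *PROBE_RAN*)
            echo "vulnerable" ;;         # trailing command was executed
        *"ignoring function definition attempt"*)
            echo "patched-warns" ;;      # import refused with the warning quoted above
        *)
            echo "not-imported" ;;       # later bash: a variable named x is not parsed as a function
    esac
}

check_bash
```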
a2liberal
(1,524 posts)
I don't know whether Ubuntu had fixes for the new find... On my phone right now, but one of the links from the new cve I posted in my other post has an example test for it (puts the date into a file called echo just by setting a malformed environment variable and running echo date in a subshell)
davidpdx
(22,000 posts)
I'm a doctorate student and losing everything would be pretty much like jumping off a building. I have a computer running Windows 7 and use mostly Chrome for internet, and Microsoft Office 2010 for my writing. For security I have Norton 360.
Edit: I've updated Windows and Norton
Omaha Steve
(99,726 posts)
defacto7
(13,485 posts)
has dropped.
a2liberal
(1,524 posts)
The initial fixes for this bug did not fix things completely... people have found other parsing bugs that are still present and allow similar vulnerabilities. Last I checked (a few hours ago), there were no official patches for the follow-on (though there are proposed patches floating around)
Follow-on CVE: CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
defacto7
(13,485 posts)
Keep it up because people have to know that they need to get the fixes as they come.
Yesterday's patch was incomplete... there are new ones out this evening... I suspect more will be coming.
Erich Bloodaxe BSN
(14,733 posts)
Does this mean any machine running an apache webserver is in danger? And can one simply shut down the webserver to make things secure until OS is updated (in cases where no update specifically to older bash versions has been issued?)
defacto7
(13,485 posts)
Any machine is vulnerable to exploit from this problem... but at this moment, any machine running an OS based on UNIX is on the front line and that means Mac as well as Linux. Routers and firewalls are vulnerable if they run a bash-based execution system.
Apache could be on any of these OSs and could be hacked if the hacker gets shell, but then they would have access to everything else on the machine as well. You can shut down your server completely or take it off line and that would keep an exploit away but stopping Apache in particular doesn't matter.
Another thing that's misunderstood is that it takes 2 parts to exploit this hole. One is the bash shell and the other is a script in some software that allows the intruder access. No one really knows how many programs or what hardware code have these bits of script that can allow bash to take over. They can fix bash to a point but finding the codes in all the vulnerable programs will be a long and daunting task. That's why everyone needs to update everything regularly.
Specifically, just update/upgrade your server. That's all you can do. I wouldn't worry about shutting down Apache in particular, just upgrade as soon as possible. Remember, this is a newfound vulnerability in bash, it's not an exploit or a virus... it's the way a virus gets in. Close the hole before people start using the vulnerability to get in.
Erich Bloodaxe BSN
(14,733 posts)
Yeah, I was talking Linux - and my bash is definitely older, and no patch has been issued yet. I'm going to have to upgrade the OS version first, I think before they'll even likely make a patch, my OS is out of date. I don't have a lot of ports open on that machine, and the webserver one is the one I would assume most hackers would be aiming for as being most commonly open among infectable machines.
I am so glad I don't work for my last company at this point - we'd have dozens of production servers to take care of at this point, and it would have all been dumped on me.