
Author Topic: "Shellshock" Bash Vulnerability Report  (Read 6006 times)


Offline AndyInMokum

  • Global Moderator
  • Hero
  • Posts: 4808
  • Karma: 1012
  • "Keep on Rockin' in the Free World"
  • Peppermint version(s): PM 9 & PM 8 Respin-2 (64-bit)
"Shellshock" Bash Vulnerability Report
« on: September 25, 2014, 10:30:31 am »
Just to let everyone know that a "Bash" vulnerability has been identified. The bug, dubbed "Shellshock", can be used to remotely take control of almost any system using Bash, researchers said. It has been advised that desktops and servers be updated as soon as possible. For more information and a guide to patch instructions, please click on the following link: "Shellshock" Bash Vulnerability.

Stay safe

Andy
Backup! Backup! Backup! If you're missing any of these -  you ain't Backed Up!
For my system info please L/click HERE.

Offline PCNetSpec

  • Administrator
  • Hero
  • Posts: 25091
  • Karma: 2777
  • "-rw-rw-rw-" .. The Number Of The Beast
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: "Shellshock" Bash Vulnerability Report
« Reply #1 on: September 25, 2014, 11:36:01 am »
If your Peppermint One, Ice, Three, or Five installation is up to date .. you are "semi" protected.

A patch that was "supposed" to fix the CVE-2014-6271 vulnerability was released and Ubuntu duly released a patched version of bash as a security update, but the patch has been found to be "incomplete" and has been reassigned CVE-2014-7169.

I'd expect another update to follow shortly as the whole Linux development community will be working on this.

In reality, for most "desktop" users, this was a non-issue in the first place .. it could only be exploited by someone with local access, or remotely if you're offering remote services such as allowing incoming SSH connections (not available by default) or serving a website (again not a default).

So again this is more of a problem for network admins and webserver admins .. and all they really need to do is stay on top of updates.
« Last Edit: September 25, 2014, 11:42:59 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline perknh

  • Trusted User
  • Hero
  • Posts: 3813
  • Karma: 299
  • Soy un huevo, nada más.
  • Peppermint version(s): Peppermint 10
Re: "Shellshock" Bash Vulnerability Report
« Reply #2 on: September 26, 2014, 07:29:38 am »
I found this article this morning in the New York Times. Nicole Perlroth's article is entitled: Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant

If you want to read a quick history lesson on Bash, then this article is a good one.

http://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html?ref=technology

And here's Nicole Perlroth's second article on the subject today. It appears as if lots of companies are scrambling to fix the bug while, at the same time, lots of hackers are trying to exploit the bug.

http://bits.blogs.nytimes.com/2014/09/26/companies-rush-to-fix-shellshock-software-bug-as-hackers-launch-thousands-of-attacks/
« Last Edit: September 26, 2014, 05:38:45 pm by perknh »
We're all Peppermint users and that's what matters  ;).  -- AndyInMokum

Offline PCNetSpec

Re: "Shellshock" Bash Vulnerability Report
« Reply #3 on: September 26, 2014, 07:56:09 am »
Oh I've seen more sensationalist headlines than that  ::) .. how about this from The Register:-

Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open

Here's the lowdown as I see it - According to the Red Hat advisory announcement:
https://access.redhat.com/articles/1200223
the *possible* exploit vectors are:-
(I say *possible* because so far I'm unaware of any "actual" exploits, except some "proof of concept" code)

a) Using CGI scripts on a webserver that call bash - No self respecting web admin does this, and it's NOT a "user" problem even if/where they do.

b) Privilege escalation over ssh via bash scripts - Presenting SSH to the interweb/network is in my opinion something a network admin shouldn't be doing anyway (IMHO ssh should ONLY be presented through a certificate authenticated VPN tunnel) .. again, not a desktop Linux user problem (and Peppermint, like most desktop distros, doesn't have an openssh server running by default anyway), but a possible network admin issue.

c) Via a malicious DHCP server - OK, this is a possible risk if you regularly use wifi in say a coffeeshop/airport/etc and unsuspectingly get your IP assigned by a "man in the middle" malicious DHCP server .. but were you EVER safe from "man in the middle" attacks? .. connecting to unknown networks was ALWAYS inherently risky .. even with this bug patched, you're still open to packet interception.
(so the "big news" here is - Unknown networks are risky .. well duh !!!!)

d) Via a malicious CUPS server - See (c) above .. connecting to a printer via an unknown network.... blah blah, blah....

The world didn't come to an end with heartbleed (contrary to the sensationalist predictions in the press), it won't with this .. DON'T PANIC, just stay on top of updates, this is NOT a desktop Linux "user" problem .. it's a network admin problem, and there are mitigations available to them as well as the patched version of bash.

Mitigations for network admins:
https://access.redhat.com/articles/1212303



[EDIT]

I've just received another security update to bash .. hopefully this puts this bug to bed.

Quote
Changelog

bash (4.3-7ubuntu1.3) trusty-security; urgency=medium

  * Updated debian/patches/CVE-2014-7169.diff to also patch y.tab.c in
    case it doesn't get regenerated when built (LP: #1374207)
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>   Thu, 25 Sep 2014 21:20:03 -0400

CVE-2014-6271
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6271.html
fix released,

CVE-2014-7169
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html
fix released.

Guess we'll have to wait and see if anyone finds this one "incomplete" :)
« Last Edit: September 26, 2014, 02:58:31 pm by PCNetSpec »
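Added example (not code from any post in this thread, and not Red Hat's): every vector listed in the reply above (CGI scripts, bash invoked via ssh, DHCP client hooks, CUPS filters) ends the same way, with attacker-controlled text placed in an environment variable and a bash process started with that environment. The two probe strings below are the widely circulated public test commands for CVE-2014-6271 and CVE-2014-7169; the function names, the variable-name parameter and the report wrapper are my own. The probe takes any variable name precisely to show that the name does not matter to the bug.

```sh
#!/bin/sh
# Behavioural Shellshock probes for the two CVEs named in this thread.
# Added example, not from the original posts.

# probe_6271 BASH_BIN [VARNAME]
# Exports "() { :;}; echo vulnerable" under VARNAME and starts BASH_BIN.
# A bash affected by CVE-2014-6271 executes the trailing command while it
# imports the variable as a function definition. Prints "vulnerable" or
# "patched". The variable name is a parameter only to show it is irrelevant:
# a CGI server would use HTTP_COOKIE or HTTP_USER_AGENT, a DHCP client hook
# uses its option variables, the bug is the same.
probe_6271() {
    bash_bin=$1
    var=${2:-x}
    out=$(env "$var=() { :;}; echo vulnerable" "$bash_bin" -c 'echo test' 2>/dev/null || true)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# probe_7169 BASH_BIN
# CVE-2014-7169 was the parser bug left behind by the first fix: the value
# "() { (a)=>\" leaves a dangling redirection, so the following command
# "echo date" is parsed as ">echo date", i.e. the date command runs with its
# output redirected into a file named "echo" in the current directory.
# Run inside a scratch directory and look for that file.
probe_7169() {
    bash_bin=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        env 'X=() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 || true
    )
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# shellshock_report [BASH_BIN]  - run both probes against one bash binary.
shellshock_report() {
    bash_bin=${1:-bash}
    echo "bash binary:                   $bash_bin"
    echo "CVE-2014-6271 via x:           $(probe_6271 "$bash_bin" x)"
    echo "CVE-2014-6271 via HTTP_COOKIE: $(probe_6271 "$bash_bin" HTTP_COOKIE)"
    echo "CVE-2014-7169 (parser bug):    $(probe_7169 "$bash_bin")"
}

# Probe the bash on PATH, or the binary given as the first argument,
# e.g.  sh shellshock-probe.sh /bin/bash
shellshock_report "${1:-bash}"
```

Pass the path of a specific binary to check a bash you built from source (the only route the thread offers for Peppermint 2 and 4) rather than whatever is first on PATH. A "patched" result means those two specific payloads are rejected; it says nothing about the services that hand untrusted input to bash, which is why the Red Hat mitigation article linked above is still worth reading for anyone running them.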

Offline damig

  • Member
  • Posts: 126
  • Karma: 9
  • New Forum User
  • Peppermint version(s): 5 (32), 7 (64)
Re: "Shellshock" Bash Vulnerability Report
« Reply #4 on: September 27, 2014, 05:28:45 am »
Hi PCNetSpec, and thanks for the posts; you are among only a few who have got this down and are sharing it..
I guess the update is automatic with default setup (daily) of the 'software & updates'? Tried following your links down the rabbit hole....
I really feel privileged being a peppermint.

Offline PCNetSpec

Re: "Shellshock" Bash Vulnerability Report
« Reply #5 on: September 27, 2014, 05:50:10 am »
Yeah updates *should* be automatic, but can't hurt to run a manual update just in case ;)

menu > System Tools > Software Updater

You can check your bash version with:
dpkg -s bash | grep -i version
Fixed versions are:-

Peppermint 5 = 4.3-7ubuntu1.3

Peppermint 3 = 4.2-2ubuntu2.3

Peppermint One/Ice = 4.1-2ubuntu3.2

There is NO fix for Peppermint 2 and 4 (and there won't be) .. if you are still running 2 or 4 and are worried about this, your only options would be to attempt to compile from source, or upgrade Peppermint.

[EDIT]

Nearly forgot .. you're most welcome damig :)
« Last Edit: September 27, 2014, 06:04:56 am by PCNetSpec »

Offline perknh

Re: "Shellshock" Bash Vulnerability Report
« Reply #6 on: September 27, 2014, 03:13:58 pm »
Thank you AndyInMokum, and PCNetSpec, for keeping us informed, and up to date, concerning this  ‘Shellshock’ Software Bug.

Our two home Peppermint OSes now have Bash Version: 4.3-7ubuntu1.4.

I read we should still wait a few days before making credit card purchases online. I suspect this advice is to keep us on the safe side of things in case some companies are slow to update, or upgrade, their servers.

I second damig's thoughts here:

It's a privilege to be member of Peppermint Nation!  :)

Thank you, both.

perknh

Offline AndyInMokum

Re: "Shellshock" Bash Vulnerability Report
« Reply #7 on: September 27, 2014, 06:32:53 pm »
According to the newspapers, this was the BIG one. The Four Horsemen of the Apocalypse were on their way  :o!!  Strangely enough, when I woke up this morning I found the world is still turning, the sky is still blue and beer is still too expensive  ;D

I took some friends to the Apple store here in Amsterdam because they wanted to compare the new "bendy" iPhone to the Samsung Note. The sheep in there were still bleating too  :P.  They were completely oblivious to the potential problems they face. Mind you, Apple don't have many public facing servers; it's not their thing. That's probably why they are not in a panic.

I think the boys and girls at Redhat, CentOS etc have this all under control, (as usual).  This is a great example of how the Open-source community comes together and just gets things done  ;)!!
« Last Edit: September 27, 2014, 07:26:57 pm by AndyInMokum »

Offline PCNetSpec

Re: "Shellshock" Bash Vulnerability Report
« Reply #8 on: September 27, 2014, 06:52:30 pm »
@ perknh

thanks for the new bash update info :)

@ AndyInMokum

According to the newspapers, this was the BIG one. The Four Horsemen of the Apocalypse were on their way  :o!!  Strangely enough, when I woke up this morning I found the world is still turning, the sky is still blue and beer is still too expensive  ;D

...[snip]...

I think the boys and girls at Redhat, CentOS etc have this all under control, (as usual).  This is a great example of how the Open-source community comes together and just gets things done  ;)!!

Couldn't have put it better myself :)
« Last Edit: September 27, 2014, 06:55:49 pm by PCNetSpec »

Offline iamesperambient

  • Veteran
  • Posts: 1269
  • Karma: 89
  • a totally awesome dude
  • Peppermint version(s): Peppermint 8 64 bit
Re: "Shellshock" Bash Vulnerability Report
« Reply #9 on: September 28, 2014, 04:34:57 pm »
4.3-7ubuntu1.1 is what my Peppermint 5 has. I suppose this is not the update; how do I manually update to the fixed version?
http://iamesper.bandcamp.com
boring drone music from NJ

Offline perknh

Re: "Shellshock" Bash Vulnerability Report
« Reply #10 on: September 28, 2014, 04:47:24 pm »
Hello iamesperambient,

Try running these commands in your terminal.  Do one at a time:

sudo apt-get update

sudo apt-get upgrade

sudo apt-get dist-upgrade

You should end up with Bash Version: 4.3-7ubuntu1.4 after running those commands.

You can check by running PCNetSpec's command in the terminal after you've updated, upgraded, and dist-upgraded.  The code he gave us was:  dpkg -s bash | grep -i version

You can see PCNetSpec's code, or command, a few posts above ours.

Good luck!  ;)

perknh

Offline PCNetSpec

Re: "Shellshock" Bash Vulnerability Report
« Reply #11 on: September 28, 2014, 07:00:39 pm »
As perknh says, to run a full system update from the command line, run these commands in sequence:
sudo apt-get update
then
sudo apt-get upgrade
then
sudo apt-get dist-upgrade
then when that last command has finished, just in case you received a kernel update .. REBOOT.

Once rebooted, you can check your bash version with:
dpkg -s bash | grep -i version
latest fixed versions are:-

Peppermint 5 = 4.3-7ubuntu1.4

Peppermint 3 = 4.2-2ubuntu2.5

Peppermint One/Ice = 4.1-2ubuntu3.4

There are NO fixes for bash in Peppermint 2 and 4 (and there won't be) .. if you are still running 2 or 4 and are worried about this, your only options would be to attempt to compile from source, or upgrade Peppermint.
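Added example (not code from any post in this thread): the procedure above ends with reading `dpkg -s bash | grep -i version` and comparing the result by eye against the "latest fixed versions" table. The script below does that comparison, using the table exactly as posted above (Peppermint 5, 3, One/Ice fixed; 2 and 4 with no fix). The function names, the constructed sample `dpkg -s bash` output (carrying the 4.3-7ubuntu1.1 version iamesperambient reported) and the fallback comparison are my own; the fallback is a numeric-field compare that is sufficient for versions differing only in their numbers, not a full Debian version comparison, which is why `dpkg --compare-versions` is preferred whenever dpkg is present.

```sh
#!/bin/sh
# Compare an installed bash package version against the fixed versions
# listed in this thread. Added example, not code from the original posts.

# Latest fixed bash package version for each Peppermint release, as listed
# in the post above. Releases 2 and 4 have no fix and will not get one.
fixed_version_for() {
    case $1 in
        5)         echo 4.3-7ubuntu1.4 ;;
        3)         echo 4.2-2ubuntu2.5 ;;
        1|One|Ice) echo 4.1-2ubuntu3.4 ;;
        2|4)       echo none ;;
        *)         return 1 ;;
    esac
}

# Pull the "Version:" field out of `dpkg -s bash` output read on stdin.
dpkg_version() {
    sed -n 's/^Version: *//p' | head -n 1
}

# version_ge A B: succeed when package version A >= B.
# Prefer dpkg's own comparison (the authoritative Debian algorithm).
# Without dpkg, fall back to comparing numeric fields left to right, which
# is correct for versions that differ only in their numbers
# (4.3-7ubuntu1.1 vs 4.3-7ubuntu1.4) but is NOT a full Debian comparison.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
        return
    fi
    (
        set -f                                   # no globbing during word splitting
        a=$(printf '%s' "$1" | tr -c '0-9' ' ')  # "4.3-7ubuntu1.1" -> "4 3 7 1 1"
        b=$(printf '%s' "$2" | tr -c '0-9' ' ')
        set -- $a
        for y in $b; do
            x=${1:-0}
            [ $# -gt 0 ] && shift
            [ "$x" -gt "$y" ] && exit 0
            [ "$x" -lt "$y" ] && exit 1
        done
        exit 0                                   # equal, or A has extra trailing fields
    )
}

# shellshock_status RELEASE INSTALLED_VERSION
# Prints one of: fixed | needs-update | unsupported-release | unknown-release
shellshock_status() {
    fixed=$(fixed_version_for "$1") || { echo unknown-release; return 0; }
    if [ "$fixed" = none ]; then
        echo unsupported-release
    elif version_ge "$2" "$fixed"; then
        echo fixed
    else
        echo needs-update
    fi
}

# Constructed sample of `dpkg -s bash` output (not captured from a real
# machine); the version is the one reported a few posts above.
# On a real Peppermint box replace it with:  dpkg -s bash | dpkg_version
SAMPLE_DPKG_OUTPUT='Package: bash
Status: install ok installed
Priority: required
Section: shells
Version: 4.3-7ubuntu1.1
Architecture: amd64'

# report [RELEASE]  - status of the sample version for one Peppermint release.
report() {
    release=${1:-5}
    installed=$(printf '%s\n' "$SAMPLE_DPKG_OUTPUT" | dpkg_version)
    echo "Peppermint $release, bash $installed: $(shellshock_status "$release" "$installed")"
}

report 5
```

With the sample input this prints `needs-update`, the same conclusion the thread reached for that machine; after the `apt-get` sequence above the same check on real `dpkg -s bash` output reports `fixed`. The script deliberately treats a version older than the latest fixed one as needing an update even if it already carries an earlier Shellshock patch, since the thread itself records that the first fix was incomplete.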

Offline iamesperambient

Re: "Shellshock" Bash Vulnerability Report
« Reply #12 on: September 29, 2014, 03:09:14 am »
thanks all that worked!!!!

Offline perknh

Re: "Shellshock" Bash Vulnerability Report
« Reply #13 on: September 29, 2014, 02:49:41 pm »
You're welcome.  That's great!  :)

Offline iamesperambient

Re: "Shellshock" Bash Vulnerability Report
« Reply #14 on: September 29, 2014, 10:46:51 pm »
Just curious, any reason why it did not update automatically by itself to this?
I feel like my updater is not working correctly; any way to see if there is an issue with that?