PauloV Posted September 26, 2014 (edited)

Hello,

Just a warning to all server admins who still don't know about the "shellshock" security risk: test and update the servers immediately, or else....

Full details here:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://forums.cpanel.net/f185/bash-code-injection-vulnerability-via-specially-crafted-environment-variables-cve-2014-6271-a-429671.html
https://www.webhostingtalk.com/showthread.php?t=1414839
https://access.redhat.com/articles/1200223

The fix still doesn't fix 100% of the problem, but helps:

100% Resolved on Bash Update: https://access.redhat.com/security/cve/CVE-2014-6271
Still not resolved: 100% Resolved on Bash Update: https://access.redhat.com/security/cve/CVE-2014-7169

Fix for CVE-2014-6271 and CVE-2014-7169

On SSH, execute the following.

For Red Hat Linux distros or CloudLinux, just do this:

    yum clean all
    yum update bash

For Ubuntu/Debian do this:

    apt-get update
    apt-get upgrade

To check if you are running the latest Bash, do this:

    rpm -qa bash

You don't need to reboot the server.

You have to have in Red Hat 6, at least version 5.2 of bash.

Don't ignore this or you will get real nightmares

=====================
Here are some test tools to detect some of the "shellshock" security:
http://shellshock.brandonpotter.com/
http://www.shellshocktest.com/
Use the above test links at your own risk
=====================

Edited September 26, 2014 by PauloV

Michael Posted September 26, 2014

They fixed both CVEs today, so ensure it says:

Use:

    yum list installed | grep bash

Should see:

    bash.x86_64 4.1.2-15.el6_5.2 @updates

------

    Downloading Packages:
    bash-4.1.2-15.el6_5.2.x86_64.rpm | 905 kB 00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating : bash-4.1.2-15.el6_5.2.x86_64 1/2
      Cleanup : bash-4.1.2-15.el6_5.1.x86_64 2/2
      Verifying : bash-4.1.2-15.el6_5.2.x86_64 1/2
      Verifying : bash-4.1.2-15.el6_5.1.x86_64 2/2

    Updated:
      bash.x86_64 0:4.1.2-15.el6_5.2

PauloV (Author) Posted September 26, 2014

Here are some test tools to detect some of the "shellshock" security:
http://shellshock.brandonpotter.com/
http://www.shellshocktest.com/
Use the above at your own risk

Note:
100% Resolved on Bash Update: https://access.redhat.com/security/cve/CVE-2014-6271
Still not resolved: https://access.redhat.com/security/cve/CVE-2014-7169

Michael Posted September 26, 2014

> Here are some test tools to detect some of the "shellshock" security:
> http://shellshock.brandonpotter.com/
> http://www.shellshocktest.com/
> Note:
> 100% Resolved on Bash Update: https://access.redhat.com/security/cve/CVE-2014-6271
> Still not resolved: https://access.redhat.com/security/cve/CVE-2014-7169

From what I'm aware of:

CVE-2014-6271 Fixed in: bash-4.1.2-15.el6_4.x86_64
CVE-2014-7169 Fixed in: bash-4.1.2-15.el6_5.1.x86_64

Daniel B Posted September 26, 2014

I would be wary of using online tools to check for this vulnerability... as there is no way to tell which ones truly have your best interest in mind, and which ones are just trying to gather a list of vulnerable systems to sell to the highest bidder. It's easy enough to test for this on the server itself, without having to worry about a third party trying to exploit your server (which is what all of these tests are doing...).

Just my opinion though.

PauloV (Author) Posted September 26, 2014

> I would be wary of using online tools to check for this vulnerability... as there is no way to tell which ones truly have your best interest in mind, and which ones are just trying to gather a list of vulnerable systems to sell to the highest bidder. It's easy enough to test for this on the server itself, without having to worry about a third party trying to exploit your server (which is what all of these tests are doing...).
>
> Just my opinion though.

I only publish the links because I have checked some background first, and of course the code for the testing is publicly available.

But thanks for the warning; I have added a warning note above on the test links.

PauloV (Author) Posted September 26, 2014

> From what I'm aware of:
>
> CVE-2014-6271 Fixed in: bash-4.1.2-15.el6_4.x86_64
> CVE-2014-7169 Fixed in: bash-4.1.2-15.el6_5.1.x86_64

Some confusing data rolling out, the fix was released 2 hours ago.

OK, doing some digging I found the new patch:
https://access.redhat.com/articles/1200223
https://bugzilla.redhat.com/show_bug.cgi?id=1146319

Patch for Red Hat 5, 6 and 7:
https://rhn.redhat.com/errata/RHSA-2014-1306.html

The updated and correct version is:

== Red Hat V5 ==
32: bash-3.2-33.el5_11.4.i386.rpm
64: bash-3.2-33.el5_11.4.x86_64.rpm

== Red Hat V6 (most used on servers) ==
64: bash-4.1.2-15.el6_5.2.x86_64.rpm

== Red Hat V7 ==
64: bash-4.2.45-5.el7_0.4.x86_64.rpm

Michael Posted September 26, 2014

> Some confusing data rolling out, the fix was released 2 hours ago.
>
> == Red Hat V6 (most used on servers) ==
> 64: bash-4.1.2-15.el6_5.2.x86_64.rpm

Merci mate, bloody hell, they said expect more than one patch, but man, 2 in a day. Oh well, better safe than sorry.

I was just doing a client's server and mine, and his server was updated with CloudLinux 6. Mine was updated via the CentOS updates repo (I think InterWorx ran it for us).

    [root@system ~]# yum update bash -y
    Loaded plugins: fastestmirror, replace
    Determining fastest mirrors
    epel/metalink | 16 kB 00:00
     * base: centos.mirror.nac.net
     * epel: mirror.cs.pitt.edu
     * extras: mirror.symnds.com
     * remi: remi.check-update.co.uk
     * updates: centos.aol.com
     * webtatic: us-east.repo.webtatic.com
    base | 3.7 kB 00:00
    base/primary_db | 4.4 MB 00:01
    epel | 4.4 kB 00:00
    epel/primary_db | 6.3 MB 00:00
    extras | 3.3 kB 00:00
    extras/primary_db | 19 kB 00:00
    interworx-beta | 2.5 kB 00:00
    interworx-beta/primary_db | 38 kB 00:00
    interworx-beta-noarch | 2.5 kB 00:00
    interworx-beta-noarch/primary_db | 43 kB 00:00
    interworx-release | 2.5 kB 00:00
    interworx-release/primary_db | 174 kB 00:00
    interworx-release-candidate | 2.5 kB 00:00
    interworx-release-candidate/primary_db | 57 kB 00:00
    interworx-release-candidate-noarch | 2.5 kB 00:00
    interworx-release-candidate-noarch/primary_db | 164 kB 00:00
    interworx-release-noarch | 2.5 kB 00:00
    interworx-release-noarch/primary_db | 252 kB 00:00
    interworx-stable | 2.5 kB 00:00
    interworx-stable/primary_db | 135 kB 00:00
    interworx-stable-noarch | 2.5 kB 00:00
    interworx-stable-noarch/primary_db | 157 kB 00:00
    kernelcare | 951 B 00:00
    kernelcare/primary | 2.7 kB 00:00
    kernelcare 17/17
    mod-spdy | 951 B 00:00
    mod-spdy/primary | 1.1 kB 00:00
    mod-spdy 1/1
    remi | 2.9 kB 00:00
    remi/primary_db | 1.0 MB 00:00
    scl | 2.9 kB 00:00
    scl/primary_db | 517 kB 00:00
    updates | 3.4 kB 00:00
    updates/primary_db | 5.3 MB 00:00
    webtatic | 3.6 kB 00:00
    webtatic/primary_db | 216 kB 00:00
    Setting up Update Process
    No Packages marked for Update
    [root@system ~]# rpm -Uvh http://mirror.centos.org/centos/6.5/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm
    Retrieving http://mirror.centos.org/centos/6.5/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm
    Preparing... ########################################### [100%]
    package bash-4.1.2-15.el6_5.2.x86_64 is already installed
    [root@system ~]# yum list installed | grep bash
    bash.x86_64 4.1.2-15.el6_5.2 @updates
    [root@system ~]#

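
Added example (not part of any post in this thread): a POSIX shell check that compares a bash RPM name against the fixed builds listed above for Red Hat 5, 6 and 7. The function names are hypothetical, and the field-by-field comparison is a simplified stand-in for rpm's own version ordering.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the fixed builds are the ones listed in the thread for Red Hat 5, 6 and 7.
fixed_build() {
    case "$1" in
        5) echo "3.2-33.el5_11.4" ;;
        6) echo "4.1.2-15.el6_5.2" ;;
        7) echo "4.2.45-5.el7_0.4" ;;
        *) return 1 ;;
    esac
}

# "4.1.2-15.el6_5.2" -> numeric fields "4 1 2 15 6 5 2"
numeric_fields() {
    printf '%s\n' "$1" | tr -c '0-9\n' ' '
}

# Succeeds when version-release $1 >= $2, field by field (missing field = 0).
# A simplified stand-in for rpm's own comparison, enough for these builds.
vr_at_least() {
    have_fields=$(numeric_fields "$1")
    want_fields=$(numeric_fields "$2")
    set -- $have_fields
    for want in $want_fields; do
        have=${1:-0}
        if [ "$have" -gt "$want" ]; then return 0; fi
        if [ "$have" -lt "$want" ]; then return 1; fi
        if [ "$#" -gt 0 ]; then shift; fi
    done
    return 0
}

# Classify an RPM name such as "bash-4.1.2-15.el6_5.2.x86_64".
# Prints patched, outdated, or unknown (not an EL 5/6/7 bash build).
check_bash_pkg() {
    pkg=${1%.rpm}
    vr=${pkg#bash-}
    if [ "$vr" = "$pkg" ]; then echo unknown; return 0; fi
    case "$vr" in *.x86_64|*.i386|*.i686) vr=${vr%.*} ;; esac
    major=$(printf '%s\n' "$vr" | sed -n 's/.*\.el\([0-9][0-9]*\).*/\1/p')
    fixed=$(fixed_build "$major") || { echo unknown; return 0; }
    if vr_at_least "$vr" "$fixed"; then echo patched; else echo outdated; fi
}

# On an RPM-based host, check the installed package.
if command -v rpm >/dev/null 2>&1; then
    check_bash_pkg "$(rpm -q bash)"
fi
```
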
Daniel B Posted September 26, 2014

> (I think InterWorx ran it for us)

I think so too, just went through updating 8 servers, all of the InterWorx ones were already complete.

Paul Posted September 26, 2014

All patched up again today, after getting all patched up yesterday. If there's another patch to fix the previous patches I'm going to start drawing some parallels.

astroroxy Posted September 29, 2014

http://shellshockvuln.com from my colo provider.