Bash Vulnerability

battletoad

ArsTechnica said:
A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.

The bug, discovered by Stephane Chazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian
...
More
...

Time to start updating
 
Man. Am I glad I'm not at my old company anymore. Almost every pit mine in the world has a Linux server running their system. And if that system crashes - day to day pit operations stop.
And it runs on a Fedora kernel - we never really upgraded it to the newest versions, too much hassle ('Hi there, do you mind if we reboot the server next shift change, it's been up for 19 months').
It's going to be a busy day.
 
No patch for Fedora 20 as yet but my CentOS servers were vulnerable prior to running an update.
 
Looks like my systems are secure:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

I haven't updated in a couple of weeks (I'm procrastinating on a kernel update as that requires a reboot).

Running latest version of CentOS.
 
Man. Am I glad I'm not at my old company anymore. Almost every pit mine in the world has a Linux server running their system. And if that system crashes - day to day pit operations stop.
And it runs on a Fedora kernel - we never really upgraded it to the newest versions, too much hassle ('Hi there, do you mind if we reboot the server next shift change, it's been up for 19 months').
It's going to be a busy day.

No worries bruh Linux will never ever crash.

Don't know what **** this thread is about, but Linux has no vulnerabilities. It's ****ing ironclad, watertight and impenetrable.
 
Mac OS X on my machine is vulnerable, it would appear:
Code:
Last login: Thu Sep 25 11:41:48 on ttys000
GregMBP:~ gregory$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
GregMBP:~ gregory$
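
The two results posted above (the CentOS warning output and the Mac OS X "vulnerable" output), read by a script instead of by eye. This is an added example, not code from any poster or vendor: the function names `classify_probe`, `probe_bash` and `audit` and the result labels are made up for illustration; the probe itself is the one-liner from the posts.

```bash
#!/usr/bin/env bash
# Added example: run the thread's one-line probe against each bash binary
# given as an argument and classify what comes back.
# Usage (paths are examples): ./check.sh /bin/bash /usr/local/bin/bash
# Function names and result labels are illustrative, not from any tool.

# classify_probe TEXT: TEXT is the probe's combined stdout and stderr.
classify_probe() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The command trailing the function body ran during import.
        echo vulnerable
    elif ! printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # The harmless command never ran (missing binary, not a shell, ...).
        echo inconclusive
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        # Import was refused with a warning, as in the CentOS output above.
        echo patched-with-warning
    else
        # The value was passed through as an ordinary string.
        echo not-vulnerable
    fi
}

# probe_bash PATH: run the probe with PATH as the shell under test.
probe_bash() {
    local bin="$1" out
    # "|| true" keeps a failing probe from aborting callers that use set -e.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>&1) || true
    classify_probe "$out"
}

# audit PATH...: one "path: result" line per binary.
audit() {
    local bin
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(probe_bash "$bin")"
    done
}

# Only audit when binaries were named on the command line.
[ "$#" -eq 0 ] || audit "$@"
```

A system can carry more than one bash binary, so each path has to be probed separately; updating the distribution package only replaces the copy that package owns.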
 
Mac OS X on my machine is vulnerable, it would appear:
Code:
Last login: Thu Sep 25 11:41:48 on ttys000
GregMBP:~ gregory$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
GregMBP:~ gregory$

I might need to test my WD MyCloud as well.
 
https://access.redhat.com/articles/1200223

Update: 2014-09-25 03:10 UTC

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority. For details on a workaround, please see the FAQ below.

Red Hat advises customers to upgrade to the version of bash which contains the fix for CVE-2014-6271 and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.
 
One of the few times when you hear of major holes in Linux systems. Like 1% of the holes in winblows.
 
One of the few times when you hear of major holes in Linux systems. Like 1% of the holes in winblows.

It's not really a Linux vulnerability. It's a bash vulnerability.

Yes, it affects Linux and OS X more, as these OSes are more likely to use bash, but bash is also used elsewhere, such as win-bash, in routers and some Unix variants, although most enterprise Unix shops use ksh.
 
It's not really a Linux vulnerability. It's a bash vulnerability.

Yes, it affects Linux and OS X more, as these OSes are more likely to use bash, but bash is also used elsewhere, such as win-bash, in routers and some Unix variants, although most enterprise Unix shops use ksh.

Yes basically systems based on the Linux kernel

Edit: Thanks figured it's not kernel related
 
Interesting approach to taking them offline...freaking hell. It is just bash, most systems can patch that online just fine.
 