[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

Bret Busby bret at busby.net
Fri Sep 26 16:59:23 EST 2014


On Fri, 26 Sep 2014, Ian wrote:

> Date: Fri, 26 Sep 2014 05:11:03
> From: Ian <ilox11 at gmail.com>
> To: LinuxSA <linuxsa at linuxsa.org.au>,
>     Linux Australia List <linux-aus at lists.linux.org.au>
> Subject: [Linux-aus] What's the real story about Shellshock and Bash and
>     vulnerabilities in Linux and OpenSource?
> 
> The journos are having a field day over the discovery of the
> vulnerabilities in Bash, the vulnerability now called Shellshock. They talk
> of 500 million affected sites. Any Apache server is easily taken over. Some
> are reporting that the patches are not fully safe yet.
> http://www.bbc.com/news/technology-29361794
> "The new bug has turned the spotlight, once again, onto the reliance the
> technology industry has on products built and maintained by small teams
> often made up of volunteers."
> And even more fingers being pointed at the Open Source community,
> "That such key parts of everyday technology are maintained in this way is
> a cause for concern," said Tony Dyhouse from the UK's Trustworthy Security
> Initiative.
>
> "To achieve a more stable and secure technology environment in which
> businesses and individuals can feel truly safe, we have to peel back the
> layers, start at the bottom and work up," he said. "This is utterly
> symptomatic of the historic neglect we have seen for the development of a
> dependable and trustworthy baseline upon which to develop a software
> infrastructure for the UK.
> "Ultimately, this is a lifecycle problem. It's here because people are
> making mistakes whilst writing code and making further mistakes when
> patching the original problems."
> What is the real story? How vulnerable are our servers? Will the patches
> resolve the problem?
>
> Should there be a focus within the Linux world to track down all the little
> bits that make up the foundation of the software and making sure they are
> being maintained and secure and above all trusted? Perhaps LA or the next
> LCA could/should pick this up as a theme and be a leader in the open source
> world?
>
> -- 
> -- Ian
>

People should ignore the media bulls... and calmly do the proper thing, 
such as subscribing to the CERT advisories (everyone on this list, 
should already be subscribed), and, keep their systems updated.

Debian has, I believe, already provided the appropriate patch.

And, people should remember the principle that nothing is absolutely 
secure - if people are determined enough, and skilled or lucky enough, 
they can breach any security barrier. And, remember, the Australian 
feral parliament had requested that the NSA monitor all electronic 
communications of everyone in Australia. So, you are not safe anyway. 
Some pervert in the USA administration, probably knows what size and 
colour underwear you wear, all of your sexual and medical history, and, 
all of your passwords. And, a while ago, the Australian feral 
parliament passed legislation to authorise ASIO to enter anyone's 
computer and do whatever they want within the computer, and deny any 
knowledge or involvement in whatever they do and have done. Which means 
that, of the media reports that we encounter, of people found to have 
inappropriate material on their computers - child porn or "terrorist 
material" (lessons on how to play the bagpipes, etc), we have no idea as 
to how much of it was put there, intentionally or otherwise, by the 
computer user, and, how much was put there by ASIO. It is a bit like the 
justification for the invasion of Iraq - "We will find the weapons of 
mass destruction, even if we have to put them there, ourselves".

All we can do, is do the best that we can, to protect ourselves. That is 
life - whether it is what happens when we go outside our homes, or, when 
we use a computer or other electronic device.

See the message below.

--
Bret Busby
Armadale
West Australia
..............

"So once you do know what the question actually is,
  you'll know what the answer means."
- Deep Thought,
   Chapter 28 of Book 1 of
   "The Hitchhiker's Guide to the Galaxy:
   A Trilogy In Four Parts",
   written by Douglas Adams,
   published by Pan Books, 1992
....................................................

On Thu, 25 Sep 2014, US-CERT wrote:
> 
> Date: Fri, 26 Sep 2014 03:10:19
> From: US-CERT <US-CERT at ncas.us-cert.gov>
> Subject: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
> 
> NCCIC / US-CERT
> 
> National Cyber Awareness System:
> 
> TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169) [ https://www.us-cert.gov/ncas/alerts/TA14-268A ]
> 09/25/2014 12:56 PM EDT 
> Original release date: September 25, 2014
> 
> Systems Affected
>
>   * GNU Bash through 4.3.
>   * Linux, BSD, and UNIX distributions including but not limited to:
>       * CentOS [ http://lists.centos.org/pipermail/centos/2014-September/146099.html ] 5 through 7
>       * Debian [ https://lists.debian.org/debian-security-announce/2014/msg00220.html ]
>       * Mac OS X
>       * Red Hat Enterprise Linux 4 through 7
>       * Ubuntu [ http://www.ubuntu.com/usn/usn-2362-1/ ] 10.04 LTS, 12.04 LTS, and 14.04 LTS 
> 
> Overview
> 
> A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and
> Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the
> operating system [1] [ http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ ]. The United States
> Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
> 
> Description
> 
> GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing
> remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2 [
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 ], 3 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ]]
> 
> Critical instances where the vulnerability may be exposed include: [4 [ https://access.redhat.com/security/cve/CVE-2014-6271 ], 5 [
> http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ ]]
> 
>
>   * Apache HTTP Server using mod_cgi or mod_cgid scripts that are either written in bash or spawn subshells.
>   * Override or bypass of the ForceCommand feature in OpenSSH sshd, and of the limited protection for some Git and Subversion deployments used to
> restrict shells, allowing arbitrary command execution.
>   * Arbitrary commands run on a DHCP client machine, in various daemons, and in SUID/privileged programs.
>   * Exploitation of servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts. 
> 
> Impact
> 
> This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little
> skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on
> vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous
> ways.
> 
> Solution
> 
> Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the
> vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.
> 
> Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your
> vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6] [ http://www.kb.cert.org/vuls/id/252743 ].
> 
> US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169 [
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ], to mitigate damage caused by the exploit.
> 
> References
>
>   * Ars Technica, Bug in Bash shell creates big security hole on anything with *nix in it;  [
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ ]
>   * DHS NCSD; Vulnerability Summary for CVE-2014-6271 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 ]
>   * DHS NCSD; Vulnerability Summary for CVE-2014-7169 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ]
>   * Red Hat, CVE-2014-6271  [ https://access.redhat.com/security/cve/CVE-2014-6271 ]
>   * Red Hat, Bash specially-crafted environment variables code injection attack [
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ ]
>   * CERT Vulnerability Note VU#252743 [ http://www.kb.cert.org/vuls/id/252743 ] 
> 
> Revision History
>
>   * September 25, 2014 - Initial Release 
....................................................
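A defender-side check for the mod_cgi exposure the advisory lists, added here as an example and not part of this thread or of US-CERT's alert: it scans Apache combined-format access log lines (constructed samples) for the "() {" function-definition prefix that an unpatched bash would interpret once a request header or query string was copied into the CGI environment.

```python
"""Added example: flag Shellshock probe markers in Apache combined-format
access logs. Log lines are constructed samples; the pattern is the "() {"
prefix that an unpatched bash parsed as an exported function definition
at the start of an environment variable (how mod_cgi headers reached it)."""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Vulnerable bash accepted "() {" with optional whitespace; searching the
# whole field (not just its start) also catches padded or prefixed probes.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def shellshock_hits(lines):
    """Return (host, field, value) for every log field carrying the marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            # Request-line probes are usually URL-encoded in the log; match both.
            if SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)):
                hits.append((m.group("host"), field, value))
    return hits


# Constructed samples: a benign request, a probe in User-Agent, and a
# URL-encoded probe in the query string of a CGI request.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:10:00:01 +1000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2014:10:00:02 +1000] "GET /cgi-bin/status HTTP/1.1" '
    '200 77 "-" "() { :;}; echo probe"',
    '203.0.113.5 - - [26/Sep/2014:10:00:03 +1000] '
    '"GET /cgi-bin/status?%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 200 77 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for host, field, value in shellshock_hits(SAMPLE_LOG):
        print(f"{host}: Shellshock marker in {field}: {value!r}")
```

A hit in the log only shows that a probe arrived; whether it succeeded depends on whether the bash behind the CGI script had the CVE-2014-6271 and CVE-2014-7169 fixes installed.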