[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

Steve Dalton steve at refactor.com.au
Fri Sep 26 17:17:53 EST 2014


I talked about it constructively with some people at my current client
today (a large financial institution).

[Incidentally it was nice to see that all the servers I had access to
had been patched already. They are a Redhat shop - so I'm guessing a lot
of this happened quite seamlessly.]

Talked at our standup meeting about the good side of this (how FLOSS
works in general and how people come together at times like this). I
used this FSF press release for a bit of inspiration:

http://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

I think as members of the community it's important that we try to
educate our colleagues and combat the FUD that inevitably happens when
things like this come up.

Thanks for the link to CERT, Bret.

On Fri, Sep 26, 2014 at 4:59 PM, Bret Busby <bret at busby.net> wrote:
> On Fri, 26 Sep 2014, Ian wrote:
>
>> Date: Fri, 26 Sep 2014 05:11:03
>> From: Ian <ilox11 at gmail.com>
>> To: LinuxSA <linuxsa at linuxsa.org.au>,
>>     Linux Australia List <linux-aus at lists.linux.org.au>
>> Subject: [Linux-aus] What's the real story about Shellshock and Bash and
>>     vulnerabilities in Linux and OpenSource?
>>
>> The journos are having a field day over the discovery of the
>> vulnerabilities in Bash, the vulnerability now called Shellshock. They
>> talk of 500 million affected sites. Any Apache server is easily taken
>> over. Some are reporting that the patches are not fully safe yet.
>> http://www.bbc.com/news/technology-29361794
>> "The new bug has turned the spotlight, once again, onto the reliance the
>> technology industry has on products built and maintained by small teams
>> often made up of volunteers."
>>
>> And even more fingers being pointed at the Open Source community:
>>
>> "That such key parts of everyday technology are maintained in this way is
>> a cause for concern," said Tony Dyhouse from the UK's Trustworthy Security
>> Initiative.
>>
>> "To achieve a more stable and secure technology environment in which
>> businesses and individuals can feel truly safe, we have to peel back the
>> layers, start at the bottom and work up," he said. "This is utterly
>> symptomatic of the historic neglect we have seen for the development of a
>> dependable and trustworthy baseline upon which to develop a software
>> infrastructure for the UK.
>>
>> "Ultimately, this is a lifecycle problem. It's here because people are
>> making mistakes whilst writing code and making further mistakes when
>> patching the original problems."
>>
>> What is the real story? How vulnerable are our servers? Will the patches
>> resolve the problem?
>>
>> Should there be a focus within the Linux world to track down all the
>> little bits that make up the foundation of the software and making sure
>> they are being maintained and secure and above all trusted? Perhaps LA or
>> the next LCA could/should pick this up as a theme and be a leader in the
>> open source world?
>>
>> --
>> -- Ian
>>
>
> People should ignore the media bulls... and calmly do the proper thing, such
> as subscribing to the CERT advisories (everyone on this list should already
> be subscribed), and keep their systems updated.
>
> Debian has, I believe, already provided the appropriate patch.
>
> And, people should remember the principle that nothing is absolutely secure
> - if people are determined enough, and skilled or lucky enough, they can
> breach any security barrier. And, remember, the Australian feral parliament
> had requested that the NSA monitor all electronic communications of everyone
> in Australia. So, you are not safe anyway. Some pervert in the USA
> administration probably knows what size and colour underwear you wear, all
> of your sexual and medical history, and all of your passwords. And, a while
> ago, the Australian feral parliament passed legislation to authorise ASIO to
> enter anyone's computer and do whatever they want within the computer, and
> deny any knowledge or involvement in whatever they do and have done. Which
> means that, of the media reports that we encounter, of people found to have
> inappropriate material on their computers - child porn or "terrorist
> material" (lessons on how to play the bagpipes, etc), we have no idea as to
> how much of it was put there, intentionally or otherwise, by the computer
> user, and how much was put there by ASIO. It is a bit like the
> justification for the invasion of Iraq - "We will find the weapons of mass
> destruction, even if we have to put them there, ourselves".
>
> All we can do, is do the best that we can, to protect ourselves. That is
> life - whether it is what happens when we go outside our homes, or, when we
> use a computer or other electronic device.
>
> See the message below.
>
> --
> Bret Busby
> Armadale
> West Australia
> ..............
>
> "So once you do know what the question actually is,
>  you'll know what the answer means."
> - Deep Thought,
>   Chapter 28 of Book 1 of
>   "The Hitchhiker's Guide to the Galaxy:
>   A Trilogy In Four Parts",
>   written by Douglas Adams,
>   published by Pan Books, 1992
> ....................................................
>
> On Thu, 25 Sep 2014, US-CERT wrote:
>>
>>
>> Date: Fri, 26 Sep 2014 03:10:19
>> From: US-CERT <US-CERT at ncas.us-cert.gov>
>> Subject: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>     Vulnerability (CVE-2014-6271, CVE-2014-7169)
>>
>> NCCIC / US-CERT
>>
>> National Cyber Awareness System:
>>
>> TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
>> (CVE-2014-6271, CVE-2014-7169)
>> [ https://www.us-cert.gov/ncas/alerts/TA14-268A ]
>> Original release date: September 25, 2014 (09/25/2014 12:56 PM EDT)
>>
>> Systems Affected
>>
>>   * GNU Bash through 4.3.
>>   * Linux, BSD, and UNIX distributions including but not limited to:
>>       * CentOS 5 through 7
>>         [ http://lists.centos.org/pipermail/centos/2014-September/146099.html ]
>>       * Debian
>>         [ https://lists.debian.org/debian-security-announce/2014/msg00220.html ]
>>       * Mac OS X
>>       * Red Hat Enterprise Linux 4 through 7
>>       * Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
>>         [ http://www.ubuntu.com/usn/usn-2362-1/ ]
>>
>> Overview
>>
>> A critical vulnerability has been reported in the GNU Bourne Again Shell
>> (Bash), the common command-line shell used in most Linux/UNIX operating
>> systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely
>> execute shell commands by attaching malicious code in environment variables
>> used by the operating system [1] [
>> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>> ]. The United States Department of Homeland Security (DHS) is releasing
>> this Technical Alert to provide further information about the GNU Bash
>> vulnerability.
>>
>> Description
>>
>> GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands
>> placed after function definitions in the added environment variable,
>> allowing remote attackers to execute arbitrary code via a crafted
>> environment which enables network-based exploitation. [2 [
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 ], 3 [
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ]]
>>
>> Critical instances where the vulnerability may be exposed include: [4 [
>> https://access.redhat.com/security/cve/CVE-2014-6271 ], 5 [
>> http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>> ]]
>>
>>
>>   * Apache HTTP Server using mod_cgi or mod_cgid scripts either written in
>>     bash, or that spawn subshells.
>>   * Override or Bypass ForceCommand feature in OpenSSH sshd and limited
>>     protection for some Git and Subversion deployments used to restrict
>>     shells and allows arbitrary command execution capabilities.
>>   * Allow arbitrary commands to run on a DHCP client machine, various
>>     Daemons and SUID/privileged programs.
>>   * Exploit servers and other Unix and Linux devices via Web requests,
>>     secure shell, telnet sessions, or other programs that use Bash to
>>     execute scripts.
>>
>> Impact
>>
>> This vulnerability is classified by industry standards as “High” impact
>> with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes
>> little skill to perform. This flaw allows attackers to provide specially
>> crafted environment variables containing arbitrary commands that can be
>> executed on vulnerable systems. It is especially dangerous because of the
>> prevalent use of the Bash shell and its ability to be called by an
>> application in numerous ways.
>>
>> Solution
>>
>> Patches have been released to fix this vulnerability by major Linux
>> vendors for affected versions. Solutions for CVE-2014-6271 do not
>> completely resolve the vulnerability. It is advised to install existing
>> patches and pay attention for updated patches to address CVE-2014-7169.
>>
>> Many UNIX-like operating systems, including Linux distributions, BSD
>> variants, and Apple Mac OS X include Bash and are likely to be affected.
>> Contact your vendor for updated information. A list of vendors can be
>> found in CERT Vulnerability Note VU#252743 [6] [
>> http://www.kb.cert.org/vuls/id/252743 ].
>>
>> US-CERT recommends system administrators review the vendor patches and the
>> NIST Vulnerability Summary for CVE-2014-7169 [
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ], to
>> mitigate damage caused by the exploit.
>>
>> References
>>
>>   * [1] Ars Technica, Bug in Bash shell creates big security hole on
>>     anything with *nix in it [
>>     http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>>     ]
>>   * [2] DHS NCSD, Vulnerability Summary for CVE-2014-6271 [
>>     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 ]
>>   * [3] DHS NCSD, Vulnerability Summary for CVE-2014-7169 [
>>     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ]
>>   * [4] Red Hat, CVE-2014-6271 [
>>     https://access.redhat.com/security/cve/CVE-2014-6271 ]
>>   * [5] Red Hat, Bash specially-crafted environment variables code
>>     injection attack [
>>     https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>>     ]
>>   * [6] CERT Vulnerability Note VU#252743 [
>>     http://www.kb.cert.org/vuls/id/252743 ]
>>
>> Revision History
>>
>>   * September 25, 2014 - Initial Release



-- 
Refactor. Engage | Succeed | Repeat
tel: +61 (0)7 5668 3424
mob: +61 (0)414 464564
web: refactor.com.au
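The quoted alert says the CVE-2014-6271 fixes were incomplete and that admins should watch for the CVE-2014-7169 patch. A local self-check for both, written as an added example (not from the thread or the advisory): it assumes `bash` is on PATH (override with `BASH_BIN`) and exits non-zero from each check only when the installed bash executes the trailing part of an exported function definition.

```shell
#!/bin/sh
# Added example, not from the thread or the US-CERT alert.
# Assumption: the bash to test is on PATH; set BASH_BIN to test another binary.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: export a variable whose value is a function definition with
# a trailing command. A vulnerable bash runs the trailing command while
# importing the function; a patched bash treats the value as plain data.
# Returns 0 = patched, 1 = vulnerable, 2 = bash not found.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' "$BASH_BIN" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug. On an affected bash the
# malformed definition below carries a redirection into the next command, so
# 'echo probe' turns into 'probe > echo' and a file named "echo" appears in
# the working directory. Run in a scratch directory and look for that file.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo probe' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"; return 0
}

# One-word summary for scripts and monitoring: patched / vulnerable / no-bash.
shellshock_status() {
    check_cve_2014_6271 && a=0 || a=$?
    check_cve_2014_7169 && b=0 || b=$?
    if [ "$a" -eq 2 ] || [ "$b" -eq 2 ]; then echo no-bash
    elif [ "$a" -eq 1 ] || [ "$b" -eq 1 ]; then echo vulnerable
    else echo patched
    fi
}

echo "bash binary: $BASH_BIN ($("$BASH_BIN" --version 2>/dev/null | head -n1))"
echo "shellshock status: $(shellshock_status)"
```

A result of "vulnerable" means the vendor patch (or the follow-up for CVE-2014-7169) is not installed on that host; "patched" only covers these two CVEs, so still apply every later bash update the vendor ships.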


