UK Vintage Radio Repair and Restoration Powered By Google Custom Search Vintage Radio and TV Service Data

Go Back   UK Vintage Radio Repair and Restoration Discussion Forum > Other Discussions > Forum Announcements and Comments

Notices

Forum Announcements and Comments Announcements about forum changes will be made in this section. All new threads here now require moderator approval.

Closed Thread
 
Thread Tools
Old 25th Sep 2014, 2:43 pm   #1
Paul Stenning
Administrator
 
Paul Stenning's Avatar
 
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Default "Shellshock" security issue patched

This server has already been updated (during the overnight automatic updating) to fix the "Shell Shock" security issue with BASH that is causing media hype today.

http://www.bbc.co.uk/news/technology-29361794

http://www.theregister.co.uk/2014/09...sh_shell_vuln/
__________________

Paul Stenning
Forum Admin/Owner and BVWS Webmaster
Paul Stenning is online now  
Old 25th Sep 2014, 2:54 pm   #2
Guest
Guest
 
Posts: n/a
Default Re: "Shellshock" security issue patched

Thank you Paul for keeping us updated (and safe).
 
Old 25th Sep 2014, 5:01 pm   #3
paulsherwin
Moderator
 
paulsherwin's Avatar
 
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Default Re: "Shellshock" security issue patched

Anyone reading about this in the media shouldn't be too concerned about their home systems. The bug concerns the Bash command interpreter ('shell' in Unixspeak), one of many available for Unix like systems. It isn't normally used for script execution on most modern systems, not because of security concerns but because it is relatively slow with a large memory footprint. It is the default command line shell for most Linux interactive sessions, but the bug shouldn't cause problems in that case.

I think Redhat still use bash for some script execution so they do have a particular problem, but they've already issued a fix. Any Linux derived from Debian should be reasonably safe. Ubuntu hasn't used bash for scripting since (I think) 6.04 (current version is 14.04).

People should obviously apply the security updates to their Macs and Linux systems when they become available, but there's no need to panic. It's mostly an issue for servers running web hosting and databases.
paulsherwin is online now  
Old 25th Sep 2014, 5:26 pm   #4
Paul Stenning
Administrator
 
Paul Stenning's Avatar
 
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Default Re: "Shellshock" security issue patched

From an update at the end of The Register report it seems that the Red Hat fix is not complete so there will probably be another update very soon.

This server runs CentOS which is basically Red Hat rebranded, and the cPanel/WHM hosting system checks for and installs updates every night so we should get them promptly. Of course if I'm notified of an update for this I'll run the updater straight away to get it ASAP.
__________________

Paul Stenning
Forum Admin/Owner and BVWS Webmaster
Paul Stenning is online now  
Old 25th Sep 2014, 5:33 pm   #5
paulsherwin
Moderator
 
paulsherwin's Avatar
 
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Default Re: "Shellshock" security issue patched

Even if the forum server remains vulnerable, there should be no risk to forum users. The danger is that the server could be subverted and have malware installed, which could harvest data or participate in DDS attacks. The bad guys are very keen to subvert servers because they usually have very high bandwidth internet connections so can fire off a lot of data in a short time.
paulsherwin is online now  
Old 25th Sep 2014, 7:55 pm   #6
Nuvistor
Dekatron
 
Nuvistor's Avatar
 
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Default Re: "Shellshock" security issue patched

I just wonder about home routers that may have remote access set and run bash, I think quite a few run Busybox and those that do will be OK.
The other thought is phones and laptops, if they connect to a compromised public WiFi they could have malware installed and bring that inside their home network.
Perhaps I am being paranoid, cleaning up after a Nimda infection of a lot of computers many years ago probably left me this way!
Frank
Nuvistor is offline  
Old 25th Sep 2014, 8:01 pm   #7
AC/HL
Dekatron
 
AC/HL's Avatar
 
Join Date: Nov 2003
Location: Heckmondwike, West Yorkshire, UK.
Posts: 9,637
Default Re: "Shellshock" security issue patched

It's probably co-incidental, but both Firefox and Thunderbird updated themselves today on both Windows and Linux.
One of the Linux updates referred to Bash, but it was a low rated one.
AC/HL is offline  
Old 25th Sep 2014, 8:09 pm   #8
Nuvistor
Dekatron
 
Nuvistor's Avatar
 
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Default Re: "Shellshock" security issue patched

I would not expect a fix for Bash in Firefox/Thunderbird, the latest security fix was for an RSA problem with other bug fixes/enhancements.
https://www.mozilla.org/security/kno...s/firefox.html
Nuvistor is offline  
Old 25th Sep 2014, 9:08 pm   #9
paulsherwin
Moderator
 
paulsherwin's Avatar
 
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Default Re: "Shellshock" security issue patched

I believe there is currently just a proof of concept exploit in existence rather than there being anything out there in the wild. Although the exploit is relatively simple, it requires some very carefully crafted stuff to execute it. You basically need to get a system script to load an environment variable with your malicious code and export it before forking a process, at which point the code in the variable will be executed. This will need a very detailed knowledge of the particular OS version being attacked.

Just logging in with a bash shell isn't a problem, as you already have a command line interface by definition. The idea of this exploit is to run software on a system to which you don't have command line access.
paulsherwin is online now  
Old 26th Sep 2014, 8:41 am   #10
Paul Stenning
Administrator
 
Paul Stenning's Avatar
 
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Default Re: "Shellshock" security issue patched

Quote:
Originally Posted by Paul Stenning View Post
From an update at the end of The Register report it seems that the Red Hat fix is not complete so there will probably be another update very soon.
Latest BASH update installed.
__________________

Paul Stenning
Forum Admin/Owner and BVWS Webmaster
Paul Stenning is online now  
Old 26th Sep 2014, 9:04 am   #11
Nuvistor
Dekatron
 
Nuvistor's Avatar
 
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Default Re: "Shellshock" security issue patched

Thanks Paul,
according to this article it did not take long for the problems to start.
http://www.itnews.com.au/News/396197...-networks.aspx
Frank
Nuvistor is offline  
Old 26th Sep 2014, 10:28 am   #12
richrussell
Heptode
 
richrussell's Avatar
 
Join Date: Jul 2008
Location: Selby, North Yorkshire, UK.
Posts: 979
Default Re: "Shellshock" security issue patched

Anyone using Bash (or any Unix shell for that matter) to execute cgi-bin scripts for an internet facing website deserves all they get. It's been bad practice ever since cgi-bin methods were introduced in the early 1990s. Far better to use perl, php or even java for server side web site scripting as these are more limited in what they can do. The other vulnerability route is via SSH, but that requires authentication so it's less of an issue.

Also any internet facing Linux box should be using SELinux or AppArmor so that even if someone manages to run arbitrary commands in a Bash shell they can't actually achieve very much. But SELinux does take some work to get set up properly, so a lot of people don't bother.
richrussell is offline  
Old 26th Sep 2014, 11:39 am   #13
paulsherwin
Moderator
 
paulsherwin's Avatar
 
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Default Re: "Shellshock" security issue patched

Quote:
Originally Posted by Nuvistor View Post
according to this article it did not take long for the problems to start.
http://www.itnews.com.au/News/396197...-networks.aspx
It's not clear from that article that this is actually a Shellshock attack, despite the assertion. It sounds more like a brute force attack on anything with port 23 (telnet) open.

Any sysadmin that operates an internet facing server with 23 open is grossly incompetent and deserves to be sacked.
paulsherwin is online now  
Old 26th Sep 2014, 11:40 am   #14
cmjones01
Nonode
 
Join Date: Oct 2008
Location: Warsaw, Poland and Cambridge, UK
Posts: 2,669
Default Re: "Shellshock" security issue patched

As I understand it, there are lots of places that Bash gets used incidentally or even unknowingly for things like setting environment variables even if it's not actually expected to run any commands. I may have got the wrong end of the stick, but I understood that even things like SSH servers may be at risk without authentication because there are circumstances under which they can be persuaded to set environment variables behind the scenes, thus opening up the possibility of running privileged commands via un-patched Bash.

I have one internet-facing machine running Linux which exposes only an SSH server which only accepts public key authentication, but I've gone to some lengths to patch Bash on it (it's running an older distribution so was non-trivial) because of this.

Chris
__________________
What's going on in the workshop? http://martin-jones.com/
cmjones01 is offline  
Old 26th Sep 2014, 12:40 pm   #15
Paul Stenning
Administrator
 
Paul Stenning's Avatar
 
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Default Re: "Shellshock" security issue patched

Quote:
Originally Posted by cmjones01 View Post
I have one internet-facing machine running Linux which exposes only an SSH server which only accepts public key authentication....
That's the normal arrangement and is what I use; more secure than password authentication (though if you have a good password then the risk there is minimal). There is normally something in the firewall settings to block IP addresses for several hours after a certain number of failed login attempts too.
__________________

Paul Stenning
Forum Admin/Owner and BVWS Webmaster
Paul Stenning is online now  
Old 26th Sep 2014, 1:51 pm   #16
julie_m
Dekatron
 
Join Date: May 2008
Location: Derby, UK.
Posts: 7,735
Default Re: "Shellshock" security issue patched

If you're using Bash for CGI scripting, then the chances are you won't be taking any notice of environment variables. (I consider myself a reasonable Bash programmer, but I know when it's better to use something else instead.) If you need to do anything with user input, you're more likely to be using a more sophisticated language such as Perl or Python.

An attacker would also have to craft their requests very carefully to make serious use of the potential exploit. The web server runs as a non-privileged user; but obviously it does need wide-ranging read access and an attacker will get the Source Code of scripts, which may include database passwords -- which have to be in plaintext for the script). (But you didn't store plaintext passwords in your database, did you?) If port 3306 is closed or restricted to certain IP addresses, it makes it harder for attackers to raid your database.
__________________
If I have seen further than others, it is because I was standing on a pile of failed experiments.
julie_m is offline  
Old 26th Sep 2014, 2:15 pm   #17
paulsherwin
Moderator
 
paulsherwin's Avatar
 
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Default Re: "Shellshock" security issue patched

Media reports today have started to move away from yesterday's ill informed hysteria. It's very difficult for an attacker to exploit this bug over an internet connection.

The problem facing sysadmins running old unpatched versions of bash is there's no knowing where the vulnerabilities might be. Even if the OS defaults to using another shell like dash or ash for script execution, it's possible for a script to invoke bash explicitly because it needs to use some feature which is unique to bash (this is bad programming practice, but it happens).

Although I've tended to play down this bug, I wouldn't use an unpatched system open to the internet. There's always the risk that some undetected vulnerability will emerge and bite you on the bum.
paulsherwin is online now  
Old 26th Sep 2014, 2:54 pm   #18
julie_m
Dekatron
 
Join Date: May 2008
Location: Derby, UK.
Posts: 7,735
Default Re: "Shellshock" security issue patched

Quote:
Originally Posted by paulsherwin View Post
it's possible for a script to invoke bash explicitly because it needs to use some feature which is unique to bash (this is bad programming practice, but it happens).
I wouldn't call relying on Bash features bad practice. After all, it's the de facto standard shell on GNU systems; and many sysadmins on proprietary UNIX systems such as Solaris tend to install at least some of the (generally more capable) GNU userland utilities. If a Bash extension is needed by a particular script, why shouldn't you use the best tool for the job?
Quote:
Originally Posted by paulsherwin View Post
Although I've tended to play down this bug, I wouldn't use an unpatched system open to the internet. There's always the risk that some undetected vulnerability will emerge and bite you on the bum.
Well, quite. This is where "conservative" distributions such as Debian and CentOS excel -- they backport security fixes to older, established versions wherever possible. If you want shiny new everything as soon as it's ready, run Fedora -- or even Gentoo, if you don't mind learning some internals. But if you want a server that just works, run Debian or CentOS and update regularly.
__________________
If I have seen further than others, it is because I was standing on a pile of failed experiments.
julie_m is offline  
Old 26th Sep 2014, 5:35 pm   #19
paulsherwin
Moderator
 
paulsherwin's Avatar
 
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Default Re: "Shellshock" security issue patched

Quote:
Originally Posted by ajs_derby View Post
I wouldn't call relying on Bash features bad practice.
Perhaps 'bad practice' was a bit strong, but system scripts should really be written to use the Bourne shell, for compatibility reasons if nothing else.
paulsherwin is online now  
Old 26th Sep 2014, 6:56 pm   #20
SiriusHardware
Dekatron
 
Join Date: Aug 2011
Location: Newcastle, Tyne and Wear, UK.
Posts: 11,483
Default Re: "Shellshock" security issue patched

Quote:
Originally Posted by Paul Stenning View Post
Latest BASH update installed.
I haven't seen a lot of advice to casual users of Linux based home computers who seem to be assumed to know the intimate workings of their OS (really not so, in my case), but on my secondary desktop PC running Zorin OS 6 (Ubuntu based) and on my Raspberry Pis (Debian based) the initial bash update was available in the repositories (repos) last night, (25th September) and the updated update became available in the repos while I was out at work today (26th September).

In both cases (in a terminal or at the command line prompt)

Code:
sudo apt-get update
sudo apt-get install bash
...fetched and over-installed any available later version of bash.

To see your current version before or after updating,

Code:
dpkg -s bash | grep Version
..(note the capital 'V' in 'Version').
SiriusHardware is online now  
Closed Thread

Thread Tools



All times are GMT +1. The time now is 7:20 pm.


All information and advice on this forum is subject to the WARNING AND DISCLAIMER located at https://www.vintage-radio.net/rules.html.
Failure to heed this warning may result in death or serious injury to yourself and/or others.


Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Copyright ©2002 - 2023, Paul Stenning.