25th Sep 2014, 2:43 pm | #1
Administrator
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
"Shellshock" security issue patched
This server has already been updated (during the overnight automatic updating) to fix the "Shell Shock" security issue with BASH that is causing media hype today.
http://www.bbc.co.uk/news/technology-29361794 http://www.theregister.co.uk/2014/09...sh_shell_vuln/

25th Sep 2014, 2:54 pm | #2
Guest
Posts: n/a
Re: "Shellshock" security issue patched
Thank you Paul for keeping us updated (and safe).

25th Sep 2014, 5:01 pm | #3
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched
Anyone reading about this in the media shouldn't be too concerned about their home systems. The bug concerns the Bash command interpreter ('shell' in Unix-speak), one of many available for Unix-like systems. It isn't normally used for script execution on most modern systems, not because of security concerns but because it is relatively slow with a large memory footprint. It is the default command line shell for most Linux interactive sessions, but the bug shouldn't cause problems in that case.
I think Red Hat still use bash for some script execution so they do have a particular problem, but they've already issued a fix. Any Linux derived from Debian should be reasonably safe. Ubuntu hasn't used bash for scripting since (I think) 6.04 (current version is 14.04). People should obviously apply the security updates to their Macs and Linux systems when they become available, but there's no need to panic. It's mostly an issue for servers running web hosting and databases.
25th Sep 2014, 5:26 pm | #4
Administrator
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Re: "Shellshock" security issue patched
From an update at the end of The Register report it seems that the Red Hat fix is not complete so there will probably be another update very soon.
This server runs CentOS which is basically Red Hat rebranded, and the cPanel/WHM hosting system checks for and installs updates every night so we should get them promptly. Of course if I'm notified of an update for this I'll run the updater straight away to get it ASAP.

25th Sep 2014, 5:33 pm | #5
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched
Even if the forum server remains vulnerable, there should be no risk to forum users. The danger is that the server could be subverted and have malware installed, which could harvest data or participate in DDoS attacks. The bad guys are very keen to subvert servers because they usually have very high bandwidth internet connections so can fire off a lot of data in a short time.

25th Sep 2014, 7:55 pm | #6
Dekatron
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Re: "Shellshock" security issue patched
I just wonder about home routers that may have remote access set and run bash. I think quite a few run BusyBox, and those that do will be OK.
The other thought is phones and laptops: if they connect to a compromised public WiFi they could have malware installed and bring that inside their home network. Perhaps I am being paranoid; cleaning up after a Nimda infection of a lot of computers many years ago probably left me this way!
Frank

25th Sep 2014, 8:01 pm | #7
Dekatron
Join Date: Nov 2003
Location: Heckmondwike, West Yorkshire, UK.
Posts: 9,637
Re: "Shellshock" security issue patched
It's probably co-incidental, but both Firefox and Thunderbird updated themselves today on both Windows and Linux.
One of the Linux updates referred to Bash, but it was a low rated one.

25th Sep 2014, 8:09 pm | #8
Dekatron
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Re: "Shellshock" security issue patched
I would not expect a fix for Bash in Firefox/Thunderbird; the latest security fix was for an RSA problem with other bug fixes/enhancements.
https://www.mozilla.org/security/kno...s/firefox.html

25th Sep 2014, 9:08 pm | #9
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched
I believe there is currently just a proof of concept exploit in existence rather than there being anything out there in the wild. Although the exploit is relatively simple, it requires some very carefully crafted stuff to execute it. You basically need to get a system script to load an environment variable with your malicious code and export it before forking a process, at which point the code in the variable will be executed. This will need a very detailed knowledge of the particular OS version being attacked.
Just logging in with a bash shell isn't a problem, as you already have a command line interface by definition. The idea of this exploit is to run software on a system to which you don't have command line access.

26th Sep 2014, 8:41 am | #10
Administrator
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Re: "Shellshock" security issue patched
Latest BASH update installed.

26th Sep 2014, 9:04 am | #11
Dekatron
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Re: "Shellshock" security issue patched
Thanks Paul. According to this article it did not take long for the problems to start. http://www.itnews.com.au/News/396197...-networks.aspx
Frank

26th Sep 2014, 10:28 am | #12
Heptode
Join Date: Jul 2008
Location: Selby, North Yorkshire, UK.
Posts: 979
Re: "Shellshock" security issue patched
Anyone using Bash (or any Unix shell for that matter) to execute cgi-bin scripts for an internet facing website deserves all they get. It's been bad practice ever since cgi-bin methods were introduced in the early 1990s. Far better to use perl, php or even java for server side web site scripting as these are more limited in what they can do. The other vulnerability route is via SSH, but that requires authentication so it's less of an issue.
Also any internet facing Linux box should be using SELinux or AppArmor so that even if someone manages to run arbitrary commands in a Bash shell they can't actually achieve very much. But SELinux does take some work to get set up properly, so a lot of people don't bother.

26th Sep 2014, 11:39 am | #13
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched
Quote:
Any sysadmin that operates an internet facing server with 23 open is grossly incompetent and deserves to be sacked.

26th Sep 2014, 11:40 am | #14
Nonode
Join Date: Oct 2008
Location: Warsaw, Poland and Cambridge, UK
Posts: 2,669
Re: "Shellshock" security issue patched
As I understand it, there are lots of places that Bash gets used incidentally or even unknowingly for things like setting environment variables even if it's not actually expected to run any commands. I may have got the wrong end of the stick, but I understood that even things like SSH servers may be at risk without authentication because there are circumstances under which they can be persuaded to set environment variables behind the scenes, thus opening up the possibility of running privileged commands via un-patched Bash.
I have one internet-facing machine running Linux which exposes only an SSH server which only accepts public key authentication, but I've gone to some lengths to patch Bash on it (it's running an older distribution so was non-trivial) because of this.
Chris
__________________
What's going on in the workshop? http://martin-jones.com/

26th Sep 2014, 12:40 pm | #15
Administrator
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Re: "Shellshock" security issue patched
That's the normal arrangement and is what I use; more secure than password authentication (though if you have a good password then the risk there is minimal). There is normally something in the firewall settings to block IP addresses for several hours after a certain number of failed login attempts too.

26th Sep 2014, 1:51 pm | #16
Dekatron
Join Date: May 2008
Location: Derby, UK.
Posts: 7,735
Re: "Shellshock" security issue patched
If you're using Bash for CGI scripting, then the chances are you won't be taking any notice of environment variables. (I consider myself a reasonable Bash programmer, but I know when it's better to use something else instead.) If you need to do anything with user input, you're more likely to be using a more sophisticated language such as Perl or Python.
An attacker would also have to craft their requests very carefully to make serious use of the potential exploit. The web server runs as a non-privileged user; but obviously it does need wide-ranging read access, and an attacker will get the source code of scripts, which may include database passwords (which have to be in plaintext for the script). (But you didn't store plaintext passwords in your database, did you?) If port 3306 is closed or restricted to certain IP addresses, it makes it harder for attackers to raid your database.
__________________
If I have seen further than others, it is because I was standing on a pile of failed experiments.

26th Sep 2014, 2:15 pm | #17
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched
Media reports today have started to move away from yesterday's ill-informed hysteria. It's very difficult for an attacker to exploit this bug over an internet connection.
The problem facing sysadmins running old unpatched versions of bash is there's no knowing where the vulnerabilities might be. Even if the OS defaults to using another shell like dash or ash for script execution, it's possible for a script to invoke bash explicitly because it needs to use some feature which is unique to bash (this is bad programming practice, but it happens). Although I've tended to play down this bug, I wouldn't use an unpatched system open to the internet. There's always the risk that some undetected vulnerability will emerge and bite you on the bum.

26th Sep 2014, 2:54 pm | #18
Dekatron
Join Date: May 2008
Location: Derby, UK.
Posts: 7,735
Re: "Shellshock" security issue patched
Quote:
__________________
If I have seen further than others, it is because I was standing on a pile of failed experiments.

26th Sep 2014, 5:35 pm | #19
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787

Re: "Shellshock" security issue patched

26th Sep 2014, 6:56 pm | #20
Dekatron
Join Date: Aug 2011
Location: Newcastle, Tyne and Wear, UK.
Posts: 11,483
Re: "Shellshock" security issue patched
I haven't seen a lot of advice for casual users of Linux based home computers, who seem to be assumed to know the intimate workings of their OS (really not so, in my case), but on my secondary desktop PC running Zorin OS 6 (Ubuntu based) and on my Raspberry Pis (Debian based) the initial bash update was available in the repositories (repos) last night (25th September), and the updated update became available in the repos while I was out at work today (26th September).
In both cases (in a terminal or at the command line prompt):
Code:
sudo apt-get update
sudo apt-get install bash
To see your current version before or after updating:
Code:
dpkg -s bash | grep Version
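A defender's self-check that ties together the update commands in this last post and the mechanism described in post #9 (a function definition carried in an environment variable, with trailing code that an unpatched bash runs when it imports the environment). This is an added example and not code from any poster; it assumes a Debian-derived system for the dpkg lookup and falls back to bash --version elsewhere. The test value only echoes a marker word, so it is harmless on either a patched or an unpatched shell.

```shell
#!/bin/sh
# Added example: report the installed bash version and run the
# widely published Shellshock self-test against the local bash.

# Print the packaged bash version (dpkg systems), else the first line
# of "bash --version", else "unknown".
bash_version() {
    v=""
    if command -v dpkg >/dev/null 2>&1; then
        v=$(dpkg -s bash 2>/dev/null | awk '/^Version:/ { print $2 }')
    fi
    if [ -z "$v" ] && command -v bash >/dev/null 2>&1; then
        v=$(bash --version 2>/dev/null | head -n 1)
    fi
    echo "${v:-unknown}"
}

# Print "vulnerable", "patched" or "no-bash".
# The constructed variable x holds an empty function body followed by
# "echo VULN". An unpatched bash executes that trailing echo while
# importing its environment, before it ever gets to the -c command;
# a patched bash treats x as an ordinary string and prints nothing.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo VULN' bash -c 'true' 2>/dev/null)
    case "$out" in
        *VULN*) echo "vulnerable" ;;
        *)      echo "patched" ;;
    esac
}

echo "bash version: $(bash_version)"
echo "shellshock status: $(shellshock_status)"
```

On a Debian or Ubuntu machine that has had the update from this post applied, the status line reads "patched"; the version line is what the dpkg -s bash | grep Version command above would show.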