Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: ntblade on September 25, 2014, 10:07:28 PM
-
Just a heads up:
Hi all,
I'm sure you've all heard about this by now. I ran this:
[root@xxxxxxxx ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[root@xxxxxxxx ~]#
on an 8.1 machine, then after yum -y update and reboot:
[root@xxxxxxxx ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
So patched bash was installed.
NTB
-
Only mysql root and have a bash shell.
I'm not entirely sure if this reduces the possibility of attacks against a web server through this "feature", but I think so.
Maurizio
-
An older installation, SME 7.5, also has
smtpd: .....::/home/smtpd:/bin/bash
I have doubts about whether this may be a vector of attack.
Maurizio
-
So patched bash was installed.
There is no patch, there was a new RPM released by the upstream sources which can be installed by a 'yum update'.
But the vulnerability has not yet been resolved.
See: http://forums.contribs.org/index.php/topic,51137.0.html
[update]
New RPM released by upstream, see above post.
-
Only mysql root and have a bash shell.
I'm not entirely sure if this reduces the possibility of attacks against a web server through this "feature", but I think so.
No, that is entirely irrelevant.
The threat via a web server only exists if the server has cgi-scripts, as the interface between the web server and CGI is via environment variables, the content of which is under the control of the attacker - e.g. HTTP_USER_AGENT is set by the User-Agent header in the HTTP request.
Any CGI script written in bash (or shell) is immediately vulnerable. But most systems don't have those.
Some CGI scripts written in perl and python will be vulnerable and some not. If they don't call any sub-commands, then they are not vulnerable. If they call subcommands directly, without invoking the shell, then they are OK.
So this in python is OK:
from subprocess import call
call(["ls", "-l"])
and in perl this is OK:
system("ls", "-l");
But scripts containing any of these will be exploitable:
os.system("ls -l")
my $rc = system("ls -l");
my $rc = `ls -l`;
The first of those is python, the other two perl. They are all exploitable because bash is invoked to parse the command line, and the environment variables set by apache as part of the CGI environment still exist.
The other area where SME server might be vulnerable until bash is updated is via dhclient. If a WAN connection exists, and DHCP is used for IP allocation, then the system could be compromised via a malicious DHCP server on the WAN network segment (e.g. the ISP's network segment connecting you to them).
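An added example, not part of the original post or of SME Server: a heuristic Python audit that flags CGI scripts using the shell-invoking call forms listed above, so they can be reviewed first until bash is updated. The patterns, the function name audit_cgi and the sample scripts are constructed for illustration.

```python
import re

# Heuristic patterns: assumptions of this example, not an exhaustive list.
SHEBANG = re.compile(r"^#!\s*(?:\S*/)?(?:env\s+)?(bash|sh|python|perl)")
RULES = {
    "python": [
        (re.compile(r"\bos\.(system|popen)\s*\("), "os.system/os.popen runs /bin/sh -c"),
        (re.compile(r"\bshell\s*=\s*True\b"), "subprocess call with shell=True"),
    ],
    "perl": [
        # system()/exec() given one string may be handed to the shell
        (re.compile(r"\b(system|exec)\s*\(\s*(\"[^\"]*\"|'[^']*')\s*\)"),
         "single-string system/exec"),
        (re.compile(r"`[^`]+`|\bqx\s*[({/]"), "backticks/qx command capture"),
    ],
}

def audit_cgi(source):
    """Return [(line_no, reason)] for constructs that put a shell behind CGI."""
    lines = source.splitlines()
    m = SHEBANG.match(lines[0]) if lines else None
    if not m:
        return []  # unknown interpreter: needs manual review
    interp = m.group(1)
    if interp in ("bash", "sh"):
        return [(1, "script is run by the shell itself")]
    findings = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue  # skip shebang and whole-line comments
        for pattern, reason in RULES[interp]:
            if pattern.search(line):
                findings.append((no, reason))
    return findings

# Constructed sample scripts mirroring the calls quoted in the post above.
SAMPLES = {
    "list.py": '#!/usr/bin/python\nfrom subprocess import call\ncall(["ls", "-l"])\n',
    "sys.py": '#!/usr/bin/env python\nimport os\nos.system("ls -l")\n',
    "ok.pl": '#!/usr/bin/perl\nsystem("ls", "-l");\n',
    "bad.pl": '#!/usr/bin/perl -w\nmy $rc = system("ls -l");\nmy $out = `ls -l`;\n',
    "status.cgi": '#!/bin/bash\necho "Content-type: text/plain"\n',
}

if __name__ == "__main__":
    for name, text in sorted(SAMPLES.items()):
        print(name, audit_cgi(text) or "no shell-invoking call found")
```

A clean result covers only these call forms: a program started in list form that is itself a shell script still runs bash with the CGI environment.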
-
An older installation, SME 7.5, also has
smtpd: .....::/home/smtpd:/bin/bash
It's not an attack vector.
Anyone still running SME7.x can do this:
rpm -Uhv http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.1.el4.i386.rpm
-
Thanks Charly for your explanation and link .... patched.
-
Anyone still running SME7.x can do this:
rpm -Uhv http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.1.el4.i386.rpm
Looks like http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.2.el4.i386.rpm is available
-
Thanks John. I cut and pasted wrong link.
-
Just to follow up
Looks like http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.3.el4.i386.rpm is available
-
As an aside, it is odd that RHEL4 / CentOS 4 / SME 7 are now 'End of Life' and therefore 'unsupported' but there are patched bash releases available :-)
For those running SME 7.x it is a reminder that you should really upgrade to SME v8 or v9 (regardless of issues with bash).