There is apparently a vulnerability in Bash: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Summary:
A vulnerability has been found in which variables that control the environment of a Linux system can be sent to the Bash application, and when Bash starts, the content of the variable is executed. This lets an attacker inject malicious code that Bash will run without validation. In the worst case, this can allow the attacker to gain control of the system.
The bug lies in Bash's handling of environment variables: when assigning a function to a variable, trailing code in the function definition will be executed, leaving the door wide open for code-injection attacks. The vulnerability is exploitable remotely if code can be smuggled into environment variables sent over the network – and it's surprisingly easy to do so.
Systems Affected
Linux (all OS versions containing Bash GNU 4.3 or earlier)
Mac OSX (v10.9.5 and earlier) NOTE: Not confirmed yet but suspected
FreeBSD running Bash version <= 4.3
Test whether your servers are vulnerable:
Execute the following command in a bash shell:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
If you get the output “vulnerable” then your system is affected.
Installing the update
Most distros have already patched Bash and released an update; install it using your distro's package management system. A GNU Bash patch is also available for experienced users and administrators to apply themselves.
I am running a couple of the latest Ubuntu (Trusty) virtual machines, and when I checked, they had already released bash updates (4.3-7ubuntu1.1):
sudo apt-get update # Fetches the list of available updates
sudo apt-get dist-upgrade # Installs updates
Test after installing the update:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
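As an added example (not part of the original post), here is the same probe from the two tests above wrapped in a small script that classifies the output and returns an exit status, so it can be run across several hosts from an inventory script. The marker string, the function names and the exit codes are my own choices, not anything Bash itself defines.

```shell
#!/bin/sh
# Added example: run the CVE-2014-6271 probe against a given bash binary and
# classify the result. Not code from the original post.

# Distinctive marker instead of the word "vulnerable" (our own choice).
MARKER='SHELLSHOCK_PROBE_MARK'

# classify_probe_output OUTPUT
# Pure helper: decides from the probe's combined stdout/stderr whether the
# function-import bug fired. Prints VULNERABLE, PATCHED or UNKNOWN.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*)                               echo VULNERABLE ;;  # trailing code ran
        *"ignoring function definition attempt"*)  echo PATCHED ;;     # 4.3 patched message
        *"this is a test"*)                        echo PATCHED ;;     # later bash: x is a plain var
        *)                                         echo UNKNOWN ;;
    esac
}

# probe_bash [BASH_BINARY]
# Runs the post's probe against BASH_BINARY (default: bash).
# Exit status: 0 patched, 1 vulnerable, 2 binary not found, 3 unrecognised output.
probe_bash() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "$bin: not found"
        return 2
    fi
    # The variable value is a function definition followed by trailing code;
    # an unpatched bash executes the trailing "echo $MARKER" while importing x.
    out=$(env x="() { :;}; echo $MARKER" "$bin" -c "echo this is a test" 2>&1)
    verdict=$(classify_probe_output "$out")
    echo "$bin ($("$bin" --version 2>/dev/null | head -n 1)): $verdict"
    case "$verdict" in
        PATCHED)    return 0 ;;
        VULNERABLE) return 1 ;;
        *)          return 3 ;;
    esac
}
```

Run `probe_bash /bin/bash` (or `probe_bash` for the first bash on PATH) and check the exit status; a non-zero result of 1 means the function import still executes trailing code.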
Bravo, the system is now patched and there are no more worries about Bash Shellshock :)