|
Size: 6018
Comment: more summary
|
← Revision 18 as of 2014-10-09 20:04:09 ⇥
Size: 6951
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| Line 12: | Line 11: |
| Other potential problems (parser bugs) were identified during the investigation, but are considered separate from the Shellshock bug. These bugs have no remote exploits (so far as we know). As of September 30, 2014 there are no official patches for these bugs. If you are concerned by them, you can try to translate Red Hat's unofficial patches to your version of Bash. | Other potential problems (parser bugs) were identified during the investigation, but are considered separate from the Shellshock bug. These bugs have no remote exploits (so far as we know). These bugs are currently being patched as well, albeit with less urgency. ||||||<style="text-align:center">'''Vulnerability Patches''' || ||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025|bash43-025]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271|CVE-2014-6271]] ||2014-09-24 || ||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026|bash43-026]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169|CVE-2014-7169]] ||2014-09-26 || ||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027|bash43-027]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278|CVE-2014-6278]] ||2014-09-27 || ||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-028|bash43-028]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186|CVE-2014-7186]] and [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187|CVE-2014-7187]] ||2014-10-01 || ||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-029|bash43-029]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277|CVE-2014-6277]] ||2014-10-02 || |
| Line 15: | Line 23: |
Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell. |
Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell. |
| Line 26: | Line 33: |
| The output will look something like this: | |
| Line 27: | Line 35: |
| The output will look something like this: | |
| Line 34: | Line 41: |
| Line 37: | Line 43: |
| A more comprehensive script called [[https://github.com/hannob/bashcheck|bashcheck]] is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable. At the time of writing, the latest version of bash - bash43-027 - does not have a fix for CVE-2014-7186 (the redir_stack bug). | A more comprehensive script called [[https://github.com/hannob/bashcheck|bashcheck]] is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable. |
| Line 39: | Line 45: |
| After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187". |
=== Further reading === After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187". |
| Line 45: | Line 48: |
| In the meantime, here are a few links that should help you get started: |
In the meantime, here are a few links that should help you get started: |
| Line 48: | Line 50: |
| * [[http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|ZDNet: the latest patches do fix all known Shellshock issues]] | * [[http://www.dwheeler.com/essays/shellshock.html|Summary and timeline by David A. Wheeler, a security researcher working on Shellshock]] * [[https://shellshocker.net/|"shellshocker.net", an online tool for testing if a system is vulnerable]] |
| Line 51: | Line 54: |
| * [[https://shellshocker.net/|"shellshocker.net", and online tool for testing if a system is vulnerable]] * [[https://access.redhat.com/articles/1200223|Summary article from RedHat on how to determine if a system is vulnerable]] * [[http://learning.criticalwatch.com/shellshock/|Critical Watch page on Shellshock]] |
|
| Line 57: | Line 57: |
| Line 58: | Line 59: |
| * [[http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|ZDNet: the latest patches do fix all known Shellshock issues]] * [[https://access.redhat.com/articles/1200223|Summary article from RedHat on how to determine if a system is vulnerable]] * [[http://learning.criticalwatch.com/shellshock/|Critical Watch page on Shellshock]] |
|
| Line 63: | Line 67: |
What is the Shellshock vulnerability in Bash?
"Shellshock" refers to two remotely-exploitable vulnerabilities in Bash, discovered in September 2014. The first vulnerability exploits the mechanism that Bash used to export and import functions, and allowed arbitrary command execution. The second vulnerability exploits a parser bug and allowed local files to be created.
What these vulnerabilities have in common is that they are triggered by Bash scanning the environment, finding malicious data, and stumbling on it. Malicious data can be inserted into the environment by remote attackers in some system configurations, the most common of which is a web server with CGI capability. Most CGI setups pass along user-supplied data (e.g. HTTP user agent) through the environment.
There are official (i.e. issued by Chet Ramey) patches for Bash which fix the Shellshock vulnerabilities. These patches are available for all Bash versions from 2.05b through 4.3. There is also a third official patch which changes how Bash exports and imports functions through the environment. This third patch is believed to close any and all "tainted environment variable" attacks.
Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
Other potential problems (parser bugs) were identified during the investigation, but are considered separate from the Shellshock bug. These bugs have no remote exploits (so far as we know). These bugs are currently being patched as well, albeit with less urgency.
Vulnerability Patches |
||
2014-09-24 |
||
2014-09-26 |
||
2014-09-27 |
||
2014-10-01 |
||
2014-10-02 |
||
Are my bash binaries fixed?
Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell.
Replace /bin/bash and /usr/local/bin/bash with the paths to the bash binaries you have installed/want to test in the for-loop below.
for s in /bin/bash /usr/local/bin/bash ; do
VAR='() { :;};x=FAIL' "$s" -c 'printf "%-20s CVE-2014-6271 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
VAR='() {}>\' "$s" -c '/dev/null x=FAIL;printf "%-20s CVE-2014-7169 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
done 2>/dev/nullThe output will look something like this:
3.2.48(1)-release CVE-2014-6271 FAIL (/bin/bash) 3.2.48(1)-release CVE-2014-7169 FAIL (/bin/bash) 4.3.27(1)-release CVE-2014-6271 OK (/usr/local/bin/bash) 4.3.27(1)-release CVE-2014-7169 OK (/usr/local/bin/bash)
This shows that /usr/local/bin/bash is at version 4.3.27 and patched for both of the issues, while /bin/bash is at version 3.2.48 and fails both (meaning it is vulnerable).
A more comprehensive script called bashcheck is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable.
Further reading
After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".
In the meantime, here are a few links that should help you get started:
Summary and timeline by David A. Wheeler, a security researcher working on Shellshock
"shellshocker.net", an online tool for testing if a system is vulnerable
Search Google News for 'Shellshock bash', limited to the last 24 hours
Official US-CERT page on CVE-2014-6271, the first vulnerability in the series to be discovered
ZDNet: the latest patches do fix all known Shellshock issues
Summary article from RedHat on how to determine if a system is vulnerable
"Everything you need to know about the Shellshock Bash bug", by Troy Hunt