Security advisory: Mac OS X and GNU/Linux users: update bash to protect against Shellshock exploit

Posted: 2014/09/27 in Security, Ubuntu

Dear Mac OS X and GNU/Linux users,

It is highly recommended to update the bash shell program to protect against the Shellshock vulnerability.

Update on October 8, 2014: a working patch for vulnerability CVE-2014-6277 is now available to Ubuntu 14.04 LTS users via a PPA repository (ppa:ubuntu-security-proposed/ppa).

More info here:

https://www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock/

http://security.stackexchange.com/questions/68202/how-to-patch-bash-on-osx-in-wake-of-shellshock

http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6271

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6277

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7186

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7187

https://securityblog.redhat.com/

I presume this will also affect home routers running a modified version of GNU/Linux, if the router has bash installed…

Stock Android users are unaffected (for the time being), because the stock version of Android uses mksh instead of bash according to this link:

https://www.mirbsd.org/mksh.htm

Non-jailbroken iPhones/iPads and non-rooted Android devices are not vulnerable to Shellshock.

However, jailbroken Android devices running Cydia or Cyanogen may have a vulnerable version of bash installed!

https://blog.fortinet.com/post/are-ios-and-android-vulnerable-to-the-shellshock-bug

Ubuntu 14.04 LTS users:

Here is the code to run in a Terminal to see if your installed version of bash is vulnerable or not:

wget https://shellshocker.net/shellshock_test.sh ; bash shellshock_test.sh
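
A local check for CVE-2014-6271 and CVE-2014-7169 that does not download or execute a remote script, added here as an example (it is not the shellshocker.net script and not code from the original post). The function names and the `probe` variable name are assumptions of this example; the probe strings are the widely published self-test one-liners, run only against your own bash binary.

```shell
#!/bin/sh
# Added example (not from shellshocker.net): local Shellshock checks.
# Pass an absolute path to the bash binary to test; defaults to the bash on PATH.

# CVE-2014-6271: a vulnerable bash executes text that trails a function
# definition imported from an environment variable.
check_6271() {
    bash_bin=${1:-$(command -v bash)}
    [ -x "$bash_bin" ] || { echo "bash not found"; return 2; }
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
        "$bash_bin" -c 'echo test' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: a vulnerable bash keeps leftover parser state, mis-parses the
# next command and creates a file named "echo" in the working directory,
# so the probe runs inside a scratch directory that is removed afterwards.
check_7169() {
    bash_bin=${1:-$(command -v bash)}
    [ -x "$bash_bin" ] || { echo "bash not found"; return 2; }
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env probe='() { (a)=>\' \
        "$bash_bin" -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$tmp/echo" ]; then result="vulnerable"; else result="not vulnerable"; fi
    rm -rf "$tmp"
    echo "$result"
}

# Print results in the same "CVE (name): status" layout as the test script.
shellshock_report() {
    echo "CVE-2014-6271 (original shellshock): $(check_6271 "$@")"
    echo "CVE-2014-7169 (taviso bug): $(check_7169 "$@")"
}

shellshock_report "$@"
```

This covers only two of the CVEs listed in the test script's output; the installed package version (4.3-7ubuntu1.5 in the output below) remains the check for the others.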

 

Example of Terminal output:

$ sudo add-apt-repository ppa:ubuntu-security-proposed/ppa

$ sudo apt-get update

$ sudo apt-get dist-upgrade

Fetched 1,531 kB in 10s (152 kB/s)

The following packages will be upgraded:
bash
1 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 576 kB of archives. After unpacking 0 B will be used.
Do you want to continue? [Y/n/?]
Get: 1 http://ppa.launchpad.net/ubuntu-security-proposed/ppa/ubuntu/ trusty/main bash amd64 4.3-7ubuntu1.5 [576 kB]
Fetched 576 kB in 0s (980 kB/s)
(Reading database ... 331726 files and directories currently installed.)
Preparing to unpack .../bash_4.3-7ubuntu1.5_amd64.deb ...
Unpacking bash (4.3-7ubuntu1.5) over (4.3-7ubuntu1.4) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Processing triggers for menu (2.1.46ubuntu1) ...
Processing triggers for install-info (5.2.0.dfsg.1-2) ...
Setting up bash (4.3-7ubuntu1.5) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode
Processing triggers for menu (2.1.46ubuntu1) ...

Current status: 0 updates [-1].
$ wget https://shellshocker.net/shellshock_test.sh ; bash shellshock_test.sh
--2014-10-08 09:30:50-- https://shellshocker.net/shellshock_test.sh
Resolving shellshocker.net (shellshocker.net)... 162.159.243.171, 162.159.244.171, 2400:cb00:2048:1::a29f:f3ab, ...
Connecting to shellshocker.net (shellshocker.net)|162.159.243.171|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2533 (2.5K) [application/octet-stream]
Saving to: ‘shellshock_test.sh.7’

100%[=================================================================================================================================================================>] 2,533 --.-K/s in 0s

2014-10-08 09:30:51 (177 MB/s) - ‘shellshock_test.sh.7’ saved [2533/2533]

CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian’s patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
