The Navigatrix has been updated. The new website can be found at navigatrix.net.

 Post subject: Bash security leak

Joined: 05 Jul 2013, 08:53
Posts: 72
There is a new security problem (Shellshock) with Linux and, after making a test, this is valid for the latest existing NX v 05.

Test is:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system returns vulnerable, then we have the security leak in the Bash program. How can we solve that problem?

Ferdinand


 Post subject: Re: Bash security leak

Joined: 04 Nov 2010, 20:51
Posts: 1062
While people are saying Shellshock is similar to Heartbleed in severity, like Heartbleed it is currently only a concern if you are running a server.

So, right now, if you don't use Navigatrix as a server you don't expose yourself to those vulnerabilities.

Sail on, but keep an eye on the weather.


 Post subject: Re: Bash security leak
Site Admin

Joined: 05 Nov 2010, 01:00
Posts: 185
If you installed the system to your hard drive you can just do:
sudo apt-get update && sudo apt-get upgrade
This will fix the problem.


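An added example, not from any poster in this thread, that wraps the one-line test from the first post into a check script a user can run after the apt-get upgrade above. It reports a status word instead of relying on reading "vulnerable" off the screen, and additionally confirms that a patched bash keeps the function-looking variable as an ordinary string; the PAYLOAD value is the thread's own test string, the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): a reusable version of the
# Shellshock test (CVE-2014-6271) to run after
# "sudo apt-get update && sudo apt-get upgrade" to confirm the fix took.

# The thread's test value: a function-looking definition with a trailing
# command. An unpatched bash executes that trailing command while importing
# the environment; a patched bash leaves it as plain text.
PAYLOAD='() { :;}; echo vulnerable'

# Prints "vulnerable", "patched" or "error"; returns 0 only when patched.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "error"; return 2; }
    # The child only echoes a marker; anything else in the output came from
    # the environment variable being executed at startup.
    out=$(env x="$PAYLOAD" "$bash_bin" -c 'echo marker' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        marker)       echo "patched";    return 0 ;;
        *)            echo "error";      return 2 ;;
    esac
}

# After the patch the value must survive as an ordinary string variable:
# returns 0 when the child sees exactly the literal text and nothing ran.
payload_is_plain_string() {
    bash_bin="${1:-bash}"
    seen=$(env x="$PAYLOAD" "$bash_bin" -c 'printf "%s" "$x"' 2>/dev/null)
    [ "$seen" = "$PAYLOAD" ]
}

# The notice lists GNU Bash through 4.3 as affected; print the running
# version so it can be compared against the distribution's patched build.
bash_version() {
    bash -c 'printf "%s" "$BASH_VERSION"'
}

main() {
    printf 'bash %s: %s\n' "$(bash_version)" "$(shellshock_check)"
    if payload_is_plain_string; then
        echo "function-looking variable was kept as a plain string"
    fi
}

main
```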
 Post subject: Re: Bash security leak

Joined: 04 Nov 2010, 20:51
Posts: 1062
...but for mere mortals it doesn't appear to be an issue or a problem.

The first rule is don't panic. The second rule is don't touch a working system. The corollary to this is 'if it isn't broke, don't fix it'.

For desktop/personal pc use, it isn't broken.


 Post subject: Re: Bash security leak
Site Admin

Joined: 05 Nov 2010, 01:00
Posts: 185
True... it's not really a problem.


 Post subject: Re: Bash security leak

Joined: 19 Jul 2014, 12:47
Posts: 27
For those that want more info, here is the notice I got yesterday.

Code:
National Cyber Awareness System:
TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)
09/25/2014 12:56 PM EDT

Original release date: September 25, 2014
Systems Affected

    GNU Bash through 4.3.
    Linux, BSD, and UNIX distributions including but not limited to:
        CentOS 5 through 7
        Debian
        Mac OS X
        Red Hat Enterprise Linux 4 through 7
        Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

    Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
    Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities.
    Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
    Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.
Solution

Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.


FYI :)


 Post subject: Re: Bash security leak
Site Admin

Joined: 05 Nov 2010, 01:00
Posts: 185
So since we do not run a server while sailing we have nothing to fear. Thank you for the information, I feel much safer now. :)


 Post subject: Re: Bash security leak

Joined: 19 Jul 2014, 12:47
Posts: 27
I am glad you feel safer now, David.
Yes the vulnerability mainly affects servers.

Code:
.....other Unix and Linux devices....


To me, that means desktops as well.

It is better to be truly safe. I have already patched the SolydX installation I have on one unit, and am going to do the others tonight.

Stay safe.


 Post subject: Re: Bash security leak

Joined: 04 Nov 2010, 20:51
Posts: 1062
In all likelihood you are not running any service/application that will allow this exploit to occur. Sure, patch it. It won't make you any 'safer', because we (in non-server use) are not at risk...but as they say, the price of paranoia is eternal vigilance.

