So, CVE-2014-6271 (bash SHELL SHOCK) Anyone?
-
I've got popcorn.
[2.1.5-RELEASE][root@fw.example.com]/root(1): bash
bash: Command not found.Original release date: 09/24/2014
Last revised: 09/24/2014
Source: US-CERT/NIST
OverviewGNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
References to Advisories, Solutions, and ToolsBy selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
External Source: CONFIRM
Name: https://bugzilla.redhat.com/show_bug.cgi?id=1141597
Type: Patch Information
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1141597
External Source: CONFIRM
Name: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Hyperlink: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Vulnerable software and versions
Skip Navigation Links.
Collapse Configuration 1 Configuration 1
Collapse OR OR- cpe:/a:gnu:bash:1.14.0
- cpe:/a:gnu:bash:1.14.1
- cpe:/a:gnu:bash:1.14.2
- cpe:/a:gnu:bash:1.14.3
- cpe:/a:gnu:bash:1.14.4
- cpe:/a:gnu:bash:1.14.5
- cpe:/a:gnu:bash:1.14.6
- cpe:/a:gnu:bash:1.14.7
- cpe:/a:gnu:bash:2.0
- cpe:/a:gnu:bash:2.01
- cpe:/a:gnu:bash:2.01.1
- cpe:/a:gnu:bash:2.02
- cpe:/a:gnu:bash:2.02.1
- cpe:/a:gnu:bash:2.03
- cpe:/a:gnu:bash:2.04
- cpe:/a:gnu:bash:2.05
- cpe:/a:gnu:bash:2.05:a
- cpe:/a:gnu:bash:2.05:b
- cpe:/a:gnu:bash:3.0
- cpe:/a:gnu:bash:3.0.16
- cpe:/a:gnu:bash:3.1
- cpe:/a:gnu:bash:3.2
- cpe:/a:gnu:bash:3.2.48
- cpe:/a:gnu:bash:4.0
- cpe:/a:gnu:bash:4.0:rc1
- cpe:/a:gnu:bash:4.1
- cpe:/a:gnu:bash:4.2
- cpe:/a:gnu:bash:4.3
- Denotes Vulnerable Software
Changes related to vulnerability configurations
Technical Details
Vulnerability Type (View All)
OS Command Injections (CWE-78)
CVE Standard Vulnerability Entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
-
This is the only discussion I found when searching the forums for CVE-2014-6271 - this is a bad one, every distro I've been looking at today either has a patch, or is working on it. I realize that bash is not the defualt FreeBSD shell, and isn't even included in the FreeBSD install, but I'm wondering if there are any packages that might install it into pfsense? I took a look at my installs and I don't see a /bin/bash, but I'm afraid I may be missing something….
-
You can always use 'find' to search for a binary named bash:
[2.1.5-RELEASE][root@myrouter]/(1): find / -name bash -print [2.1.5-RELEASE][root@myrouter]/(2): -
The bash issue going around appears to only affect one commonly used package, and not the base system. The base system does not include bash, no problem there.
The affected packages are:
- Anyterm
- Contains bash in its binaries which are in the git repo, not a .pbi or .tgz. This package may simply be retired as it is unmaintained and is rarely used.
- Freeswitch-dev
- Runs pkg_add for bash. Not actively maintained, could probably be safely removed with minimal impact.
- FreeRADIUS2
- Adds bash via pkg_add using FreeBSD's 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). We're looking into the best way to fix it.
Also include bash and will have rebuilt PBIs shortly:
- Mailscanner
The following packages use bash to build but do NOT include the bash binary in their PBI for use on the firewall:
- git
- avahi
- ntopng
Overall, not a huge impact.
EDIT: Added mailscanner which also includes bash, though it doesn't do so explicitly something it needs must have pulled it in as a dependency.
-
FreeRADIUS2 has been updated, should show an update available soon.
Mailscanner will be updated some time tomorrow.
-
Affected packages have been either updated or removed (thanks to garga).
- FreeRADIUS2: Package updated with a patched version of bash
- Mailscanner: Package updated with a patched version of bash
- FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.
Other packages that had a reference to bash but are not vulnerable:
- Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
- git: Used bash during build, but did not include bash in its PBI
- avahi: Used bash during build, but did not include bash in its PBI
- ntopng : Used bash during build, but did not include bash in its PBI
-
- Mailscanner: Package updated with a patched version of bash
I've update the Mailscanner package and it looks like bash has been completely removed from the system instead.
# bash bash: Command not found. # find -f / bash ... find: bash: No such file or directory -
Could anybody please attach a gzipped patched binary here, to optionally replace it manually? Or maybe an URL to download the new .tgz?
-
There is no new tgz. For packages that require it, it is built into their PBI. Not sure why it didn't show up in mailscanner, but feel free to open a ticket in redmine for it if mailscanner is misbehaving because of its absence. It should also be the new FreeRADIUS2 PBI, so if you really want it, install that and copy the binary from there, then you could remove it if you want.
It is highly unlikely we'll make a stand-alone package just for bash.
-
I Installed freeradius2 package on my i386 NanoBSD box, and it didn't pull the bash binary as far as I can see:
/usr/local/bin(11): ls -la | grep bash lrwxr-xr-x 1 root wheel 36 Sep 27 19:31 bashbug -> /usr/pbi/freeradius-i386/bin/bashbug /usr/local/bin(12): bash bash: Command not found.:o
-
I've update the Mailscanner package and it looks like bash has been completely removed from the system instead.
Confirming that bash is missing from Mailscanner too.
-
:o :o :o
Nobody cares?
-
It's being looked at, they're apparently there on 2.2, though if you install one and then the other and remove one, the symlink goes with it.
There was another update to bash that needs put in anyhow, but it's mostly cosmetic (version bump) since the previous + patches has the fix already.
Since bash isn't there (and thus really isn't vulnerable ;D ) it isn't as high a priority, though it'll be fixed soon.
-
Also:
https://isc.sans.edu/forums/diary/Shellshock+We+are+not+done+yet+CVE-2014-6277+CVE-2014-6278/18723
http://www.openwall.com/lists/oss-security/2014/09/25/32 -
-
Thanks.
Tried freeradius2 package by deleting it and installing it again. The patched bash binary is deployed on both i386 and amd64 platforms.
