Netgate Discussion Forum

    So, CVE-2014-6271 (bash SHELL SHOCK) Anyone?

    Off-Topic & Non-Support Discussion
    16 Posts 7 Posters 4.8k Views
    • Derelict (LAYER 8, Netgate)

      I've got popcorn.

      [2.1.5-RELEASE][root@fw.example.com]/root(1): bash
      bash: Command not found.

      Original release date: 09/24/2014
      Last revised: 09/24/2014
      Source: US-CERT/NIST
      Overview

      GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
      Impact
      CVSS Severity (version 2.0):
      CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
      Impact Subscore: 10.0
      Exploitability Subscore: 10.0
      CVSS Version 2 Metrics:
      Access Vector: Network exploitable
      Access Complexity: Low
      Authentication: Not required to exploit
      Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
      References to Advisories, Solutions, and Tools

      External Source: CONFIRM (Patch Information)
      https://bugzilla.redhat.com/show_bug.cgi?id=1141597
      External Source: CONFIRM
      https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
      Vulnerable software and versions (Configuration 1, any of the following):

      • cpe:/a:gnu:bash:1.14.0
      • cpe:/a:gnu:bash:1.14.1
      • cpe:/a:gnu:bash:1.14.2
      • cpe:/a:gnu:bash:1.14.3
      • cpe:/a:gnu:bash:1.14.4
      • cpe:/a:gnu:bash:1.14.5
      • cpe:/a:gnu:bash:1.14.6
      • cpe:/a:gnu:bash:1.14.7
      • cpe:/a:gnu:bash:2.0
      • cpe:/a:gnu:bash:2.01
      • cpe:/a:gnu:bash:2.01.1
      • cpe:/a:gnu:bash:2.02
      • cpe:/a:gnu:bash:2.02.1
      • cpe:/a:gnu:bash:2.03
      • cpe:/a:gnu:bash:2.04
      • cpe:/a:gnu:bash:2.05
      • cpe:/a:gnu:bash:2.05:a
      • cpe:/a:gnu:bash:2.05:b
      • cpe:/a:gnu:bash:3.0
      • cpe:/a:gnu:bash:3.0.16
      • cpe:/a:gnu:bash:3.1
      • cpe:/a:gnu:bash:3.2
      • cpe:/a:gnu:bash:3.2.48
      • cpe:/a:gnu:bash:4.0
      • cpe:/a:gnu:bash:4.0:rc1
      • cpe:/a:gnu:bash:4.1
      • cpe:/a:gnu:bash:4.2
      • cpe:/a:gnu:bash:4.3
      Technical Details
      Vulnerability Type: OS Command Injections (CWE-78)

      CVE Standard Vulnerability Entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

    • snm777

        This is the only discussion I found when searching the forums for CVE-2014-6271 - this is a bad one, every distro I've been looking at today either has a patch, or is working on it.  I realize that bash is not the default FreeBSD shell, and isn't even included in the FreeBSD install, but I'm wondering if there are any packages that might install it into pfSense? I took a look at my installs and I don't see a /bin/bash, but I'm afraid I may be missing something...

      • redbeard0x0a

          You can always use 'find' to search for a binary named bash:

          
          [2.1.5-RELEASE][root@myrouter]/(1): find / -name bash -print
          [2.1.5-RELEASE][root@myrouter]/(2):
          
          
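The one-off `find` above answers "is there a bash binary at all?", but on pfSense a package can drop its own copy under /usr/pbi and symlink it into /usr/local/bin, and a copy that exists still has to be checked for the actual defect. The script below is an added example, not code from this thread or from the pfSense project: it searches the usual binary directories plus /usr/pbi (the prefix pfSense 2.1.x PBI packages install into), then runs the widely published one-line self-test (the same form as in the Red Hat advisory linked in the first post) against each binary found. A vulnerable bash imports the function definition from the environment variable and keeps parsing past the closing brace, so the trailing command runs; a patched bash prints nothing. The search roots, the `--run` switch and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread: find every bash binary on a
# pfSense/FreeBSD system, including the per-package prefixes under /usr/pbi,
# and run the non-destructive CVE-2014-6271 self-test against each one.
# Search roots and the "--run" switch are this example's own conventions.

# Print every file or symlink named "bash" under the given roots. With no
# arguments it searches the usual binary directories plus /usr/pbi, where
# pfSense 2.1.x PBI packages (e.g. FreeRADIUS2, Mailscanner) keep their own bin/.
find_bash_binaries() {
    if [ "$#" -eq 0 ]; then
        set -- /bin /usr/bin /usr/local/bin /usr/pbi
    fi
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -name bash \( -type f -o -type l \) 2>/dev/null
    done | sort -u
}

# Test one binary. A vulnerable bash imports the function definition from the
# environment and keeps parsing past the closing brace, so the trailing
# "echo VULNERABLE" runs before the -c command; a patched bash either stops at
# the function body or refuses to import it, and nothing is printed.
# Prints vulnerable/patched/missing and returns 1/0/2 respectively.
check_shellshock() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "missing"
        return 2
    fi
    out=$(env x='() { :;}; echo VULNERABLE' "$bin" -c ':' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Report "<status><TAB><path>" for every bash found; exit status 1 if any is
# vulnerable, 0 otherwise (including when no bash exists at all, which is the
# normal state of a pfSense box without one of the packages discussed here).
audit_bash() {
    report=$(find_bash_binaries "$@" | while IFS= read -r bin; do
        printf '%s\t%s\n' "$(check_shellshock "$bin")" "$bin"
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    else
        echo "no bash binary found" >&2
    fi
    if printf '%s\n' "$report" | grep -q '^vulnerable'; then
        return 1
    fi
    return 0
}

# Usage: sh shellshock_audit.sh --run [root ...]
if [ "${1:-}" = "--run" ]; then
    shift
    audit_bash "$@"
    exit $?
fi
```

Run it as `sh shellshock_audit.sh --run` for the default roots, or pass a package prefix such as `/usr/pbi/freeradius-i386` to check a single PBI. The symlink case from later in this thread (a dangling `/usr/local/bin/bash -> /usr/pbi/...` link after a package is removed) is reported as `missing` rather than silently skipped, so a stale link does not pass as "patched".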
        • jimp (Rebel Alliance Developer, Netgate)

            The bash issue going around appears to only affect one commonly used package, and not the base system. The base system does not include bash, no problem there.

            The affected packages are:

            • Anyterm: Contains bash in its binaries which are in the git repo, not a .pbi or .tgz. This package may simply be retired as it is unmaintained and is rarely used.
            • Freeswitch-dev: Runs pkg_add for bash. Not actively maintained, could probably be safely removed with minimal impact.
            • FreeRADIUS2: Adds bash via pkg_add using FreeBSD's 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). We're looking into the best way to fix it.

            Also include bash and will have rebuilt PBIs shortly:

            • Mailscanner

            The following packages use bash to build but do NOT include the bash binary in their PBI for use on the firewall:

            • git
            • avahi
            • ntopng

            Overall, not a huge impact.

            EDIT: Added mailscanner, which also includes bash, though it doesn't do so explicitly; something it needs must have pulled it in as a dependency.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

          • jimp (Rebel Alliance Developer, Netgate)

              FreeRADIUS2 has been updated, should show an update available soon.

              Mailscanner will be updated some time tomorrow.

            • jimp (Rebel Alliance Developer, Netgate)

                Affected packages have been either updated or removed (thanks to garga).

                • FreeRADIUS2: Package updated with a patched version of bash
                • Mailscanner: Package updated with a patched version of bash
                • FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.

                Other packages that had a reference to bash but are not vulnerable:

                • Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
                • git: Used bash during build, but did not include bash in its PBI
                • avahi: Used bash during build, but did not include bash in its PBI
                • ntopng : Used bash during build, but did not include bash in its PBI

              • Bismarck

                  @jimp:

                  • Mailscanner: Package updated with a patched version of bash

                  I've updated the Mailscanner package and it looks like bash has been completely removed from the system instead.

                  # bash
                  bash: Command not found.
                  
                  # find -f / bash
                  ...
                  find: bash: No such file or directory
                  
                • robi

                    Could anybody please attach a gzipped patched binary here, to optionally replace it manually? Or maybe a URL to download the new .tgz?

                  • jimp (Rebel Alliance Developer, Netgate)

                      There is no new tgz. For packages that require it, it is built into their PBI. Not sure why it didn't show up in mailscanner, but feel free to open a ticket in redmine for it if mailscanner is misbehaving because of its absence. It should also be in the new FreeRADIUS2 PBI, so if you really want it, install that and copy the binary from there, then you could remove it if you want.

                      It is highly unlikely we'll make a stand-alone package just for bash.

                    • robi

                        I installed the freeradius2 package on my i386 NanoBSD box, and it didn't pull the bash binary as far as I can see:

                        /usr/local/bin(11): ls -la | grep bash
                        lrwxr-xr-x   1 root  wheel       36 Sep 27 19:31 bashbug -> /usr/pbi/freeradius-i386/bin/bashbug
                        /usr/local/bin(12): bash
                        bash: Command not found.
                        

                        :o

                      • robi

                          @Bismarck:

                          I've updated the Mailscanner package and it looks like bash has been completely removed from the system instead.

                          Confirming that bash is missing from Mailscanner too.

                        • robi

                            :o :o :o

                            Nobody cares?

                          • jimp (Rebel Alliance Developer, Netgate)

                              It's being looked at, they're apparently there on 2.2, though if you install one and then the other and remove one, the symlink goes with it.

                              There was another update to bash that needs to be put in anyhow, but it's mostly cosmetic (version bump) since the previous version plus patches has the fix already.

                              Since bash isn't there (and thus really isn't vulnerable  ;D ) it isn't as high a priority, though it'll be fixed soon.

                            • jimp (Rebel Alliance Developer, Netgate)

                                Also:
                                https://isc.sans.edu/forums/diary/Shellshock+We+are+not+done+yet+CVE-2014-6277+CVE-2014-6278/18723
                                http://www.openwall.com/lists/oss-security/2014/09/25/32

                              • rbgarga (Developer, Netgate Administrator)

                                  @robi:

                                  @Bismarck:

                                  I've updated the Mailscanner package and it looks like bash has been completely removed from the system instead.

                                  Confirming that bash is missing from Mailscanner too.

                                  Please try the latest package version. Both PBIs were rebuilt and bash is inside.

                                  Renato Botelho

                                • robi

                                    Thanks.

                                    Tried freeradius2 package by deleting it and installing it again. The patched bash binary is deployed on both i386 and amd64 platforms.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.