So, CVE-2014-6271 (bash SHELL SHOCK) Anyone?


  • LAYER 8 Netgate

    I've got popcorn.

    [2.1.5-RELEASE][root@fw.example.com]/root(1): bash
    bash: Command not found.

    Original release date: 09/24/2014
    Last revised: 09/24/2014
    Source: US-CERT/NIST
    Overview

    GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
    Impact
    CVSS Severity (version 2.0):
    CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)
    Impact Subscore: 10.0
    Exploitability Subscore: 10.0
    CVSS Version 2 Metrics:
    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
    References to Advisories, Solutions, and Tools

    By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
    External Source: CONFIRM
    Name: https://bugzilla.redhat.com/show_bug.cgi?id=1141597
    Type: Patch Information
    Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1141597
    External Source: CONFIRM
    Name: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
    Hyperlink: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
    Vulnerable software and versions
    Skip Navigation Links.
    Collapse Configuration 1 Configuration 1
    Collapse OR OR

    • cpe:/a:gnu:bash:1.14.0
    • cpe:/a:gnu:bash:1.14.1
    • cpe:/a:gnu:bash:1.14.2
    • cpe:/a:gnu:bash:1.14.3
    • cpe:/a:gnu:bash:1.14.4
    • cpe:/a:gnu:bash:1.14.5
    • cpe:/a:gnu:bash:1.14.6
    • cpe:/a:gnu:bash:1.14.7
    • cpe:/a:gnu:bash:2.0
    • cpe:/a:gnu:bash:2.01
    • cpe:/a:gnu:bash:2.01.1
    • cpe:/a:gnu:bash:2.02
    • cpe:/a:gnu:bash:2.02.1
    • cpe:/a:gnu:bash:2.03
    • cpe:/a:gnu:bash:2.04
    • cpe:/a:gnu:bash:2.05
    • cpe:/a:gnu:bash:2.05:a
    • cpe:/a:gnu:bash:2.05:b
    • cpe:/a:gnu:bash:3.0
    • cpe:/a:gnu:bash:3.0.16
    • cpe:/a:gnu:bash:3.1
    • cpe:/a:gnu:bash:3.2
    • cpe:/a:gnu:bash:3.2.48
    • cpe:/a:gnu:bash:4.0
    • cpe:/a:gnu:bash:4.0:rc1
    • cpe:/a:gnu:bash:4.1
    • cpe:/a:gnu:bash:4.2
    • cpe:/a:gnu:bash:4.3
    • Denotes Vulnerable Software
      Changes related to vulnerability configurations
      Technical Details
      Vulnerability Type (View All)

    OS Command Injections (CWE-78)

    CVE Standard Vulnerability Entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271



  • This is the only discussion I found when searching the forums for CVE-2014-6271 - this is a bad one, every distro I've been looking at today either has a patch, or is working on it.  I realize that bash is not the defualt FreeBSD shell, and isn't even included in the FreeBSD install, but I'm wondering if there are any packages that might install it into pfsense? I took a look at my installs and I don't see a /bin/bash, but I'm afraid I may be missing something….



  • You can always use 'find' to search for a binary named bash:

    
    [2.1.5-RELEASE][root@myrouter]/(1): find / -name bash -print
    [2.1.5-RELEASE][root@myrouter]/(2):
    
    

  • Rebel Alliance Developer Netgate

    The bash issue going around appears to only affect one commonly used package, and not the base system. The base system does not include bash, no problem there.

    The affected packages are:

    • Anyterm
    • Contains bash in its binaries which are in the git repo, not a .pbi or .tgz. This package may simply be retired as it is unmaintained and is rarely used.
    • Freeswitch-dev
    • Runs pkg_add for bash. Not actively maintained, could probably be safely removed with minimal impact.
    • FreeRADIUS2
    • Adds bash via pkg_add using FreeBSD's 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). We're looking into the best way to fix it.

    Also include bash and will have rebuilt PBIs shortly:

    • Mailscanner

    The following packages use bash to build but do NOT include the bash binary in their PBI for use on the firewall:

    • git
    • avahi
    • ntopng

    Overall, not a huge impact.

    EDIT: Added mailscanner which also includes bash, though it doesn't do so explicitly something it needs must have pulled it in as a dependency.


  • Rebel Alliance Developer Netgate

    FreeRADIUS2 has been updated, should show an update available soon.

    Mailscanner will be updated some time tomorrow.


  • Rebel Alliance Developer Netgate

    Affected packages have been either updated or removed (thanks to garga).

    • FreeRADIUS2: Package updated with a patched version of bash
    • Mailscanner: Package updated with a patched version of bash
    • FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.

    Other packages that had a reference to bash but are not vulnerable:

    • Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
    • git: Used bash during build, but did not include bash in its PBI
    • avahi: Used bash during build, but did not include bash in its PBI
    • ntopng : Used bash during build, but did not include bash in its PBI


  • @jimp:

    • Mailscanner: Package updated with a patched version of bash

    I've update the Mailscanner package and it looks like bash has been completely removed from the system instead.

    # bash
    bash: Command not found.
    
    # find -f / bash
    ...
    find: bash: No such file or directory
    


  • Could anybody please attach a gzipped patched binary here, to optionally replace it manually? Or maybe an URL to download the new .tgz?


  • Rebel Alliance Developer Netgate

    There is no new tgz. For packages that require it, it is built into their PBI. Not sure why it didn't show up in mailscanner, but feel free to open a ticket in redmine for it if mailscanner is misbehaving because of its absence. It should also be the new FreeRADIUS2 PBI, so if you really want it, install that and copy the binary from there, then you could remove it if you want.

    It is highly unlikely we'll make a stand-alone package just for bash.



  • I Installed freeradius2 package on my i386 NanoBSD box, and it didn't pull the bash binary as far as I can see:

    /usr/local/bin(11): ls -la | grep bash
    lrwxr-xr-x   1 root  wheel       36 Sep 27 19:31 bashbug -> /usr/pbi/freeradius-i386/bin/bashbug
    /usr/local/bin(12): bash
    bash: Command not found.
    

    :o



  • @Bismarck:

    I've update the Mailscanner package and it looks like bash has been completely removed from the system instead.

    Confirming that bash is missing from Mailscanner too.



  • :o :o :o

    Nobody cares?


  • Rebel Alliance Developer Netgate

    It's being looked at, they're apparently there on 2.2, though if you install one and then the other and remove one, the symlink goes with it.

    There was another update to bash that needs put in anyhow, but it's mostly cosmetic (version bump) since the previous + patches has the fix already.

    Since bash isn't there (and thus really isn't vulnerable  ;D ) it isn't as high a priority, though it'll be fixed soon.


  • Rebel Alliance Developer Netgate


  • Administrator

    @robi:

    @Bismarck:

    I've update the Mailscanner package and it looks like bash has been completely removed from the system instead.

    Confirming that bash is missing from Mailscanner too.

    Please try last package version. Both PBIs were rebuilt and bash is inside.



  • Thanks.

    Tried freeradius2 package by deleting it and installing it again. The patched bash binary is deployed on both i386 and amd64 platforms.


Log in to reply