INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: Security problem with Bash shell  (Read 4591 times)

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72438
  • Where did I put my teeth?
Security problem with Bash shell
« on: September 25, 2014, 11:03:48 am »

I can't confirm this, but it appears to be serious:

http://www.tomsguide.com/us/shellshock-osx-linux,news-19614.html
Logged

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5234
  • "Linux Merit Badge" Recipient
Re: Security problem with Bash shell
« Reply #1 on: September 25, 2014, 11:16:57 am »

I can't confirm this, but it appears to be serious:

http://www.tomsguide.com/us/shellshock-osx-linux,news-19614.html

I saw a bash patch come through one of my updates last night and wondered "what could they be changing in a 25 year old shell scripting language?" Arch and Debian at least are taking it seriously enough to update bash immediately (and Red Hat too, it sounds like)

It's all over the computer security news now (ZDNet picked it up). Run, don't walk to fix it, especially on anything that's network accessible...
Logged

Awesome Donkey

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 7804
  • Autumn shade...
Re: Security problem with Bash shell
« Reply #2 on: September 25, 2014, 12:05:26 pm »

It's not 100% fixed yet even after the patches.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Logged
I don't work for JRiver... I help keep the forums safe from "male enhancements" and other sources of sketchy pharmaceuticals.

Windows 11 24H2 Update 64-bit + Ubuntu 24.10 Oracular Oriole 64-bit | Windows 11 24H2 Update 64-bit (Intel N305 Fanless NUC 16GB RAM/500GB M.2 NVMe SSD)
JRiver Media Center 33 (Windows + Linux) | iFi ZEN DAC 3 | JBL 306P MkII Studio Monitors | Audio-Technica ATH-M50x Headphones

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13870
Re: Security problem with Bash shell
« Reply #3 on: September 25, 2014, 12:18:07 pm »

Pretty dumb.
I'd like to see how that applies to real-world exploits.
I don't see anyone opening up their machines to the outside world with bash scripts. Does anyone use those in any web services?
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10933
Re: Security problem with Bash shell
« Reply #4 on: September 25, 2014, 12:20:01 pm »

Its apparently easily exploitable if you use cgi based web services, since bash does the hand-over in the middle, which is a pretty common setup for many scripting languages.
Logged
~ nevcairiel
~ Author of LAV Filters

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13870
Re: Security problem with Bash shell
« Reply #5 on: September 25, 2014, 12:35:30 pm »

Its apparently easily exploitable if you use cgi based web services, since bash does the hand-over in the middle, which is a pretty common setup for many scripting languages.
Interesting.
So the php scripts are executed by bash.
More likely by the system shell of the user the webserver is running under which isn't necessarily bash, dash is more commonly linked to the /bin/sh now.
I wonder if it's got the same issue?
Logged

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5234
  • "Linux Merit Badge" Recipient
Re: Security problem with Bash shell
« Reply #6 on: September 25, 2014, 01:15:24 pm »

Interesting.
So the php scripts are executed by bash.
More likely by the system shell of the user the webserver is running under

My understanding is that you get the same permissions as the user you're using to get in, you can execute whatever, say, the "apache" user is capable of executing.

Quote
which isn't necessarily bash, dash is more commonly linked to the /bin/sh now.
I wonder if it's got the same issue?

The newsmedia are reporting dash is not vulnerable (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/), but according to some users on Reddit who tried the exploit on their Debian and Ubuntu systems, they were not immune to the exploit, so I'm not sure how to reconcile that.

And dash is only the default on Debian based distros, I think; Red Hat and many other distros (e.g Arch) still use bash as system default.
Logged

pahunt

  • World Citizen
  • ***
  • Posts: 236
Re: Security problem with Bash shell
« Reply #7 on: September 26, 2014, 01:49:39 am »

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13870
Re: Security problem with Bash shell
« Reply #8 on: September 26, 2014, 10:08:55 am »

The debian distros were updated again this morning.
It SEEMS to have taken care of the problem (for now).
There are already active hacking attempts going on out there.
Logged

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5234
  • "Linux Merit Badge" Recipient
Re: Security problem with Bash shell
« Reply #9 on: September 26, 2014, 10:14:41 am »

The debian distros were updated again this morning.
It SEEMS to have taken care of the problem (for now).
There are already active hacking attempts going on out there.

Was that in sid, testing, or somewhere else?  I haven't seen a second update come through this morning on my Debian Jessie box and I've been updating and dist-upgrading every few hours.  

Edit: never mind it's in Sid, I just found it.
Logged

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13870
Re: Security problem with Bash shell
« Reply #10 on: September 26, 2014, 11:54:54 am »

Was that in sid, testing, or somewhere else?  I haven't seen a second update come through this morning on my Debian Jessie box and I've been updating and dist-upgrading every few hours. 

Edit: ever mind it's in Sid, I just found it.
It's in wheezy as well
Logged

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5234
  • "Linux Merit Badge" Recipient
Re: Security problem with Bash shell
« Reply #11 on: September 26, 2014, 11:58:20 am »

It's in wheezy as well

Weird, it still hasn't hit Jessie; I guess they are pretty explicit that testing doesn't necessarily get security updates as fast as stable.
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10933
Re: Security problem with Bash shell
« Reply #12 on: September 26, 2014, 12:49:07 pm »

Weird, it still hasn't hit Jessie; I guess they are pretty explicit that testing doesn't necessarily get security updates as fast as stable.

They do warn you about that on the downloads page. Only stable is maintained by the security team.
Logged
~ nevcairiel
~ Author of LAV Filters

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5234
  • "Linux Merit Badge" Recipient
Re: Security problem with Bash shell
« Reply #13 on: September 26, 2014, 01:00:29 pm »

They do warn you about that on the downloads page. Only stable is maintained by the security team.

Yeah, it's one of the hazards of unstable, they just pushed through the initial patch so fast yesterday I thought they might push the second one through at the same speed. I pulled in the fix from sid, so i'm not too worried about it on my systems. If anyone reading this is running Debian Jessie or testing, only the first of two patches has made it in so far, you may still be exposed.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Security problem with Bash shell
« Reply #14 on: September 26, 2014, 11:51:14 pm »

It's baaaack:
http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

The patch to the patch apparently isn't good either.  Looks pretty fundamental, and they're patching at the edges.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13870
Re: Security problem with Bash shell
« Reply #15 on: September 26, 2014, 11:58:59 pm »

It's baaaack:
http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

The patch to the patch apparently isn't good either.  Looks pretty fundamental, and they're patching at the edges.
Bloody hell.
May be time to uninstall it.
Logged

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5234
  • "Linux Merit Badge" Recipient
Re: Security problem with Bash shell
« Reply #16 on: September 27, 2014, 06:55:20 am »

Bloody hell.
May be time to uninstall it.


My understanding is that the gnu gcc toolchain relies heavily on bash, so if you remove it you may have trouble compiling if you use gcc.  Debian's tried to eliminate bash dependence from official packages, but that's not guaranteed, and that obviously doesn't extend to packages you build yourself.  

At least Debian users could give it a shot; the Arch admins have more or less suggested that uninstalling bash would break their packaging/update system entirely.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Security problem with Bash shell
« Reply #17 on: September 27, 2014, 09:37:48 am »

My understanding is that the gnu gcc toolchain relies heavily on bash, so if you remove it you may have trouble compiling if you use gcc.

You could, also, if you do use gcc, try switching to Clang/LLVM.  It is probably faster anyway, and has a more liberal license.

Of course, that doesn't help if dpkg and apt are both totally broken.   :-\
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5234
  • "Linux Merit Badge" Recipient
Re: Security problem with Bash shell
« Reply #18 on: September 27, 2014, 11:57:51 am »

You could, also, if you do use gcc, try switching to Clang/LLVM.  It is probably faster anyway, and has a more liberal license.

Yeah that's a perfectly good workaround for systems that can run bashless, although, for my personal uses, I prefer gcc because it's still (for the moment) generally faster at runtime if not at compile time.  Based on the trajectory of the benchmarks, in another year or two, clang will probably become completely superior all the way around.

Quote
Of course, that doesn't help if dpkg and apt are both totally broken.   :-\

Just so nobody gets confused, I think Debian's packaging system generally works fine without bash because Debian's made a conscious effort to migrate away from bash (it's just not guaranteed that everything will work sans bash).  What I meant by my comment above was that the Arch Linux devs basically indicated that parts of Arch's packaging system would not work without bash at the moment, and I think the same thing is true of Red Hat (which is one of the reasons they're leading the charge to get this patched).
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Security problem with Bash shell
« Reply #19 on: September 27, 2014, 05:14:09 pm »

He might already be using it, since they need it to compile on OSX anyway.  It'd be easier to target one compiler, wouldn't it?
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Security problem with Bash shell
« Reply #20 on: September 27, 2014, 05:16:52 pm »

I prefer gcc because it's still (for the moment) generally faster at runtime if not at compile time.

The benchmarks I've seen, for C at least, the last couple of revisions have been very back and forth.  LLVM/Clang is a bit ahead in some places, tied in others, behind in a few, then a new dev gcc comes along and it is a bit ahead in some places, tied in others, behind in a few.  Though, I can't really speak incredibly intelligently about the places where one or the other is important, so...  :-\

I don't know much about how it handles C++, though.  Mostly what I've looked at lately is the unbelievable gains in Swift performance, which have been nothing less than stunning over the course of development since announcement.

The LLVM system, of course, has other benefits.  But, gcc is so longstanding that even if it didn't often win benchmarks, it would be very hard to displace en masse.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13870
Re: Security problem with Bash shell
« Reply #21 on: September 28, 2014, 07:14:59 pm »

Currently using GCC.
There isn't very good clang support in eclipse though since Hendrik made our new and improved build system it'd probably be pretty simple to switch.
Logged
Pages: [1]   Go Up