Shellshock Bash exploit

(imported topic written by sinucus)

Any word on when IBM will release the patch for “Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)”?


(imported comment written by nberger91)

Following …

(imported comment written by Javiermr)

Also interested!

(imported comment written by jfschafer)

I heard through the grapevine, it’s going to be later today sometime before IBM is releasing the content to detect Bash vulnerabilities, mostly because it’s on such a wide amount of non-Windows OS’s. On a side note I made a post in the security analytics section of the forum that shows you how to write an analysis to collect the Bash versions for RPM based and Ubuntu based systems. Still trying to figure out Solaris, Mac etc. (feel free to post in that thread any ideas). I think Mac is going to require running a command and then parsing output to a file to get a property that shows Bash version. I can’t find anywhere where you can pull the version of bash without generating a command to a file and parsing it (any ideas welcome here too).

I made a post (https://www.ibm.com/developerworks/community/forums/html/topic?id=9907c658-94ce-40c4-a4b5-f95939b74c09&ps=25) that gives some analysis tips to get the version of bash on your systems for this and future needs.

(imported comment written by jfschafer)

IBM just released content a few hours ago. There’s an action in the fixlets area (search for Shellshock) that you can assign to all non-Windows systems. It writes a file called “isBashVulnerable.txt” to the root directory of the agent folder and then you can activate an analysis 1829 “Shell Shock Bash Vulnerability (CVE-2014-7169) Status” that parses this file and reports a computer property if the system is vulnerable. I also saw some RedHat patches as actual fixlets come out at the same time.

In the meantime here’s a good 13 minute SANS video educating about what Shell Shock is, how it’s exploited, how to detect and what the risks and recommendations are.

SANS Shell Shock Briefing
There’s also a good FAQ

(imported comment written by JMaple)

There is a problem with the analysis and task that IBM has released. After patching we re-ran the task to test the vulnerability. The test still comes up positive for the vulnerability and I think it has to do with the logic of the task. In the task, it runs the following script:

#!/bin/sh
env X="() {{ :;} ; echo vulnerable" /bin/sh -c "echo " > "{parameter "outputFile"}"
env X="() {{ :;} ; echo vulnerable" `which bash` -c "echo " >> "{parameter "outputFile"}"

env -i  X='() {{ (a)=>\' /bin/sh -c 'echo echo vulnerable'; cat echo  >> "{parameter "outputFile"}"
env -i  X='() {{ (a)=>\' `which bash` -c 'echo echo vulnerable'; cat echo  >> "{parameter "outputFile"}"

The problem is that the highlighted lines of the script are indicating the vulnerability still exists because they are treating echo like a command line command instead of a bash command. So the script still prints the word “vulnerable” in the outputFile which is what the analysis is looking for to indicate vulnerability. The task produces a false positive and, therefore, is not reliable. Looks like IBM didn’t think this one through or test it enough before pushing it out.

EDIT: It should be noted that I am not an expert on bash scripting or *NIX in general. But I removed the second echo in the statement and it came up as “Not Vulnerable”. I think this is because “vulnerable” is not a CLI command either so it produced an error rather than writing “vulnerable” to the file.
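A self-contained version of the two probes in the script quoted above, added here as an example (not IBM's task and not code from this thread): it reports CVE-2014-6271 and CVE-2014-7169 separately and runs the second probe in a fresh temporary directory, so the result depends only on the current run. It assumes the doubled `{{` in the quoted task is an escape for a single `{`; the function names and the `SHELLSHOCK_BASH` variable are made up for the example.

```shell
#!/bin/sh
# Added example. SHELLSHOCK_BASH and the function names are hypothetical.
SHELLSHOCK_BASH=${SHELLSHOCK_BASH:-$(command -v bash)}

# CVE-2014-6271: a vulnerable bash runs the text that follows the function
# body while importing X, so "vulnerable" is printed before the probe output.
check_6271() {
    [ -n "$SHELLSHOCK_BASH" ] || { echo no-bash; return; }
    out=$(env X='() { :;}; echo vulnerable' "$SHELLSHOCK_BASH" -c 'echo probe' 2>/dev/null) || true
    case $out in
        vulnerable*) echo vulnerable ;;
        *)           echo not-vulnerable ;;
    esac
}

# CVE-2014-7169: a vulnerable bash mis-parses X and runs "echo vulnerable"
# with its output redirected into a new file named "echo" in the current
# directory. The probe runs in an empty temporary directory, so the mere
# existence of that file afterwards is the signal, and files left in other
# directories by earlier runs cannot influence the answer.
check_7169() {
    [ -n "$SHELLSHOCK_BASH" ] || { echo no-bash; return; }
    work=$(mktemp -d) || { echo error; return; }
    ( cd "$work" && env -i X='() { (a)=>\' "$SHELLSHOCK_BASH" -c 'echo echo vulnerable' ) >/dev/null 2>&1 || true
    if [ -f "$work/echo" ]; then
        result=vulnerable
    else
        result=not-vulnerable
    fi
    rm -rf "$work"
    echo "$result"
}

# One line per host, one field per CVE, so a host that has only the first
# fix installed shows up as such instead of as a single yes/no.
shellshock_status() {
    echo "CVE-2014-6271=$(check_6271) CVE-2014-7169=$(check_7169)"
}

shellshock_status
```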

(imported comment written by nberger91)

When will IBM be publishing all patches related to this vulnerability? New patches were released on September 27th relating to CVE-2014-6277 and CVE-2014-6278. The source release date for the RHEL patches in my console is 26th Sept.

(imported comment written by sahinb)

Hi, according to https://access.redhat.com/solutions/1207723:

In order to avoid exploitation from CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278, ensure that your system is updated to at least the following versions of Bash, which also includes the prior fixes:

RHSA-2014:1306

Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.4

Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.2

Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.4

RHSA-2014:1311

Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.4

Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.2

Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.3

Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.2

Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.2

RHSA-2014:1312

SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.2

SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.2

We have released the fixlets for RHSA-2014-1306. The other two are targeting extended/advanced support channels and SJIS Support which we don’t provide fixlets for.

If you were referring to a different errata, let me know.