ALERT BASH Security Vulnerability

bcmike

New Member
Joined
Aug 15, 2008
Messages
17
Reaction score
8
The early patches were not complete but now are, fixing the "known" issues; even the Red Hat link you posted shows this as a solution, not an open issue.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Rrrr: On Ubuntu systems, there is no yum. It's apt-get. The provided script showed you didn't have a problem. You can't do any better than that... until the next surprise. :eek:
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
FYI: The current bash patch is incomplete, and is still not 100% effective.

As per: http://seclists.org/oss-sec/2014/q3/695

More information here: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Keep an eye on your boxes, and keep looking for an updated patch here (Red Hat): https://access.redhat.com/solutions/1207723

I have a friend that's a high end security consultant and he's super nervous about this right now, even with the patch in place.


Good reason to be nervous when a simple web request can implant a Trojan on your servers. It's yet another reason to NEVER EVER OPEN PORT 80 TO PUBLIC INTERNET ACCESS ON PIAF AND INCREDIBLE PBX SERVERS!

Either run the servers behind hardware-based firewalls with NO INTERNET PORT EXPOSURE or

Lock down IPtables with WhiteList access only from known (safe) IP addresses.
The new Incredible PBX builds do this for you automatically. It's your phone bill. :idea:
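Ward's second option above (iptables with whitelist-only access) is straightforward to express as a ruleset. As an added example, not Incredible PBX's or Travelin' Man's own code, here is a POSIX shell function that emits a whitelist-only ruleset for the TCP ports you choose; the source addresses are constructed placeholders. It prints the rules instead of applying them so they can be reviewed before being run as root, and it sets the DROP policy last so that an admin's existing SSH session is not cut off halfway through.

```shell
#!/bin/sh
# Added example (not Incredible PBX / Travelin' Man code): print an iptables
# ruleset that lets only whitelisted sources reach the given TCP ports and
# drops all other inbound traffic. The rules are printed, not applied; review
# them and then pipe the output to `sh` as root. Rules are appended, so any
# fail2ban chains already in INPUT are left in place.

# Constructed placeholders: an office address and the admin's home network.
WHITELIST="203.0.113.10 198.51.100.0/24"
PORTS="22 80"

# build_whitelist_rules "SRC SRC/CIDR ..." "PORT PORT ..." -> iptables commands
build_whitelist_rules() {
    sources=$1
    ports=$2
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ports; do
        for src in $sources; do
            echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
        done
    done
    # Default-deny goes last: with the ACCEPT rules already loaded, the session
    # you are typing in survives the policy change.
    echo "iptables -P INPUT DROP"
}

# count_allow_rules "SRCs" "PORTs" -> number of per-source ACCEPT rules emitted
count_allow_rules() {
    build_whitelist_rules "$1" "$2" | grep -c -- '--dport .* -j ACCEPT'
}

build_whitelist_rules "$WHITELIST" "$PORTS"
```

Anything not in the whitelist, including every scanner on the Internet, hits the DROP policy; a web request can only reach Apache from an address you listed.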
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
there is another patch out today


Right you are. Details here. BASH Patch #2 has already been pushed out to Incredible PBX systems. For everybody else, here's the latest update script:
Code:
cd /root
wget http://incrediblepbx.com/bash-fix2.tar.gz
tar zxvf bash-fix2.tar.gz
rm -f bash-fix2.tar.gz
./bash-fix2

Might wanna keep this script handy for a bit to see if it needs to be run again in a day or two. :crazy:
 

MacNix

Guru
Joined
Jun 21, 2011
Messages
198
Reaction score
31
I do wish you people would get on the ball and get these patches done in a timely manner.... :hammer:

Actually, I was consulting a client yesterday afternoon, regarding network vulnerability in a medium-size business (13.5K people) that's gone ONLY with non-open-source products, because of their concerns about quality and upkeep on any open source type platforms.

In our meeting (me, head of IT security, and CEO), the IT head was a bit embarrassed when I brought up Shockwave (which he didn't even know about as of 4pm), then even more so when I mentioned it'd already been addressed by almost all the open source folks, but we're still waiting for Apple and several others to bring out patches..... it MIGHT'VE gotten me another service contract....
 

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
772
Reaction score
124
Maybe I'm doing something wrong.

Running on a RentPBX machine -
┌────────────────────────SYSTEM INFORMATION───────────────────────────┐
│ Asterisk = ONLINE | Dahdi = ONLINE | MySQL = ONLINE │
│ SSH = ONLINE | Apache = ONLINE | Iptables = ONLINE │
│ Fail2ban = ONLINE | Internet = ONLINE | Ip6Tables = ONLINE │
│ Disk Free = ADEQUATE| Mem Free = ADEQUATE| NTPD = ONLINE │
│ SendMail = ONLINE | Samba = OFFLINE | Webmin = ONLINE │
│ Ethernet0 = ONLINE | Ethernet1 = N/A | Wlan0 = N/A │
│ │
│ PIAF Installed Version = 3.0.6.5 under *XEN* on Rent PBX │
│ FreePBX Version = 2.11.0.38 │
│ Running Asterisk Version = 11.10.2 │
│ Asterisk Source Version = 11.10.2 │
│ Dahdi Source Version = 2.9.1.1 │
│ Libpri Source Version = 1.4.15 │
│ IP Address = MY IP on eth0 │
│ Operating System = Scientific Linux release 6.5 │
│ Kernel Version = 2.6.32-431.5.1.el6.i686 - 32 Bit │
│ Incredible Version = 11.10 │
└─────────────────────────────────────────────────────────────────────┘


Running Script #1 returns:

Setting up Update Process
No Packages marked for Update
BASH update missing. Try again later.


Running script #2 returns:
Setting up Update Process
No Packages marked for Update
BASH #2 vulnerability resolved.
Running the test command:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
returns:

vulnerable
this is a test

This is even after I reboot.
What should I do/change?
Andrew
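The one-liner Andrew ran is the standard Shellshock check: a function definition is exported through an environment variable, and a vulnerable bash executes the command that follows the function body while importing it. As an added example, not code from the thread or from Incredible PBX's fix scripts, here is that same check wrapped in POSIX shell functions so the result can be read by a cron job or a config audit rather than eyeballed; it assumes the bash under test is the first `bash` on PATH unless a path is passed in.

```shell
#!/bin/sh
# Added example (not a script from this thread or from Incredible PBX): wrap the
# env-var function-import test in functions and classify the output.
# Assumption: the binary under test is `bash` from PATH, or the path in $1.

# classify_shellshock_output "captured output" -> prints VULNERABLE or PATCHED
# A vulnerable bash runs the trailing `echo vulnerable` while importing the
# function, so "vulnerable" appears before the real command's output. A patched
# bash prints only "this is a test" (newer builds also print a warning that the
# function definition was ignored; that warning never contains "vulnerable").
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo VULNERABLE ;;
        *)            echo PATCHED ;;
    esac
}

# run_shellshock_test [/path/to/bash] -> VULNERABLE or PATCHED for that binary
run_shellshock_test() {
    bash_bin=${1:-bash}
    # stderr is captured too, so a patched bash's warning is visible in logs.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1)
    classify_shellshock_output "$out"
}

if command -v bash >/dev/null 2>&1; then
    echo "bash version: $(bash -c 'echo "$BASH_VERSION"')"
    echo "function-import check: $(run_shellshock_test)"
fi
```

Passing an explicit path (for example `run_shellshock_test /bin/bash.old`) lets you compare a backed-up binary against the newly installed one, which is useful when a yum update reports nothing to do but you are not sure which bash the system is actually running.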
 

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
772
Reaction score
124
I saw that post; however, my error is quite different - I'm simply being told that bash isn't available. The original post indicates, essentially, an error condition.

No response yet (over the weekend) from RentPBX.
 

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
772
Reaction score
124
For whatever reason, without further intervention, the command line test passes.

Andrew
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Just to reiterate that the entire BASH fiasco should be academic to those using Incredible PBX or PIAF with Travelin' Man 3. Port 80 should never be exposed to the Internet, and your root password obviously should be secure. If those two prerequisites are met, then any BASH vulnerability really doesn't much matter.
 

rentpbx

Guru
Joined
Nov 2, 2010
Messages
109
Reaction score
16
AndyInNYC, you may want to clean the yum cache. Try yum clean all. Then you can retry the yum update -y bash. If this still fails, please file a ticket and if you can give us access to your box, we would be more than happy to help you.
 

steven

Guru
Joined
Jun 11, 2013
Messages
24
Reaction score
11
The patches don't appear to work on RasPBX running on a BeagleBone Black because Ubuntu is no longer supporting Raring as of July and the repos have been moved to the old-versions server (which don't have the patch available that I can see). Is there a newer version of RasPBX that I can install or some other way I can get the patch without having to build bash from source?

Thanks as always Ward for being on the ball! :)
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
steven is correct. BeagleBone Black build of RasPBX (not our product) is using an older version of Ubuntu which is no longer supported. I've compiled all available BASH fixes into a new version of BASH, but the SegFault test still flunks. 4 out of 5 tests pass with this update. We'll keep checking.
Code:
cd /bin
cp bash bash.old
cd /root
wget http://incrediblepbx.com/bash-bbb.tar.gz
tar zxvf bash-bbb.tar.gz
rm bash-bbb.tar.gz
cp -f bash /bin/bash

Special thanks to Steve Jenkins for documenting the compile process and also providing the 5 BASH tests for all known vulnerabilities.

In light of Ubuntu's move of these repos, you probably should also update /etc/apt/sources.list and then apt-get update:
Code:
deb http://old-releases.ubuntu.com/ubuntu/ raring main universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ raring main universe multiverse
 
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ raring-updates main universe multiverse
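The bash-bbb tarball above is built for the BeagleBone Black, an ARM board. The same copy-over-/bin/bash steps on an i686 or x86_64 PIAF box would install a binary the kernel cannot execute (it refuses with "Exec format error"), and the bash.old backup, restored with cp from a session that is still open, is the way back. As an added example, not part of Ward's script, here is a POSIX shell check that compares the architecture `file` reports for the new binary against `uname -m` before replacing anything; it assumes `file` is installed and that its ELF output uses the usual wording ("Intel 80386", "x86-64", "ARM").

```shell
#!/bin/sh
# Added example (not part of the bash-bbb script): refuse to copy a prebuilt
# bash over /bin/bash unless it was built for this machine's architecture.
# Assumption: file(1) is installed and prints its usual ELF description.

# arch_family "output of file -b BINARY" -> x86_64 | x86 | arm | unknown
arch_family() {
    case "$1" in
        *"x86-64"*|*"x86_64"*)          echo x86_64 ;;
        *"Intel 80386"*|*"Intel i386"*) echo x86 ;;
        *"ARM"*|*"aarch64"*)            echo arm ;;
        *)                              echo unknown ;;
    esac
}

# host_family "output of uname -m" -> same families as arch_family
host_family() {
    case "$1" in
        x86_64|amd64) echo x86_64 ;;
        i?86)         echo x86 ;;
        arm*|aarch64) echo arm ;;
        *)            echo unknown ;;
    esac
}

# binary_matches_host "file output" "uname -m output" -> exit 0 if they agree
binary_matches_host() {
    bin_fam=$(arch_family "$1")
    [ "$bin_fam" != unknown ] && [ "$bin_fam" = "$(host_family "$2")" ]
}

# install_if_compatible NEW_BASH: keep a rollback copy, then replace /bin/bash
# only when the family check passes. Run as root.
install_if_compatible() {
    new=$1
    desc=$(file -b "$new")
    if binary_matches_host "$desc" "$(uname -m)"; then
        cp /bin/bash /bin/bash.old && cp -f "$new" /bin/bash
    else
        echo "refusing to install $new: binary is $(arch_family "$desc"), host is $(uname -m)" >&2
        return 1
    fi
}
```

Usage on the BeagleBone would be `install_if_compatible /root/bash`; on an x86 box the same call stops with a message instead of leaving the system without a working /bin/bash.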
 

steven

Guru
Joined
Jun 11, 2013
Messages
24
Reaction score
11


Done and done, thanks! It's really too bad that the project has been neglected as long as it has been - the BBB is a very capable device and has been handling all of my VoIP needs quite nicely at next to zero power usage. For now this will have to do - I can verify that it does patch all but the segfault problem. In theory you should only have SIP ports forwarded to the box with a certain range of trusted IPs with Travelin' Man anyway..... ;)
 

Ramblin

Guru
Joined
Oct 28, 2010
Messages
138
Reaction score
9

I ran the 7 commands shown above on my (old) version of PBXiaf and when I then tried to run
update-fixes
I got an error message
Exec format error: /bin/sh

I wondered if I had somehow disabled bash so tried a bash script I had written and it executed fine.

I then tried update-programs just to test and got the same error message

My system is
┌───────────────────SYSTEM INFORMATION *VERIFIED*─────────────────────┐
│ Asterisk = ONLINE | Dahdi = ONLINE | MySQL = ONLINE │
│ SSH = ONLINE | Apache = ONLINE | Iptables = ONLINE │
│ Fail2ban = ONLINE | Internet = ONLINE | Ip6Tables = ONLINE │
│ Disk Free = ADEQUATE| Mem Free = CRITICAL| NTPD = ONLINE │
│ SendMail = ONLINE | Samba = OFFLINE | Webmin = ONLINE │
│ Ethernet0 = ONLINE | Ethernet1 = N/A | Wlan0 = N/A │
│ │
│ PIAF Installed Version = 2.0.6.2 under *HARDWARE* │
│ FreePBX Version = 2.9.0.14 │
│ Running Asterisk Version = 1.8.22.0 │
│ Asterisk Source Version = 1.8.22.0 │
│ Dahdi Source Version = 2.6.2 │
│ Libpri Source Version = 1.4.12 │
│ IP Address = 192.168.1.225 on eth0 │
│ Operating System = CentOS release 6.2 (Final) │
│ Kernel Version = 2.6.32-220.13.1.el6.i686 - 32 Bit

Any ideas how I re-enable update-fixes?

R
 
