ALERT BASH Security Vulnerability

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
An incredibly serious security vulnerability has been discovered in BASH. It affects ALL Linux servers! You can read about it here.

Also affects Mac OS X machines. No shellshock patch yet available from Apple. Do-it-yourself patch here.

Patch for Incredible PBX systems already pushed out. Just log out and back in as root.

Everyone is urged to immediately patch your server(s) by downloading and running the following script to update BASH:
Code:
cd /root
wget http://incrediblepbx.com/bash-fix.tar.gz
tar zxvf bash-fix.tar.gz
rm -f bash-fix.tar.gz
./bash-fix
 

Trimline2

Guru
Joined
May 23, 2013
Messages
524
Reaction score
96
Ward:

Ran as directed and the job output was:

Complete!
bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
BASH vulnerability resolved.


Hope this is expected.
 
Joined
May 23, 2013
Messages
223
Reaction score
28
I just love patching servers in the morning :). FYI, ClearOS doesn't seem to have posted a patch yet!
 

sko001

Member
Joined
Jun 3, 2013
Messages
52
Reaction score
8
Had the same problem and retrying does not solve the issue. The error remains. Also tried a server reboot, but still the same.
 

sko001

Member
Joined
Jun 3, 2013
Messages
52
Reaction score
8
Actually, ignore the previous message; the message is "BASH vulnerability not found".
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Patches for all flavors of Incredible PBX have been pushed out. Will be updated the next time you log in as root.

update-fixes will follow tonight or just download and run the patch yourself.
 

MacNix

Guru
Joined
Jun 21, 2011
Messages
198
Reaction score
31
I just got the alert from RentPBX.

Ran their recommended yum command ("For those who use CentOS, please run yum update -y bash.") and got this response:

root@pbx1:~ $ yum update -y bash
Loaded plugins: fastestmirror, refresh-packagekit, security
Repository schmooze-commercial is listed more than once in the configuration
Determining fastest mirrors
Error: Cannot find a valid baseurl for repo: schmooze-commercial
root@pbx1:~ $



Ran Ward's patch and got this:
Checking for BASH vulnerability...
BASH has a problem. Attempting to update...
Loaded plugins: fastestmirror, refresh-packagekit, security
Repository schmooze-commercial is listed more than once in the configuration
Determining fastest mirrors
Error: Cannot find a valid baseurl for repo: schmooze-commercial
BASH update missing. Try again later.
root@pbx1:~ $

Recommendations?
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
652
Reaction score
272
Patches for all flavors of Incredible PBX have been pushed out. Will be updated the next time you log in as root.

update-fixes will follow tonight or just download and run the patch yourself.


Will the patch work on "plain" PIAF installations as well, or only on Incredible PBX, (which I -- correctly or mistakenly -- view as a distinct superset of PIAF)?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Will the patch work on "plain" PIAF installations as well, or only on Incredible PBX, (which I -- correctly or mistakenly -- view as a distinct superset of PIAF)?


Works fine on PIAF and Incredible PBX. Should work fine on almost any Linux server.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
("For those who use CentOS, please run yum update -y bash.") and got this response:

root@pbx1:~ $ yum update -y bash
Loaded plugins: fastestmirror, refresh-packagekit, security
Repository schmooze-commercial is listed more than once in the configuration
Determining fastest mirrors
Error: Cannot find a valid baseurl for repo: schmooze-commercial

grep "\[schmooze-commercial\]" /etc/yum.repos.d/*

and get rid of the duplicate.

Then you may also have to edit the file with the schmooze-commercial repo and set enabled = 0.

Then try again.
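The two steps above (find which .repo files define the same section more than once, then set enabled=0 in the one you want out of the way) as a small POSIX sh script. This is an added example and not part of the thread or of the bash-fix script; it works on a throwaway directory of constructed .repo files rather than on /etc/yum.repos.d, and the repo names and paths in the sample are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): locate yum repo sections that are
# defined in more than one .repo file, which is what the warning
# "Repository X is listed more than once in the configuration" is about,
# and disable a chosen section in a chosen file by rewriting enabled=... to enabled=0.

make_sample_repos() {
    # Constructs a throwaway yum.repos.d-style directory and prints its path.
    # The contents are constructed sample data, not real repo definitions.
    d=$(mktemp -d)
    cat > "$d/piaf.repo" <<'EOF'
[piaf]
name=PBX in a Flash (sample)
baseurl=http://example.invalid/piaf
enabled=1

[schmooze-commercial]
name=Schmooze Commercial (sample, first copy)
enabled=1
EOF
    cat > "$d/schmooze.repo" <<'EOF'
[schmooze-commercial]
name=Schmooze Commercial (sample, duplicate copy)
enabled = 1
EOF
    printf '%s\n' "$d"
}

find_duplicate_repos() {
    # $1: directory containing .repo files.
    # Prints "section: file1 file2 ..." for every section defined more than once.
    grep -H '^\[[^]]*\]' "$1"/*.repo 2>/dev/null \
      | sed 's/^\([^:]*\):\[\(.*\)\]$/\2 \1/' \
      | sort \
      | awk '{ files[$1] = files[$1] " " $2; count[$1]++ }
             END { for (r in count) if (count[r] > 1) print r ":" files[r] }' \
      | sort
}

disable_repo() {
    # $1: .repo file, $2: section name.
    # Rewrites any "enabled = ..." line inside that section to "enabled=0",
    # leaving every other section in the file untouched.
    awk -v sec="[$2]" '
        /^\[/ { insec = ($0 == sec) }
        insec && /^enabled[[:space:]]*=/ { print "enabled=0"; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on the constructed sample directory.
dir=$(make_sample_repos)
echo "Duplicate repo sections under $dir:"
find_duplicate_repos "$dir"
disable_repo "$dir/schmooze.repo" schmooze-commercial
echo "After disabling the duplicate copy:"
cat "$dir/schmooze.repo"
rm -rf "$dir"
```

On a real box you would point find_duplicate_repos at /etc/yum.repos.d, decide which copy is the stray one (the thread's grep shows you the same file list), and run disable_repo on that file before retrying yum; the script never touches /etc on its own.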
 

MacNix

Guru
Joined
Jun 21, 2011
Messages
198
Reaction score
31
Just got this back from the folks at RentPBX...

try this: yum update --disablerepo=schmooze-commercial bash

You can now test if your bash is still vulnerable using this command

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


I ran it, then did the test:

root@pbx1:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Would you say this is a completed patch, with that response?
 

Trimline2

Guru
Joined
May 23, 2013
Messages
524
Reaction score
96
Fired up another one of my Centos 6.5 PBX standby boxes. At the bottom of the article here http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/ there is a way to determine the vulnerability of your system.

I entered the command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test" prior to Ward's patch.

root@pbx32-2:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Ran Ward's patch and reran the command

root@pbx32-2:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Again, thanks Ward!
 

Trimline2

Guru
Joined
May 23, 2013
Messages
524
Reaction score
96
Just got this back from the folks at RentPBX...

root@pbx1:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Would you say this is a completed patch, with that response?

You are good to go. The patch has been applied.
 

Rrrr

Tink
Joined
May 28, 2009
Messages
343
Reaction score
25
On RentPBX Incredible PBX with Ubuntu 14.4
I ran Ward's #1 post, but I get:
root@pbx2:~# ./bash-fix
Checking for BASH vulnerability...
bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
BASH vulnerability not found.
root@pbx2:~#
and
root@pbx2:/etc/network# yum update --disablerepo=schmooze-commercial bash
The program 'yum' is currently not installed. You can install it by typing:
apt-get install yum
root@pbx2:/etc/network# yum update -y bash
The program 'yum' is currently not installed. You can install it by typing:
apt-get install yum
After installing yum
root@pbx2:~# yum update -y bash
There are no enabled repos.
Run "yum repolist all" to see the repos you have.
You can enable repos with yum-config-manager --enable <repo>
root@pbx2:~# yum update --disablerepo=schmooze-commercial bash

Error getting repository data for schmooze-commercial, repository not found
and
root@pbx2:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
What should I do next?


EDIT:

Reboot showed that:
Checking whether update-ubuntu1414 is installed. INSTALLED: BASH Vulnerability Patched
 

Trimline2

Guru
Joined
May 23, 2013
Messages
524
Reaction score
96
On RentPBX Incredible PBX with Ubuntu 14.4
What should I do next?

Looks like your first job quoted fixed your issue. "BASH vulnerability not found" is indicative that the patch was applied the first time.

You can verify by entering env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The results should look like:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
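The thread's probe and its expected output, turned into a script that classifies the result. This is an added example, not the thread's own code or the bash-fix script; the probe line is exactly the one quoted above, and the two sample outputs embedded in the script are constructed copies of what posters pasted (one from before the patch, one from after). It serves both this post and MacNix's "would you say this is a completed patch" question.

```shell
#!/bin/sh
# Added example (not from the thread or from bash-fix): run the function-import
# probe for the original bash bug (CVE-2014-6271) and turn its output into one
# word, so "vulnerable", the two warning lines, or a bare echo are not eyeballed.

classify_probe_output() {
    # $1: combined stdout+stderr of the probe. Prints vulnerable|patched|unknown.
    case "$1" in
        *vulnerable*)
            # The command placed after the function body was executed while
            # bash imported the variable: the unfixed behaviour.
            echo vulnerable ;;
        *"ignoring function definition attempt"*)
            # bash refused the import and warned about it: the fixed behaviour
            # the thread shows after running the patch.
            echo patched ;;
        *"this is a test"*)
            # Later bash releases ignore such a variable silently, with no
            # warning at all; the trailing command still never ran.
            echo patched ;;
        *)
            echo unknown ;;
    esac
}

shellshock_status() {
    # $1: bash binary to probe (defaults to the bash found on PATH).
    b="${1:-bash}"
    # Identical probe to the one in the thread: an environment variable whose
    # value looks like an exported function, with a command appended after it.
    out=$(env x='() { :;}; echo vulnerable' "$b" -c 'echo this is a test' 2>&1) || true
    classify_probe_output "$out"
}

# Constructed sample outputs, in the shape the thread's posts show.
SAMPLE_BEFORE='vulnerable
this is a test'
SAMPLE_AFTER="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
this is a test"

printf 'sample before patch -> %s\n' "$(classify_probe_output "$SAMPLE_BEFORE")"
printf 'sample after patch  -> %s\n'  "$(classify_probe_output "$SAMPLE_AFTER")"
printf 'this machine        -> %s (%s)\n' "$(shellshock_status)" \
    "$(bash --version 2>/dev/null | head -n 1)"
```

"patched" here means only that this first bug is closed. The original fix was followed within days by further bash updates for related parser problems (CVE-2014-7169 and others), which is the "some fixes aren't totally complete" worry raised later in the thread; keep applying your distribution's bash updates rather than treating one clean run of this probe as the end of the story.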
 
Joined
May 22, 2013
Messages
301
Reaction score
44
Thanks for the advice on my other thread, Trimline2. I've removed that thread as a duplicate since I didn't see this one.

wardmundy, I went the whole hog on my Pi and ran
Code:
sudo apt-get update && sudo apt-get -y dist-upgrade

The vulnerability test code shows it appears fixed; is there any benefit in me running the patch as well? I gather from different online sources that some fixes aren't totally complete fixes.

Boy, didn't this one come out of the blue too! Remember the Heartbleed panic, anyone?
 
