ALERT BASH Security Vulnerability

Discussion in 'Bug Reporting and Fixes' started by wardmundy, Sep 25, 2014.

  1. wardmundy

    wardmundy Nerd Uno

    An incredibly serious security vulnerability has been discovered in BASH. It affects ALL Linux servers! You can read about it here.

    Also affects Mac OS X machines. No shellshock patch yet available from Apple. Do-it-yourself patch here.

    Patch for Incredible PBX systems already pushed out. Just log out and back in as root.

    Everyone is urged to immediately patch your server(s) by downloading and running the following script to update BASH:
    Code:
    cd /root
    wget http://incrediblepbx.com/bash-fix.tar.gz
    tar zxvf bash-fix.tar.gz
    rm -f bash-fix.tar.gz
    ./bash-fix
  2. Trimline2

    Trimline2 Guru

    Ward:

    Ran as directed and the job output was:

    Complete!
    bash: warning: badvar: ignoring function definition attempt
    bash: error importing function definition for `badvar'
    BASH vulnerability resolved.


    Hope this is expected.
     
  3. wardmundy

    wardmundy Nerd Uno

    Trimline2: Yep. That means it couldn't run the circumvention attempt... a good thing.

    You can run it again just to be sure. :)
  4. Chris Sweeney

    I just love patching servers in the morning :). FYI, ClearOS doesn't seem to have posted a patch yet!
  5. sko001

    sko001 Member

    Had the same problem and retrying does not solve the issue. The error remains. Also tried a server reboot, but still the same.
     
  6. Chris Sweeney


    What error remains?
     
  7. sko001

    sko001 Member

    Actually, ignore the previous message; the message is "BASH vulnerability not found".
     
  8. Chris Sweeney


    :oops:
  9. wardmundy

    wardmundy Nerd Uno

    Patches for all flavors of Incredible PBX have been pushed out. Will be updated the next time you log in as root.

    update-fixes will follow tonight or just download and run the patch yourself.
  10. MacNix

    MacNix Guru

    I just got the alert from RentPBX.

    Ran their recommended yum, ("For those who use Centos, please run yum update -y bash.") and got this response:

    [email protected]:~ $ yum update -y bash
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Repository schmooze-commercial is listed more than once in the configuration
    Determining fastest mirrors
    Error: Cannot find a valid baseurl for repo: schmooze-commercial
    [email protected]:~ $

    Ran Ward's patch and got this:

    Checking for BASH vulnerability...
    BASH has a problem. Attempting to update...
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Repository schmooze-commercial is listed more than once in the configuration
    Determining fastest mirrors
    Error: Cannot find a valid baseurl for repo: schmooze-commercial
    BASH update missing. Try again later.
    [email protected]:~ $

    Recommendations?
     
  11. tycho

    tycho Guru (not...)


    Will the patch work on "plain" PIAF installations as well, or only on Incredible PBX, (which I -- correctly or mistakenly -- view as a distinct superset of PIAF)?
     
  12. wardmundy

    wardmundy Nerd Uno


    Works fine on PIAF and Incredible PBX. Should work fine on almost any Linux server.
  13. wardmundy

    wardmundy Nerd Uno



    grep "\[schmooze-commercial\]" /etc/yum.repos.d/*

    and get rid of the duplicate.

    Then you may also have to edit the file with the schmooze-commercial repo and set enabled = 0.

    Then try again.
     
  14. MacNix

    MacNix Guru

    Just got this back from the folks at RentPBX...

    Try this: yum update --disablerepo=schmooze-commercial bash

    You can now test if your bash is still vulnerable using this command:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    I ran it, then did the test:

    [email protected]:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    Would you say this is a completed patch, with that response?
     
  15. Trimline2

    Trimline2 Guru

    Fired up another one of my Centos 6.5 PBX standby boxes. At the bottom of the article here http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/ there is a way to determine the vulnerability of your system.

    I entered the command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test" prior to Ward's patch.

    [email protected]:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

    Ran Ward's patch and reran the command:

    [email protected]:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    Again, thanks Ward!
  16. Trimline2

    Trimline2 Guru

    You are good to go. The patch has been applied.
  17. Rrrr

    Rrrr Guru

    On RentPBX Incredible PBX with Ubuntu 14.4
    I ran Ward's #1 post, but I get:
    and
    After installing yum
    and
    What should I do next?


    EDIT:

    Reboot showed that:
    Checking whether update-ubuntu1414 is installed. INSTALLED: BASH Vulnerability Patched
     
  18. Trimline2

    Trimline2 Guru

    Looks like your first job quoted fixed your issue. "BASH vulnerability not found" is indicative that the patch was applied the first time.

    You can verify by entering env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    The results should look like:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
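As an added example (not from this thread and not part of the Incredible PBX patch), a small POSIX shell function that runs the probe Trimline2 quotes and classifies the result so the warning lines are read as a pass rather than a failure; the function name and the BASH_BIN override are assumptions of this example, and it expects a `bash` binary on the PATH.

```shell
#!/bin/sh
# shellshock_status: run the thread's probe against a bash binary and classify
# the result. Added example; the function name and BASH_BIN are assumptions.
#
#   vulnerable       stdout contains "vulnerable": the command after the function
#                    body was executed while bash imported the variable
#   patched-initial  bash refused the import and warned about it (the output
#                    Trimline2 and MacNix pasted): the first-round fix is in place
#   patched          no warning at all: later bash builds export functions under
#                    a different variable-name scheme, so "x" is a plain variable
#   error            the probe could not be run or produced no output
#
# Exit status: 0 for either patched state, 1 for vulnerable, 2 for error.
shellshock_status() {
    bash_bin="${1:-${BASH_BIN:-bash}}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo error; return 2; }

    # The probe is exactly the thread's test command. An exported value that
    # starts with "() {" looks like a function definition; an unpatched bash
    # keeps parsing past the closing brace and runs "echo vulnerable".
    # stdout and stderr are captured in two runs to stay POSIX and temp-file free.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    err=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1 >/dev/null)

    case "$out" in
        *vulnerable*)        echo vulnerable; return 1 ;;
        *"this is a test"*)  ;;                        # probe ran normally
        *)                   echo error; return 2 ;;
    esac
    case "$err" in
        *"ignoring function definition attempt"*) echo patched-initial ;;
        *)                                         echo patched ;;
    esac
    return 0
}

# Stand-alone use: report the state of the default bash and exit accordingly.
shellshock_status
```

A fully patched bash prints no warning at all, so "patched" and "patched-initial" both mean the probe's trailing command was not executed; only "vulnerable" calls for action.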
  19. Chris Sweeney

    ClearOS update is finally released to the repos now as well.
     
  20. snarpatroid

    Thanks for the advice on my other thread, Trimline2. I've removed that thread as a duplicate since I didn't see this one.

    wardmundy, I went the whole hog on my Pi and ran
    Code:
    sudo apt-get update && sudo apt-get -y dist-upgrade
    
    The vulnerability test code shows it appears fixed. Is there any benefit in me running the patch as well? I gather from different online sources that some fixes aren't totally complete fixes.

    Boy, didn't this one come out of the blue too! Remember the Heartbleed panic, anyone?