Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

Hello,

Seems like the fix is not complete and there's still security issues with bash

 

I have written a short guide with instructions on how to determine what Bash version you are running and what CentOS version is installed so you can compare the data with the affected versions and patch if needed:

[Removed]

However, as PascM pointed out even patched versions are partially affected from what I've read, so we will have to update Bash again.

I think Mac users are most affected. Apple is spending less on security research than most of the big tech companies (compared to Google or MSFT)

 

There is a useful test you can carry out after the patch is applied mentioned here: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

 

ShellShock Bug

Has anyone got any information on it yet, Apart from the blog posts flying about.

A vulnerability in the linux Bash shell may allow for an attacker to execute code on a server and open the door to other attacks taking place that could lead to the server becoming fully compromised.

Many security experts are calling this bug “bigger than Heartbleed” and it’s important that system administrators patch vulnerable systems as soon as possible.

Affected distributions include:

Red Hat Enterprise Linux (versions 4 through 7)
Fedora
CentOS (versions 5 through 7)
CloudLinux
Debian

 

Re: ShellShock Bug

More info/links at https://www.webhostingtalk.com/showthread.php?t=1414839

 

Will this update be done automatically by cPanel nightly updates?

 

Re: ShellShock Bug

If a vulnerable server does not have a public IP but is connected to a network which can be accessed by the Internet, can the vulnerable server still be reached by a worm? I read reports this bug is wormable and can get behind firewalls and what not. If that's the case then surely nothing is safe until the bash bug is fixed?!

 

It looks like someone is mass scanning for /cgi-sys/defaultwebpage.cgi , i've seen it in my logs too.

Here is my question: /cgi-sys/defaultwebpage.cgi in cpanel is vulnerable or not?

A lot of blogs are reporting it as vulnerable:

but on the same blogs i see a comment from someone supposedly from CPanel saying the file is not vulnerable:

Where is the truth?

 

Securi has posted an update today specifically focusing on cPanel exploitability on unpatched systems. Thought it worth adding to the thread.

Website Security - Bash "Shell Shock" Vulnerability Impacts CPANEL Users | Sucuri Blog

 

I also tested /cgi-sys/defaultwebpage.cgi and did not find it vulnerable.

In addition to updating bash on my systems, I have implemented the modsecurity rules recommended by redhat and find them to be effective.

https://access.redhat.com/articles/1200223

 

I'm running centos 5.10 & bash-3.2-33.el5.1 and performed the env x test and it says I'm not vulnerable. I am 'not' running mod_security, are there any other ways to mitigate CVE-2014-7169 and when do we expect a patch for that one? They say access complexity is high for that CVE so maybe I shouldn't worry since I'm patched for CVE-2014-6271

I'm running mod_suphp, disabled shell access, disabled c compiler access, disabled php functions so hopefully that helps mitigate it as well based on the sucuri article. Thoughts?

 

I read all the articles in this thread. I did the env x='() { :;}; echo vulnerable' bash -c "echo this is a test" test based on the redhat article. My question is since I don't have mod_security, are there any other mitigation strategies I can use for CVE-2014-716 (which is the new CVE) with high access complexity since CVE-2014-6271 was a partial fix?

 

redhat released the fix for CVE-2014-716

https://rhn.redhat.com/errata/RHSA-2014-1306.html

How long does it usually take CentOS to release it?

 

Re: cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169

Hello,

I have one question "cPanelCory "

please clear me if I wrong. In cpanel server run upcp every day via cron job,so this update will not done in upcp.


Thanks