RHEL Bash Code Injection Vulnerability via Specially Crafted Environment Variables

Matt

Owner
Not out of the woods yet!

http://us3.campaign-archive2.com/?u=722bc323a024d15a407baae81&id=af55e39aa1&e=ce439208f7

Bash
Urgent Action Required
We have both been made aware of some malware being spread via this vulnerability, and we have seen another variant ourselves on our own IDS.

Please ensure you are upgraded or have taken other measures to prevent exploitation.

Also be aware that vendors such as Red Hat are working on a potential patch for the incomplete patch, so you may need to upgrade twice.

https://bugzilla.redhat.com/show_bug.cgi?id=1146319#c11

Evidence of active exploitation:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987
 

Matt

Owner
Updated bash packages that address CVE-2014-7169 are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat is working on updates for Shift_JIS, Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support as a critical priority. See also Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) in Red Hat Enterprise Linux.
https://access.redhat.com/articles/1200223

A further update has been released to address the second issue found.
 

André Linoge

Customer
I think it should be said that after updating 'Bash' you need to reboot. It is one of the few updates that require it. This is because 'Bash' and other applications that depend on 'Bash' load into memory. Without rebooting, not everything will unload from memory and you will get some errors.

I have been reading up on a lot of admins who were smart enough to update, but neglected to reboot and could not understand what the problem was.
 

Matt

Owner
Not according to Red Hat:
https://access.redhat.com/solutions/1207723

There was mention early on about rebooting or running ldconfig, but neither of those is needed
 

André Linoge

Customer
I would disagree with Red Hat based upon experience and what is being said on webhostingtalk.com.

A lot of sites I have been visiting have had random errors. When inquiring if they had recently updated 'Bash' (they said, yes), it was suggested they reboot. Upon doing so (rebooting) it corrected itself and no errors repeated.

This was my experience with my site as well (Ubuntu in my case).
 

Matt

Owner
Code:
[root@host nginx]# rpm -q --changelog bash | less
* Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.1.2-15.2
- CVE-2014-7169
  Resolves: #1146322

* Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com> - 4.1.2-15.1
- Check for fishy environment
  Resolves: #1141645
https://access.redhat.com/articles/1200223

The additional fix is listed in the above article, along with the extended check command to run

Code:
env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
A secure (patched) system should return the following:
Code:
# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

Code:
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

The output in the code brackets is from my live server:
Code:
# uptime
17:17:02 up 34 days, 11:04,  1 user,  load average: 0.04, 0.06, 0.07
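
The two test commands above, wrapped into functions so the result can be scripted across a fleet. This is an added example, not code from the thread or from Red Hat's article; it assumes `bash` is on PATH and that mktemp(1) is available. The function names (`check_cve_2014_6271`, `check_cve_2014_7169`, `shellshock_status`) are my own.

```shell
#!/bin/sh
# Added example: the Red Hat test commands turned into functions that print
# "patched" or "vulnerable" and return 0/1, so the check can run unattended.
# Assumes bash is on PATH and mktemp(1) exists.

# CVE-2014-6271: the command appended to an exported function definition must
# not execute. A patched bash warns and ignores it; a vulnerable one echoes
# "vulnerable" before "test". Warnings on stderr are dropped so only stdout
# is inspected.
check_cve_2014_6271() {
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: the parser bug leaves a stray `>\` behind, so "echo date" is
# parsed as `date > echo` and a file named "echo" appears in the working
# directory. Run it in a fresh scratch directory so a vulnerable host does not
# litter /tmp and a leftover file from an earlier run cannot skew the result.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; echo vulnerable; return 1
    fi
    rm -rf "$dir"; echo patched; return 0
}

# Prints both verdicts; exit status is 0 only when both say "patched".
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$a" "$b"
    [ "$a" = patched ] && [ "$b" = patched ]
}

shellshock_status
```

Because the second check keys on a file appearing rather than on printed text, it still works when the "date" output is suppressed or when stderr is noisy, which is what you want when the script runs under a config-management tool.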
 

Matt

Owner
and my debian server
Code:
root@debian:/var/log/nginx# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
root@debian:/var/log/nginx# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
root@debian:/tmp#
Code:
# uptime
16:19:05 up 125 days, 21:00,  1 user,  load average: 0.07, 0.06, 0.05
 

André Linoge

Customer
Same here :)

Code:
# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
/tmp#
:D
 

Matt

Owner
I'm also subscribed to the same thread on WHT, and it's the earlier posts which suggest a reboot is required (as that is what Red Hat originally suggested, but removed the statement as the information progressed); you should only need to reboot a Linux server to bring in a new kernel.
 

André Linoge

Customer
What I do know is without rebooting, I experienced errors on my site and others that I visit. So I can only speak from what I have witnessed so far.

Rebooting is not a big deal. Takes all of 2 minutes (less).
 

Matt

Owner
Can't say I've experienced anything out of the ordinary with any of the sites on the servers I manage for people since upgrading bash.
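
A way to settle the reboot question per host rather than by anecdote. This is an added example, not from the thread or from Red Hat's solution page: when the package manager replaces /bin/bash, processes that were already running keep the old, unlinked binary mapped, and `readlink` on /proc/PID/exe reports that path with a " (deleted)" suffix. The function names are mine; the script assumes a Linux /proc and needs root to read other users' processes.

```shell
#!/bin/sh
# Added example: list processes still executing the pre-update bash binary,
# so you can restart just those sessions or services instead of the host.
# Assumes Linux /proc; run as root to see every process.

# Returns 0 when a readlink(/proc/PID/exe) result points at a replaced bash,
# e.g. "/bin/bash (deleted)" or "/usr/bin/bash (deleted)".
exe_is_stale_bash() {
    case "$1" in
        *"/bash (deleted)") return 0 ;;
        *)                  return 1 ;;
    esac
}

# Prints "PID command line" for every live process whose executable is a
# bash that has since been replaced on disk. Unreadable entries are skipped.
stale_bash_pids() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        if exe_is_stale_bash "$target"; then
            pid=${exe#/proc/}
            pid=${pid%/exe}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# An empty list means nothing on the box is still running the old bash.
stale_bash_pids
```

Anything listed was started before the update; the usual fix is to log those sessions out or restart the listed services, which is cheaper than a reboot and gives you a concrete answer instead of an argument.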
 