Security RHEL Bash Code Injection Vulnerability via Specially Crafted Environment Variables

Matt · Sep 24, 2014

http://www.webhostingtalk.com/showthread.php?t=1414839

https://access.redhat.com/solutions/1207723 shows the latest bash version.

For people who I manage their servers, I've already updated bash for you.

For anyone else, you can update bash by doing the following
CENTOS

Code:

yum update bash -y

DEBIAN

Code:

apt-get update
apt-get upgrade

Samuel · Sep 24, 2014

Cheers Matt!

Jeffin · Sep 24, 2014

Thank you Matt.

André Linoge · Sep 24, 2014

Thank you @Matt. Updated and rebooted without issue

Matt · Sep 25, 2014

Not out of the woods yet!

http://us3.campaign-archive2.com/?u=722bc323a024d15a407baae81&id=af55e39aa1&e=ce439208f7

Bash
Urgent Action Required
We have both been made aware of some malware being spread via this vulnerability and we have seen another variant our self on our own IDS.

Please ensure you are upgraded or have taken other measures to prevent exploitation.

Also be aware that vendors such as redhat are working on a potential patch for the incomplete patch so you may need to upgrade twice.

https://bugzilla.redhat.com/show_bug.cgi?id=1146319#c11

Evidence of active exploitation:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987

Matt · Sep 26, 2014

Updated bash packages that address CVE-2014-7169 are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat is working on updates for Shift_JIS, Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support as a critical priority. See also Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) in Red Hat Enterprise Linux.

https://access.redhat.com/articles/1200223

A further update has been released to address the second issue found

André Linoge · Sep 26, 2014

Matt said:
https://access.redhat.com/articles/1200223

A further update has been released to address the second issue found

Thank you

André Linoge · Sep 27, 2014

I think it should be said, that after updating 'Bash' you need to reboot. It is one of the few updates that require it. This is because 'Bash' and other applications that depend on 'Bash' load into memory. Without rebooting not everything will unload from memory and you will get some errors.

I have been reading up on a lot of admins who were smart enough to update, but neglected to reboot and could not understand what the problem was.

Matt · Sep 27, 2014

André Linoge said:
I think it should be said, that after updating 'Bash' you need to reboot. It is one of the few updates that require it. This is because 'Bash' and other applications that depend on 'Bash' load into memory. Without rebooting not everything will unload from memory and you will get some errors.

I have been reading up on a lot of admins who were smart enough to update, but neglected to reboot and could not understand what the problem was.

Not according to RedHat
https://access.redhat.com/solutions/1207723

There was mention early on about rebooting or running ldconfig, but neither of those is needed

André Linoge · Sep 27, 2014

Matt said:
Not according to RedHat
https://access.redhat.com/solutions/1207723

There was mention early on about rebooting or running ldconfig, but neither of those is needed

I would disagree with Redhat based upon experience and what is being said on webhostingtalk.com

A lot of sites I have been visiting have had random errors. When inquiring if they had recently updated 'Bash' (they said, yes), it was suggested they reboot. Upon doing so (rebooting) it corrected itself and no errors repeated.

This was my experience with my site as well (Ubuntu in my case).

Matt · Sep 27, 2014

Code:

[root@host nginx]# rpm -q --changelog bash | less
* Thu Sep 25 2014 Ondrej Oprala <[email protected]> - 4.1.2-15.2
- CVE-2014-7169
  Resolves: #1146322

* Mon Sep 15 2014 Ondrej Oprala <[email protected] - 4.1.2-15.1
- Check for fishy environment
  Resolves: #1141645

https://access.redhat.com/articles/1200223

The additional fix is listed in the above article, along with the extended check command to run

Code:

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

A secure system should return the following

Code:

# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

Code:

# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

The output in code brackets are from my live server

Code:

# uptime
17:17:02 up 34 days, 11:04,  1 user,  load average: 0.04, 0.06, 0.07

Matt · Sep 27, 2014

and my debian server

Code:

root@debian:/var/log/nginx# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
root@debian:/var/log/nginx# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
root@debian:/tmp#

Code:

# uptime
16:19:05 up 125 days, 21:00,  1 user,  load average: 0.07, 0.06, 0.05

André Linoge · Sep 27, 2014

Matt said:

and my debian server

Code:

root@debian:/var/log/nginx# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
root@debian:/var/log/nginx# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
root@debian:/tmp#

Code:

# uptime
16:19:05 up 125 days, 21:00,  1 user,  load average: 0.07, 0.06, 0.05

Same here

PHP:

# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
/tmp#

Matt · Sep 27, 2014

I'm also subscribed to the same thread on WHT, and it's the earlier posts which suggest a reboot is required (as thats is what RHEL originally suggestion, but removed the statement as the information progressed), you should only need to reboot a linux server to bring a in new kernel.

André Linoge · Sep 27, 2014

Matt said:
I'm also subscribed to the same thread on WHT, and it's the earlier posts which suggest a reboot is required (as thats is what RHEL originally suggestion, but removed the statement as the information progressed), you should only need to reboot a linux server to bring a in new kernel.

What I do know is without rebooting, I experienced errors on my site and others that I visit. So I can only speak from what I have witnessed so far.

Rebooting is not a big deal. Takes all of 2 minutes (less).

Matt · Sep 27, 2014

Can't say I've experienced anything out of the ordinary with any of the sites on the servers I manage for people since upgrading bash.

Matt · Sep 27, 2014

You've got my interest now. What sort of errors were you seeing?

Security RHEL Bash Code Injection Vulnerability via Specially Crafted Environment Variables

Matt

Samuel

Jeffin

André Linoge

Matt

Matt

André Linoge

André Linoge

Matt

André Linoge

Matt

Matt

André Linoge

Matt

André Linoge

Matt

Matt

Similar threads

Shared Hosting

VPS Hosting

Server Management