Bash Code Injection Vulnerability CVE-2014-6271 : workarounds other than patching

Posted on 2014-09-25
Last Modified: 2014-10-04
Referring to:
"The Bash Code Injection Vulnerability CVE-2014-6271 could allow for arbitrary code execution, allowing an attacker to bypass imposed environment restrictions"

The bugzilla link above indicates quite a number of issues do not affect RHEL 5.x & 6.x
other than a few listed on the top of the page.  Are all the issues related to CVE-2014-6271
or only the first one listed on the very top?

If we don't use Bash, does this mean we are not vulnerable?  I thought this would be
a quick workaround.

Do the patches in the above link change the version/sub-version of RHEL?
I'm concerned the patches may break applications, but judging from what the
patches do (extracted below from the above link), it looks like only a handful of
products are affected, so can I safely assume that as long as these packages
are not used in my environment, I'm quite safe?

Package / Description (as extracted from the above link):

httpd: CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
Secure Shell (SSH): It is not uncommon to restrict remote commands that a user can run via SSH, such as rsync or git. In these instances, this issue can be used to execute any command, not just the restricted command.
dhclient: The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
CUPS: It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed.
sudo: Commands run via sudo are not affected by this issue. Sudo specifically looks for environment variables that are also functions. It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.
Firefox: We do not believe Firefox can be forced to set an environment variable in a manner that would allow Bash to run arbitrary commands. It is still advisable to upgrade Bash as it is common to install various plug-ins and extensions that could allow this behavior.
Postfix: The Postfix server will replace various characters with a ?. While the Postfix server does call Bash in a variety of ways, we do not believe an arbitrary environment variable can be set by the server. It is however possible that a filter could set environment variables.
Question by:sunhux
LVL 34

Accepted Solution

Seth Simmons earned 84 total points
ID: 40344320
Are all the issues related to CVE-2014-6271 or only the first one listed on the very top?

Not sure if I understand the question.
If you are referring to all the comments posted, as stated at the bottom (comments from today), this is bash-only and doesn't apply to other shells.

If we don't use Bash, does this mean we are not vulnerable?

It lowers the chance of being exploited but does not eliminate it;
some applications or installer scripts could still use it.

Do the patches in the above link change the version/sub-version of RHEL?

No, only the version of bash.
Going forward, newer minor and major revisions of RHEL will include this patch, but the patch itself does not constitute a new RHEL version.  Usually with a newer RHEL version there are updates to the kernel, numerous packages and often feature enhancements.  This is just a patch.
LVL 28

Expert Comment

by:Jan Springer
ID: 40344325
CentOS is essentially RHEL.  Try a "yum check-update" and see if your distribution has an update available.

CentOS and Ubuntu did this morning.
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 167 total points
ID: 40344331
And you also have the option of downloading bash from source, applying the patches and installing it.

You can test it by renaming the newly compiled "bash" binary to something like "bash-alt" and testing it with a non-privileged account.

Author Comment

ID: 40344385
I can't do yum as our VMs are not connected to the Internet.

Perhaps one way to find out is to rename the bash binary in our
RHEL & SuSE & see if anything breaks: we can always reverse
back quickly by renaming it back.  Does this make sense?

Is ESXi (for vSphere V5.0) affected?  I read in one site that VMware is still
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 167 total points
ID: 40344410
Your other option is to change the shell used by CGIs to "sh" (accounting for any syntax changes needed).

But yes, you are correct.
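The mechanism in the Red Hat table quoted in the question (an attacker-controlled environment variable handed to Bash by httpd, sshd, dhclient or CUPS) and the "switch CGIs to sh" workaround above, as an added shell example that is not part of the original thread. It gives a local check for CVE-2014-6271, replays a hostile User-Agent through a constructed CGI script the way httpd would, and inventories which scripts in a directory would start bash, counting "#!/bin/sh" scripts when /bin/sh resolves to bash (as it does on RHEL and CentOS). The function names, the marker strings and the sample scripts are this example's own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). Exercises the environment
# variable -> Bash path described in the quoted Red Hat table and checks the
# "use sh instead of bash" workaround. All sample scripts are constructed here.

# Report whether a bash binary (default: first bash on PATH) still imports a
# function from an environment variable and runs the command appended to it.
# Prints one of: vulnerable / patched / absent.
shellshock_check() {
    bin="${1:-$(command -v bash 2>/dev/null || true)}"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo absent
        return 0
    fi
    # The value is a function body followed by a trailing command. Unpatched
    # bash executes the trailing command while importing the function; patched
    # bash treats the variable as plain data (and may warn on stderr).
    out=$(env 'x=() { :;}; echo CVE-2014-6271-marker' "$bin" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *CVE-2014-6271-marker*) echo vulnerable ;;
        *)                      echo patched ;;
    esac
}

# Write a constructed CGI script (bash shebang) into a temp dir; print its path.
make_sample_cgi() {
    dir=$(mktemp -d)
    bashpath=$(command -v bash 2>/dev/null || echo /bin/bash)
    {
        printf '#!%s\n' "$bashpath"
        printf 'echo "Content-Type: text/plain"\necho\necho "hello from cgi"\n'
    } > "$dir/hello.cgi"
    chmod +x "$dir/hello.cgi"
    echo "$dir/hello.cgi"
}

# Mimic httpd: copy request headers into the environment (User-Agent becomes
# HTTP_USER_AGENT) and execute the CGI script. $1 = script, $2 = header value.
simulate_cgi_request() {
    env "HTTP_USER_AGENT=$2" "REQUEST_METHOD=GET" "$1" 2>/dev/null || true
}

# Constructed directory with three scripts to inventory; prints its path.
make_sample_scripts() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\necho a\n' > "$dir/a.sh"
    printf '#!/usr/bin/perl\nprint "b\\n";\n' > "$dir/b.pl"
    printf '#!/bin/sh\necho c\n' > "$dir/c.sh"
    echo "$dir"
}

# List scripts under $1 whose interpreter line starts bash. A "#!/bin/sh"
# script counts too when /bin/sh resolves to bash (RHEL/CentOS), which is why
# switching a CGI's shebang to sh is not a workaround by itself on those hosts.
bash_scripts_in() {
    sh_target=$(readlink -f /bin/sh 2>/dev/null || true)
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f")
        case "$first" in
            '#!'*bash*)   echo "$f" ;;
            '#!/bin/sh'*) case "$sh_target" in *bash*) echo "$f" ;; esac ;;
        esac
    done
}

# Demo on the constructed inputs.
printf 'local bash: %s\n' "$(shellshock_check)"
printf 'CGI with hostile User-Agent:\n%s\n' \
    "$(simulate_cgi_request "$(make_sample_cgi)" '() { :;}; echo injected')"
printf 'scripts that would start bash:\n%s\n' "$(bash_scripts_in "$(make_sample_scripts)")"
```

Run it as a non-privileged user, as suggested earlier in the thread; `shellshock_check` reports `vulnerable` only if the trailing command actually executes, and the same function can be pointed at a freshly built `bash-alt` before it replaces the system binary. The inventory is the reason renaming the bash binary or changing shebangs needs care on RHEL: /bin/sh is a symlink to bash there, so "#!/bin/sh" scripts still start bash and a CGI rewritten for sh still runs under the vulnerable interpreter until the package is patched.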

LVL 61

Assisted Solution

gheist earned 166 total points
ID: 40344452
A1: The vulnerability is "remote" when you have a bash script (one starting with #!/bin/bash) in CGI directories.
A2: See the first question - you can still keep BASH as your shell.
A3: No, the Red Hat version is in the package redhat-release; you can downgrade that to whichever version you want to see. It is a one-file package.

If you have ELS/EUS support from Red Hat then make sure you re-subscribe your systems to the hefty ELS/EUS channels via RHN register. For poor people and chary organisations it is either yum upgrade --security, or a quick conversion to CentOS or Oracle Linux strains.
LVL 28

Expert Comment

by:Jan Springer
ID: 40344507
I wouldn't refer to the non-RHEL customers as "poor" or "charitable".

I've been down the licensed support path with many operating systems to include RHEL.

It was definitely not worth the money.
LVL 61

Expert Comment

ID: 40344634
I just try to imagine the long leap the RH customer took to report this bug...
I was talking more about customers who live with the standard package as opposed to the 4x more expensive EUS (like one claiming to run RHEL 4.3 forever).

Assisted Solution

patron earned 83 total points
ID: 40345952
It will impact ESX and vMA only; it is not applicable to ESXi.