Bash Code Injection Vulnerability CVE-2014-6271 : workarounds other than patching

Posted on 2014-09-25
Last Modified: 2014-10-04
Referring to :
"The Bash Code Injection Vulnerability CVE-2014-6271 could allow for arbitrary code execution, allowing an attacker to bypass imposed environment restrictions"

The bugzilla link above indicates quite a number of issues do not affect RHEL 5.x & 6.x
other than a few listed on the top of the page.  Are all the issues related to CVE-2014-6271
or only the first one listed on the very top?

If we don't use Bash, does this mean we are not vulnerable?  Thought this would be
a quick workaround.

Do the patches in the above link change the version/sub-version of the RHEL?
I'm concerned the patches may break applications but judging from what the
patches do (extracted below from the above link), looks like only a handful of
products are affected, so can I safely assume that as long as these packages
are not used in my environment, I'm quite safe?

Package      Description
httpd      CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
Secure Shell (SSH)      It is not uncommon to restrict remote commands that a user can run via SSH, such as rsync or git. In these instances, this issue can be used to execute any command, not just the restricted command.
dhclient      The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
CUPS      It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed.
sudo      Commands run via sudo are not affected by this issue. Sudo specifically looks for environment variables that are also functions. It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.
Firefox      We do not believe Firefox can be forced to set an environment variable in a manner that would allow Bash to run arbitrary commands. It is still advisable to upgrade Bash as it is common to install various plug-ins and extensions that could allow this behavior.
Postfix      The Postfix server will replace various characters with a ?. While the Postfix server does call Bash in a variety of ways, we do not believe an arbitrary environment variable can be set by the server. It is however possible that a filter could set environment variables.
Question by:sunhux
LVL 34

Accepted Solution

Seth Simmons earned 84 total points
ID: 40344320
Are all the issues related to CVE-2014-6271 or only the first one listed on the very top?

not sure if i understand the question
if you are referring to all the comments posted, as stated at the bottom (comments from today) this is bash-only and doesn't apply to other shells

If we don't use Bash, does this mean we are not vulnerable?

it lowers the chance of being exploited but does not eliminate it
some applications or installer scripts could still use it

Do the patches in the above link change the version/sub-version of the RHEL?

no, only the version of bash
going forward, newer minor and major revisions of RHEL will include this patch but the patch itself does not constitute a new RHEL version.  usually with a newer RHEL version there are updates to the kernel, numerous packages and often feature enhancements.  this is just a patch
LVL 28

Expert Comment

by:Jan Springer
ID: 40344325
CentOS is essentially RHEL.  Try a "yum check-update" and see if your distribution has an update available.

CentOS and Ubuntu did this morning.
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 167 total points
ID: 40344331
And you also have the option of downloading bash from source, applying the patches and installing it.

You can test it by renaming the newly compiled "bash" binary to something like "bash-alt" and testing it with a non-priv account.

Author Comment

ID: 40344385
I can't do yum as our VMs are not connected to Internet.

Perhaps one way to find out is to rename the bash binary in our
RHEL & SuSE & see if anything breaks: we can always reverse
back quickly by renaming it back.  Does this make sense?

Is ESXi (for vSphere V5.0) affected?  I read in one site that VMware is still
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 167 total points
ID: 40344410
Your other option is to change the shell used by CGIs to "sh" (accounting for any syntax changes needed).

But yes, you are correct.
LVL 61

Assisted Solution

gheist earned 166 total points
ID: 40344452
A1: vulnerability is "remote" when you have a bash script (one starting with #!/bin/bash) in cgi directories
A2: see the first question - you can still keep BASH as your shell.
A3: no, redhat version is in package redhat-release, you can downgrade that to whichever version you want to see. It is a one-file package.

If you have ELS/EUS support from redhat then make sure you re-subscribe your systems to hefty ELS/EUS channels via RHN register. For poor people and chary organisations it is either yum upgrade --security, or quick conversion to CentOS or oracle linux stains.
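
The replies above point at CGI scripts that start with #!/bin/bash and at switching those scripts to "sh". As an added example (not part of the thread, and not Red Hat's code), the following POSIX shell functions list every script under a directory whose interpreter line ends up running bash, including the "env bash" form and an interpreter path such as /bin/sh that is only a symlink to bash. The function names and the BASH output tag are made up for this example, and GNU readlink is assumed.

```shell
#!/bin/sh
# Added example: find scripts whose "#!" interpreter is (or resolves to) bash.
# Assumes GNU readlink (-f); function names are hypothetical.

# Print the interpreter named on a file's "#!" line; fail if there is none.
shebang_interp() {
    line=
    IFS= read -r line 2>/dev/null < "$1" || [ -n "$line" ] || return 1
    case $line in
        '#!'*) line=${line#'#!'} ;;
        *) return 1 ;;
    esac
    set -f; set -- $line; set +f          # split into words without globbing
    [ $# -gt 0 ] || return 1
    if [ "${1##*/}" = env ]; then         # "#!/usr/bin/env bash" form
        shift
        while [ $# -gt 0 ]; do            # skip env options and VAR=value
            case $1 in -*|*=*) shift ;; *) break ;; esac
        done
        [ $# -gt 0 ] || return 1
    fi
    printf '%s\n' "$1"
}

# Succeed if the interpreter is bash, directly or through symlinks.
runs_bash() {
    interp=$1
    [ "${interp##*/}" = bash ] && return 0
    case $interp in
        */*) ;;
        *) interp=$(command -v "$interp" 2>/dev/null) || return 1 ;;
    esac
    target=$(readlink -f "$interp" 2>/dev/null) || return 1
    [ "${target##*/}" = bash ]
}

# Print one "BASH <interpreter> <file>" line per matching script.
audit_cgi_dir() {
    find "$1" -type f | while IFS= read -r f; do
        interp=$(shebang_interp "$f") || continue
        if runs_bash "$interp"; then
            printf 'BASH\t%s\t%s\n' "$interp" "$f"
        fi
    done
}

# Usage: sh audit.sh <cgi-directory>
if [ "$#" -gt 0 ]; then audit_cgi_dir "$1"; fi
```

An empty result only covers interpreter lines; programs that start bash indirectly are not detected by this scan.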
LVL 28

Expert Comment

by:Jan Springer
ID: 40344507
I wouldn't refer to the non-RHEL customers as "poor" or "charitable".

I've been down the licensed support path with many operating systems to include RHEL.

It was definitely not worth the money.
LVL 61

Expert Comment

ID: 40344634
I just try to imagine the long leap RH customer took to report this bug...
I was more about customers who live with standard package as opposed to 4x more expensive EUS (like ones claiming running RHEL 4.3 forever)

Assisted Solution

patron earned 83 total points
ID: 40345952
It will impact ESX and vMA only, not applicable for ESXi.
LVL 61

Assisted Solution

gheist earned 166 total points
ID: 40345963
