Solved

Shellshock bug

Posted on 2014-09-26
5
462 Views
Last Modified: 2014-10-17
Hi Guys,

I have a couple of Linux Debian 6.0.2 and I'm trying to update bash.  When I run:

====
apt-get install --only-upgrade bash
====

It comes back saying:

=====
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
=====

However when I execute the command to test this Shellshock bug:

=====
env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
=====

It still comes back with:

=====
vulnerable
this is a test
=====

My question is:

1. Is there a patch for bash for Debian 6 at the moment?
2. If not, are there any other precautions I can take to mitigate such an attack?

I've already change the SSH port from the default 22 and have only allowed accesss
to certain IP address.

Please don't tell me I need to upgrade from Debian 6 to 7 for this to work unless this is the only fix.

Many Thanks
0
Comment
Question by:markbenham
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 

Author Comment

by:markbenham
ID: 40345790
Hi Guys,

I may have sorted this problem out on Debian 6 (squeeze).
Here is what I did:

Add these 2 lines into /etc/apt/sources.list

deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Next I ran:

apt-get update

Follwed by:

apt-get install --only-upgrade bash

Once completed, I executed the command to test the Shellshock bug:

=====
env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
=====

And this this time it came back with:

=====
this is a test
=====

I'm assuming that because it had NOT returned:

=====
vulnerable
this is a test
=====

and Just:

====
this is a test
====

Then this is fine...?

Many thanks.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40346167
That looks good, but keep an eye out.  Apparently the initial patch logic is 'incomplete': Internet Storm Center diary update on ShellShock  The article includes a second test... which reports failure, but still writes a file.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 40347153
best to verify as there are couple of exploit revolving ShellShock
Exploit 1 (CVE-2014-6271) - this is test you run as shared (early patch was incomplete)
e.g. env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169) - here is another
e.g. env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
If the above command outputs the current date (it may also show errors), you are still vulnerable.

there is another exploit (e.g. env -i X=' () { }; echo hello' bash -c 'date') mention in https://shellshocker.net/#fix
This third seems to be still active w/o patch.
There is bash patch history stated in a/m link

in case this come handy
http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/
How to fix shellshock on old and new Debian versions

For Debian the solution is identical, but you’ll have to update your sources to codename wheezy, which is the latest Debian release code name, instead of trusty. So your search and replace line would become something like this:

sudo sed -i 's/YOUR_OS_CODENAME_HERE/wheezy/g' /etc/apt/sources.list
0
 
LVL 64

Expert Comment

by:btan
ID: 40360738
there has been more related CVE to the Shellshock so check out the latest patch again
- you can check out latest patch based on CVE in https://security-tracker.debian.org/tracker
e.g. https://security-tracker.debian.org/tracker/CVE-2014-7169
- check out the CVE under wiki too http://en.wikipedia.org/wiki/Shellshock_(software_bug)
and the archive of bash patch in http://ftp.gnu.org/gnu/bash/ for info
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40375366
to share in forum, this has more info and test script to check out the latest CVEs too and steps for the patching including the debian lts @ https://dmsimard.com/2014/09/25/the-bash-cve-2014-6271-shellshock-vulnerability/
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question