Shellshock bug

Hi Guys,

I have a couple of Linux Debian 6.0.2 and I'm trying to update bash.  When I run:

====
apt-get install --only-upgrade bash
====

It comes back saying:

=====
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
=====

However when I execute the command to test this Shellshock bug:

=====
env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
=====

It still comes back with:

=====
vulnerable
this is a test
=====

My question is:

1. Is there a patch for bash for Debian 6 at the moment?
2. If not, are there any other precautions I can take to mitigate such an attack?

I've already change the SSH port from the default 22 and have only allowed accesss
to certain IP address.

Please don't tell me I need to upgrade from Debian 6 to 7 for this to work unless this is the only fix.

Many Thanks
markbenhamAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

markbenhamAuthor Commented:
Hi Guys,

I may have sorted this problem out on Debian 6 (squeeze).
Here is what I did:

Add these 2 lines into /etc/apt/sources.list

deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Next I ran:

apt-get update

Follwed by:

apt-get install --only-upgrade bash

Once completed, I executed the command to test the Shellshock bug:

=====
env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
=====

And this this time it came back with:

=====
this is a test
=====

I'm assuming that because it had NOT returned:

=====
vulnerable
this is a test
=====

and Just:

====
this is a test
====

Then this is fine...?

Many thanks.
0
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
That looks good, but keep an eye out.  Apparently the initial patch logic is 'incomplete': Internet Storm Center diary update on ShellShock  The article includes a second test... which reports failure, but still writes a file.
0
btanExec ConsultantCommented:
best to verify as there are couple of exploit revolving ShellShock
Exploit 1 (CVE-2014-6271) - this is test you run as shared (early patch was incomplete)
e.g. env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169) - here is another
e.g. env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
If the above command outputs the current date (it may also show errors), you are still vulnerable.

there is another exploit (e.g. env -i X=' () { }; echo hello' bash -c 'date') mention in https://shellshocker.net/#fix
This third seems to be still active w/o patch.
There is bash patch history stated in a/m link

in case this come handy
http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/
How to fix shellshock on old and new Debian versions

For Debian the solution is identical, but you’ll have to update your sources to codename wheezy, which is the latest Debian release code name, instead of trusty. So your search and replace line would become something like this:

sudo sed -i 's/YOUR_OS_CODENAME_HERE/wheezy/g' /etc/apt/sources.list
0
btanExec ConsultantCommented:
there has been more related CVE to the Shellshock so check out the latest patch again
- you can check out latest patch based on CVE in https://security-tracker.debian.org/tracker
e.g. https://security-tracker.debian.org/tracker/CVE-2014-7169
- check out the CVE under wiki too http://en.wikipedia.org/wiki/Shellshock_(software_bug)
and the archive of bash patch in http://ftp.gnu.org/gnu/bash/ for info
0
btanExec ConsultantCommented:
to share in forum, this has more info and test script to check out the latest CVEs too and steps for the patching including the debian lts @ https://dmsimard.com/2014/09/25/the-bash-cve-2014-6271-shellshock-vulnerability/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.