Shellshock bug

Hi Guys,

I have a couple of Linux Debian 6.0.2 and I'm trying to update bash.  When I run:

====
apt-get install --only-upgrade bash
====

It comes back saying:

=====
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
=====

However when I execute the command to test this Shellshock bug:

=====
env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
=====

It still comes back with:

=====
vulnerable
this is a test
=====

My question is:

1. Is there a patch for bash for Debian 6 at the moment?
2. If not, are there any other precautions I can take to mitigate such an attack?

I've already change the SSH port from the default 22 and have only allowed accesss
to certain IP address.

Please don't tell me I need to upgrade from Debian 6 to 7 for this to work unless this is the only fix.

Many Thanks
markbenhamAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
btanConnect With a Mentor Exec ConsultantCommented:
to share in forum, this has more info and test script to check out the latest CVEs too and steps for the patching including the debian lts @ https://dmsimard.com/2014/09/25/the-bash-cve-2014-6271-shellshock-vulnerability/
0
 
markbenhamAuthor Commented:
Hi Guys,

I may have sorted this problem out on Debian 6 (squeeze).
Here is what I did:

Add these 2 lines into /etc/apt/sources.list

deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Next I ran:

apt-get update

Follwed by:

apt-get install --only-upgrade bash

Once completed, I executed the command to test the Shellshock bug:

=====
env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
=====

And this this time it came back with:

=====
this is a test
=====

I'm assuming that because it had NOT returned:

=====
vulnerable
this is a test
=====

and Just:

====
this is a test
====

Then this is fine...?

Many thanks.
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
That looks good, but keep an eye out.  Apparently the initial patch logic is 'incomplete': Internet Storm Center diary update on ShellShock  The article includes a second test... which reports failure, but still writes a file.
0
 
btanConnect With a Mentor Exec ConsultantCommented:
best to verify as there are couple of exploit revolving ShellShock
Exploit 1 (CVE-2014-6271) - this is test you run as shared (early patch was incomplete)
e.g. env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169) - here is another
e.g. env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
If the above command outputs the current date (it may also show errors), you are still vulnerable.

there is another exploit (e.g. env -i X=' () { }; echo hello' bash -c 'date') mention in https://shellshocker.net/#fix
This third seems to be still active w/o patch.
There is bash patch history stated in a/m link

in case this come handy
http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/
How to fix shellshock on old and new Debian versions

For Debian the solution is identical, but you’ll have to update your sources to codename wheezy, which is the latest Debian release code name, instead of trusty. So your search and replace line would become something like this:

sudo sed -i 's/YOUR_OS_CODENAME_HERE/wheezy/g' /etc/apt/sources.list
0
 
btanExec ConsultantCommented:
there has been more related CVE to the Shellshock so check out the latest patch again
- you can check out latest patch based on CVE in https://security-tracker.debian.org/tracker
e.g. https://security-tracker.debian.org/tracker/CVE-2014-7169
- check out the CVE under wiki too http://en.wikipedia.org/wiki/Shellshock_(software_bug)
and the archive of bash patch in http://ftp.gnu.org/gnu/bash/ for info
0
All Courses

From novice to tech pro — start learning today.