
Security Bash Code Injection Vulnerability CVE-2014-6271 (update bash)

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Sep 25, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    Very important update for all for Bash Code Injection Vulnerability CVE-2014-6271. More info at Red Hat Customer Portal and Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) - Red Hat Customer Portal.

    Update 3: September 29th, 2014: We're not out of the woods completely, more vulnerabilities in bash! :eek: New ones for CVE-2014-6277 (RedHat/CentOS not vulnerable) and CVE-2014-6278 (not yet patched for Redhat/CentOS) - (info at Further flaws render Shellshock patch ineffective - Security - News - iTnews.com.au and at lcamtuf's blog: Bash bug: apply Florian's patch now (CVE-2014-6277 and CVE-2014-6278))

    Update 2: Bash shellshock FAQ by Redhat explaining CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187

    Update: if you're using Linode Xen VPS and still can't see the bash update for the CVE-2014-7169, read how to change the baseurl from Linode's here.

    CentOS 6
    Code:
    yum list updates -q
    Updated Packages
    bash.x86_64                                                               4.1.2-15.el6_5.1                                                                updates
    CentOS 7
    Code:
     yum list updates -q
    Updated Packages
    bash.x86_64                      4.2.45-5.el7_0.2                        updates
    2nd bash update is available for CVE-2014-7169

    CentOS 6
    Code:
    yum list bash -q
    Installed Packages
    bash.x86_64             4.1.2-15.el6_5.1             @updates
    Available Packages
    bash.x86_64             4.1.2-15.el6_5.2             updates
    CentOS 7
    Code:
     yum list bash -q
    Installed Packages
    bash.x86_64            4.2.45-5.el7                 @anaconda
    Available Packages
    bash.x86_64            4.2.45-5.el7_0.4             updates 
    CentOS 6
    Code:
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.1.2-15.2
    - CVE-2014-7169
      Resolves: #1146322
    
    * Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.1.2-15.1
    - Check for fishy environment
      Resolves: #1141645
    CentOS 7
    Code:
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.2.45-5.4
    - CVE-2014-7169
      Resolves: #1146324
    
    * Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.2.45-5.3
    - amend patch to match upstream's
      Related: #1146324
    
    * Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.2.45-5.2
    - Fix-up the patch
    For those using Oracle Linux 6.5
    Code:
    yum list bash -q
    Installed Packages
    bash.x86_64                                           4.1.2-15.el6_5.1.0.1                                            @ol6_latest
    Code:
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 John Haxby <john.haxby@oracle.com> - 4.1.2-15.1.0.1
    - Preliminary fix for CVE-2014-7169
    
    * Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.1.2-15.1
    - Check for fishy environment [CVE-2014-6271]
      Resolves: #1141645

    Update bash for CentOS, Redhat & Oracle Linux


    1. In order to update to the most recent version of the Bash package run the following command:
      Code:
      yum clean all; yum update bash
    2. Perform a system reboot [might not need a reboot] OR
    3. If the system cannot be rebooted, run the command
      Code:
      /sbin/ldconfig
    Just updated 25+ servers :D

    Bash YUM Updates



    Looks like there may be bash updates coming depending on the YUM mirror you use

    actual announcements for 2nd bash update

    Code:
    Latest version for CentOS 5 bash-3.2-33.el5_10.4
    Latest version for CentOS 6 bash-4.1.2-15.el6_5.2
    Latest version for CentOS 7 bash-4.2.45-5.el7_0.4

    Shellshock Malware



    For the original bash vulnerability CVE-2014-6271 (shellshock), some folks might have been compromised or infected with shellshock malware. So it's a good idea to have a malware scanner. Centmin Mod has an addon for Linux Malware Detect (maldet) + ClamAV scanner (instructions for both manual install and included maldet.sh auto installer for Centmin Mod LEMP web stack users). Unfortunately, not sure if latest maldet definitions detect shellshock malware right now, but it's better than not having a malware / virus scanner in place. However, maldet has several sources of malware data to generate its LMD signatures :)


    Code:
    AVG    Linux/BackDoor_c.BV    20140926
    Ad-Aware    Linux.Backdoor.F    20140926
    AhnLab-V3    Linux/CVE-2014-6271    20140926
    Avast    Other:Malware-gen [Trj]    20140926
    Avira    LINUX/Flooder.538444    20140926
    BitDefender    Linux.Backdoor.F    20140926
    ClamAV    Linux.Flooder.Agent    20140926
    Cyren    Unix/Flooder.AN    20140926
    DrWeb    Linux.BackDoor.Shellshock.1    20140926
    ESET-NOD32    Linux/DDoS.M    20140926
    Emsisoft    Linux.Backdoor.F (B)    20140926
    F-Prot    Unix/Flooder.AN    20140926
    F-Secure    Backdoor:Linux/ShellShock.A    20140926
    Fortinet    ELF/Gafgyt.A!tr    20140926
    GData    Linux.Backdoor.F    20140926
    Ikarus    Backdoor.Linux.ShellShock    20140926
    K7AntiVirus    Trojan ( 0001140e1 )    20140926
    K7GW    Trojan ( 0001140e1 )    20140926
    Kaspersky    Backdoor.Linux.Gafgyt.a    20140926
    McAfee    Linux/Dingle    20140926
    MicroWorld-eScan    Linux.Backdoor.F    20140926
    Norman    CVE_2014_6271.A    20140926
    Qihoo-360    Trojan.Generic    20140926
    Sophos    Troj/20146271-A    20140926
    Symantec    Backdoor.Trojan    20140926
    Tencent    Linux.Backdoor.Gafgyt.Suxo    20140926
    TrendMicro    ELF_BASHLITE.A    20140926
    TrendMicro-HouseCall    ELF_BASHLITE.A    20140926
    ViRobot    Backdoor.Linux.S.BashEK.538444    20140926
    nProtect    Linux.Backdoor.F    20140926
     
    Last edited: Sep 30, 2014
  2. rdan

    rdan Well-Known Member

    I just run this after update :)
     
  3. eva2000

    yup :)
     
  4. eva2000

    Looks like another vulnerability in bash has been found Bash bug - in access.redhat.com | CVE-2014-7169

     
    Last edited: Sep 26, 2014
  5. Josephm

    Josephm Active Member

  6. eva2000

    I believe that is for the first CVE-2014-6271?

    for CVE-2014-6271 from Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) - Red Hat Customer Portal
    But this is incomplete as there's another vulnerability as outlined further in https://access.redhat.com/articles/1200223
     
    Last edited: Sep 25, 2014
  7. Afterward

    Afterward Member

    Updated mine as well, thanks for the information.
     
  8. eva2000

  9. Afterward

    Yes, I noticed, but they said it's at least less dangerous than the previous one, right?
     
  10. eva2000

    wait and see I guess... :nailbiting::)
     
  11. eva2000

    As most folks need sleep, the update packages might come at any time, so you can set up and install yum-cron so you get nightly yum updates along with email notifications.

    Code:
    yum -y install yum-cron
    chkconfig yum-cron on
    Edit /etc/sysconfig/yum-cron to set MAILTO= to the email address for email notifications. If you use pushover.net for notifications to your mobile or tablet device, you can set
    Code:
    MAILTO=yourUSERkey@api.pushover.net
    then start the yum-cron service
    Code:
    service yum-cron start
     
  12. eva2000

    Looks like I am starting to get notifications from some web hosting and cloud providers about the bash vulnerability and the reminder for the need to update bash.

    From Rightscale.com
    From GoGrid.com
    From Sucuri
    From WHM/Cpanel cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169 - cPanel Forums
    from Amazon AWS ALAS-2014-418
    from Amazon forum discussion https://forums.aws.amazon.com/thread.jspa?messageID=572002
     
    Last edited: Sep 26, 2014
  13. eva2000

    So we know Amazon EC2 AMI images are auto updated at initial launch time for latest updates. But wonder about other cloud or VPS providers who provide OS image templates for Debian, Ubuntu, CentOS etc? I know Vultr auto runs yum update on initialising their Vultr VPS instances as they actually run the OS's install routine to provision their OS (at least for CentOS) as opposed to some providers of OpenVZ, Xen and KVM which provide premade OS templates which may contain outdated bash versions? Linode? DigitalOcean? Rackspace?

    So might be good idea for Centmin Mod installs to endure a longer install time, by making sure yum update is run first ? Update: already added to .07 stable and .08 beta :)

    Looks like Vultr has unattended security updates for Debian and Ubuntu Vultr VPSes a new worm? - VULTR
     
    Last edited: Sep 26, 2014
  14. eva2000

    Looks like there may be bash updates coming depending on the YUM mirror you use

    actual announcements for 2nd bash update

    Code:
    Latest version for CentOS 5 bash-3.2-33.el5_10.4
    Latest version for CentOS 6 bash-4.1.2-15.el6_5.2
    Latest version for CentOS 7 bash-4.2.45-5.el7_0.4
    edit: yup 2nd bash update is available

    CentOS 6
    Code:
    yum list bash -q
    Installed Packages
    bash.x86_64             4.1.2-15.el6_5.1             @updates
    Available Packages
    bash.x86_64             4.1.2-15.el6_5.2             updates
    CentOS 7
    Code:
     yum list bash -q
    Installed Packages
    bash.x86_64            4.2.45-5.el7                 @anaconda
    Available Packages
    bash.x86_64            4.2.45-5.el7_0.4             updates 

    Update bash for CentOS/Redhat


    1. In order to update to the most recent version of the Bash package run the following command:
      Code:
      yum clean all; yum update bash
    2. Perform a system reboot [might not need a reboot] OR
    3. If the system cannot be rebooted, run the command
      Code:
      /sbin/ldconfig
     
    Last edited: Sep 26, 2014
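
    An added example, not part of the original posts: a small shell audit that does the two checks this thread does by eye, comparing a bash version-release string against the fixed CentOS builds listed above and looking for CVE-2014-7169 in the RPM changelog. The function names, the `--local` switch and the use of GNU `sort -V` in place of RPM's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a bash build against the
# fixed CentOS builds quoted above for the 2nd update (CVE-2014-7169).

# Fixed version-release per EL major, copied from the thread.
fixed_build() {
  case "$1" in
    5) echo "3.2-33.el5_10.4" ;;
    6) echo "4.1.2-15.el6_5.2" ;;
    7) echo "4.2.45-5.el7_0.4" ;;
    *) return 1 ;;
  esac
}

# bash_build_status EL_MAJOR VERSION-RELEASE -> patched | outdated | unknown
# GNU `sort -V` stands in for RPM's own version comparison (assumption:
# close enough for these release strings). Vendor rebuilds such as Oracle's
# use different release strings, so confirm those with the changelog check.
bash_build_status() (
  fixed="$(fixed_build "$1")" || { echo "unknown"; exit 2; }
  lowest="$(printf '%s\n%s\n' "$2" "$fixed" | sort -V | head -n 1)"
  if [ "$lowest" = "$fixed" ]; then echo "patched"; else echo "outdated"; fi
)

# changelog_mentions CVE-ID: succeed if the changelog on stdin names the CVE.
changelog_mentions() {
  grep -q -- "$1"
}

# audit_local_bash: run both checks against the locally installed package.
audit_local_bash() (
  major="$(rpm -E '%{rhel}')"
  vr="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' bash | head -n 1)"
  echo "bash-$vr: $(bash_build_status "$major" "$vr")"
  if rpm -q --changelog bash | changelog_mentions "CVE-2014-7169"; then
    echo "changelog lists CVE-2014-7169"
  else
    echo "changelog does not list CVE-2014-7169"
  fi
)

# Only touch rpm when asked to, e.g.: sh check_bash.sh --local
# (check_bash.sh is a hypothetical filename for this example).
if [ "${1:-}" = "--local" ]; then audit_local_bash; fi
```

    A mirror that has not synced yet will still report the older build as current, so an "outdated" result after `yum clean all; yum update bash` means the check should be repeated later.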
  15. Afterward

    Fix of the second vulnerability? Or the shellshock?
     
  16. eva2000

    fix for 2nd vulnerability, shellshock is the 1st fixed update

    CentOS 6
    Code:
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.1.2-15.2
    - CVE-2014-7169
      Resolves: #1146322
    
    * Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.1.2-15.1
    - Check for fishy environment
      Resolves: #1141645
    CentOS 7
    Code:
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.2.45-5.4
    - CVE-2014-7169
      Resolves: #1146324
    
    * Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.2.45-5.3
    - amend patch to match upstream's
      Related: #1146324
    
    * Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.2.45-5.2
    - Fix-up the patch
     
  17. Afterward

    Well, yum update shows nothing to me ftm
    Code:
    No Packages marked for Update
     
  18. eva2000

    yeah not all mirrors are populated with update yet, need to wait and check again. Out of 25+ of my servers like 6 don't have the update yet

    make sure you do a yum clean all before too
    Code:
    yum clean all; yum update bash
     
    Last edited: Sep 26, 2014
  19. Afterward

    Yeah nothing yet here too.