Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)

Reference



Am I affected?

OS/Software                  Vulnerable?
RHEL                         Vulnerable
CentOS                       Vulnerable
Amazon Linux AMI             Vulnerable
Fedora                       Vulnerable
Ubuntu                       Vulnerable
Debian                       Vulnerable
Novell/SuSE                  Vulnerable
Mac OS X                     Vulnerable
Juniper JunOS (SecureVPN)    Junos OS used by SecureVPN devices is not vulnerable
                             http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=SUBSCRIPTION
NGINX                        This bug does not affect the NGINX or NGINX Plus software directly, but if you are
                             running on an affected host system, we recommend that you upgrade the copy of bash
                             on that system as soon as possible.
                             http://nginx.com/blog/nginx-cve-2014-6271-bash-advisory/
VMware ESXi hypervisor,      Products that run on Linux or Mac OS (excluding Virtual Appliances) may use the
VMware vCenter Server and    bash shell that is part of the operating system.
other VMware products        http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740


Check your OS version

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.4 (Tikanga)

$ uname -a
Linux abc.rhs.net 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

Check available Shells

For Linux

$ chsh -l
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh

For AIX

$ chsh
 Current available shells:
                /bin/sh
                /bin/bsh
                /bin/csh
                /bin/ksh
                /bin/tsh
                /bin/ksh93
                /usr/bin/sh
                /usr/bin/bsh
                /usr/bin/csh
                /usr/bin/ksh
                /usr/bin/tsh
                /usr/bin/ksh93
                /usr/bin/rksh
                /usr/bin/rksh93
                /usr/sbin/uucp/uucico
                /usr/sbin/sliplogin
                /usr/sbin/snappd
                /opt/mastersam/bin/msh
 gzchin's current login shell:
                /usr/bin/ksh
 Change (yes) or (no)? > no
 Login shell not changed.

Check your BASH version

For Linux

$ echo $0
-bash

$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Sep 26 15:01 /bin/sh -> bash

[root@abc installer]# rpm -qa | grep -i bash
bash-3.2-24.el5

For AIX

AIX does not ship with bash by default, but it may have been installed afterwards, so check explicitly:
$ lslpp -L bash
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bash                         4.1-4    C     R    The GNU Bourne Again shell
                                                   (bash) version %{version}
                                                   (/bin/rpm)
State codes:
 A -- Applied.
 B -- Broken.
 C -- Committed.
 E -- EFIX Locked.
 O -- Obsolete.  (partially migrated to newer version)
 ? -- Inconsistent State...Run lppchk -v.

Type codes:
 F -- Installp Fileset
 P -- Product
 C -- Component
 T -- Feature
 R -- RPM Package

Diagnostic Steps


If the output contains the line “vulnerable”, your machine is vulnerable.
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

The test can be repeated from other shells; bash is invoked explicitly in each case, so the login shell makes no difference.
$ sh
sh-3.2$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test

$ tcsh
$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test

$ csh
$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test

$ ksh
$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test

If only the patch for CVE-2014-6271 has been applied, you will get the output below, and your machine is still vulnerable:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

The versions with additional fixes from RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 produce the following output:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. If you get the output below (the date printed back from /tmp/echo shows that the file was created), your machine is vulnerable.
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
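The two diagnostic commands above, wrapped into functions so they can be scripted across many hosts. This is an added example and not part of the original post or of the Red Hat advisory it quotes; the function names (check_cve_2014_6271, check_cve_2014_7169, shellshock_report) and the BASH_BIN variable are my own. It uses exactly the test strings shown above, but runs the file-creation test in a private temporary directory instead of /tmp so that nothing is left behind.

```shell
# Added example (not from the original post): script the two Shellshock checks.
# Each check prints "vulnerable", "not vulnerable" or "unknown" (no bash found).

# Path of the bash binary to test; override with BASH_BIN=/path/to/bash.
BASH_BIN=${BASH_BIN:-$(command -v bash 2>/dev/null)}

# CVE-2014-6271: does bash execute the commands that trail a function
# definition imported from the environment?
check_cve_2014_6271() {
    [ -x "$BASH_BIN" ] || { echo unknown; return; }
    out=$(env 'x=() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: does the incomplete parse let the environment create a file
# named after the first word of the command ("echo") in the current directory?
check_cve_2014_7169() {
    [ -x "$BASH_BIN" ] || { echo unknown; return; }
    dir=$(mktemp -d) || { echo unknown; return; }
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then
        echo vulnerable
    else
        echo "not vulnerable"
    fi
    rm -rf "$dir"
}

# One-line-per-finding report, convenient for collection by a fleet tool.
shellshock_report() {
    ver=$("$BASH_BIN" -c 'echo "$BASH_VERSION"' 2>/dev/null || echo '?')
    echo "bash=$BASH_BIN version=$ver"
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
}

# Usage: sh this_script.sh   (or source it and call the functions individually)
shellshock_report
```

The checks only exercise the bash binary they are pointed at; on hosts with several copies of bash (for example a second copy under /usr/local/bin or a chroot), run the report once per binary by setting BASH_BIN.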

What application might be affected?

Check this link for the latest list of affected applications.

Do I need to reboot or restart services after installing the update for CVE-2014-6271 and CVE-2014-7169?

If your system uses exported Bash functions, restarting affected services is recommended. Affected interactive users may have to re-login, and screen or tmux sessions may need to be restarted.

The Bash update provided to fix these issues changes the names of exported functions in the environment. If a function is exported by the old version of Bash, it is not recognized by newly started Bash processes after the update, and essentially becomes undefined. Restarting the services ensures that the new version of Bash exports functions under the expected name, making it visible again.

To find out which services need to be restarted (or which users have to re-login), execute the following command after updating:
$ grep -l -z '[^)]=() {' /proc/[1-9]*/environ | cut -d/ -f3

The returned PIDs belong to processes which are using the old exported function definitions in their environment. These processes must be restarted. To discover which service started a certain PID and needs restarting, on Red Hat Enterprise Linux 7, use the following command:
$ systemctl status

On Red Hat Enterprise Linux 6 and earlier, use the pstree -p or ps -axuf command and look for a particular PID.
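The grep command above lists PIDs only, so mapping them to a service still needs a second step. The following script is an added example, not code from the original post or from Red Hat: it wraps the same pattern in a function that can be tested on a constructed environ file, and adds a loop over /proc that prints each stale PID with its command name. The function names (has_old_func_export, list_stale_processes, make_sample_environ) are my own; the sample environ files are constructed to show the old and the new export naming described above.

```shell
# Added example (not from the original post): find processes that still carry
# functions exported under the pre-update naming scheme.

# Return 0 if the given NUL-separated environ file (the format of
# /proc/PID/environ) holds a function exported as "name=() {", i.e. by the
# old bash. Entries written by the fixed bash look like "BASH_FUNC_name()=() {",
# where the character before "=" is ")", which the pattern excludes.
has_old_func_export() {
    grep -q -z '[^)]=() {' "$1" 2>/dev/null
}

# Print "PID COMMAND" for every live process whose environment still holds an
# old-style exported function. Reading other users' environ files needs root.
list_stale_processes() {
    for envfile in /proc/[1-9]*/environ; do
        [ -r "$envfile" ] || continue
        if has_old_func_export "$envfile"; then
            pid=${envfile#/proc/}
            pid=${pid%/environ}
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done
}

# Constructed sample data: two environ files, one from before and one from
# after the update. Prints the directory that holds them.
make_sample_environ() {
    dir=$(mktemp -d)
    # old naming: the process was started before the update and must be restarted
    printf 'PATH=/usr/bin:/bin\0x=() { :;}\0HOME=/root\0' > "$dir/old.environ"
    # new naming produced by the fixed packages: nothing to do
    printf 'PATH=/usr/bin:/bin\0BASH_FUNC_x()=() { :;}\0HOME=/root\0' > "$dir/new.environ"
    echo "$dir"
}

# Usage: sh this_script.sh   (run as root to see every process)
list_stale_processes
```

One caveat for systems newer than the advisory: later upstream bash releases export functions as "BASH_FUNC_name%%=() {", and the "%" before "=" does match the pattern, so on such systems every bash child with an exported function is reported, not only stale ones. The pattern is exact for the Red Hat packages discussed here.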

Consideration

Consult the application team about the impact before upgrading or patching the shell.
Some of the points above were taken from the Red Hat website.
