Reference
Am I affected?
| OS/Software | Vulnerable? |
| --- | --- |
| RHEL | Vulnerable |
| CentOS | Vulnerable |
| Amazon Linux AMI | Vulnerable |
| Fedora | Vulnerable |
| Ubuntu | Vulnerable |
| Debian | Vulnerable |
| Novell/SuSE | Vulnerable |
| Mac OS X | Vulnerable |
| Juniper JunOS (SecureVPN) | Junos OS used by SecureVPN devices is not vulnerable. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=SUBSCRIPTION |
| NGINX | This bug does not affect the NGINX or NGINX Plus software directly, but if you are running on an affected host system, we recommend that you upgrade the copy of bash on that system as soon as possible. http://nginx.com/blog/nginx-cve-2014-6271-bash-advisory/ |
| VMware ESXi hypervisor | ESXi is not affected as it uses the ash shell (through busybox). http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740 |
| VMware vCenter Server and other VMware products | Products that run on Linux or Mac OS (excluding Virtual Appliances) may use the bash shell that is part of the operating system. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740 |
Check your OS version
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
$ uname -a
Linux abc.rhs.net 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
Check available shells
For Linux
$ chsh -l
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
For AIX
$ chsh
Current available shells:
/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd
/opt/mastersam/bin/msh
gzchin's current login shell:
/usr/bin/ksh
Change (yes) or (no)? > no
Login shell not changed.
Check your BASH version
For Linux
$ echo $0
-bash
$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Sep 26 15:01 /bin/sh -> bash
[root@abc installer]# rpm -qa | grep -i bash
bash-3.2-24.el5
For AIX
AIX does not ship with bash out of the box, but it may have been installed afterwards, so double-check:
$ lslpp -L bash
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bash                         4.1-4    C     R    The GNU Bourne Again shell (bash) version %{version} (/bin/rpm)

State codes:
 A -- Applied.
 B -- Broken.
 C -- Committed.
 E -- EFIX Locked.
 O -- Obsolete.  (partially migrated to newer version)
 ? -- Inconsistent State...Run lppchk -v.

Type codes:
 F -- Installp Fileset
 P -- Product
 C -- Component
 T -- Feature
 R -- RPM Package
Diagnostic Steps
If the output contains the line “vulnerable”, your machine is vulnerable.
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
Try switching into a different shell and running the test from there.
$ sh
sh-3.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
$ tcsh
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
$ csh
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
$ ksh
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
If you have only applied the patch for CVE-2014-6271, you will get the output below, and your machine is still vulnerable:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test
The versions with additional fixes from RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 produce the following output:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. If you get the output below, your machine is vulnerable:
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
What applications might be affected?
Check out this link for the latest discovered list.
Do I need to reboot or restart services after installing the update for CVE-2014-6271 and CVE-2014-7169?
If your system uses exported Bash
functions, restarting affected services is recommended. Affected interactive
users may have to re-login, and screen or tmux sessions may need to be
restarted.
The Bash update provided to fix these
issues changes the names of exported functions in the environment. If a
function is exported by the old version of Bash, it is not recognized by newly
started Bash processes after the update, and essentially becomes undefined.
Restarting the services ensures that the new version of Bash exports functions
under the expected name, making it visible again.
To find out which services need to be restarted (or which users have to re-login), execute the following command after updating:
$ grep -l -z '[^)]=() {' /proc/[1-9]*/environ | cut -d/ -f3
The returned PIDs belong to processes which
are using the old exported function definitions in their environment. These
processes must be restarted. To discover which service started a certain PID
and needs restarting, on Red Hat Enterprise Linux 7, use the following command:
$ systemctl status
On Red Hat Enterprise Linux 6 and earlier,
use the pstree -p or ps -axuf command and look for a particular PID.
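As an added example (not code from the original post), the following POSIX sh script wraps the two tests from the Diagnostic Steps section and the stale-environment scan from this section into functions that return a clear verdict. The BASH_BIN variable, the scratch-directory variant of the CVE-2014-7169 test, and the PID-to-command lookup are my assumptions, not part of the original commands:

```shell
#!/bin/sh
# Added example, not from the original post: wraps the post's two Shellshock
# checks and its /proc/*/environ scan into functions with clear results.
# Assumes POSIX sh, GNU grep (for -z), and that the bash under test is
# reachable as $BASH_BIN (defaults to "bash" on $PATH).
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: bash must not execute code appended to an exported function
# definition. Prints "vulnerable" if the trailing "echo vulnerable" ran.
check_6271() {
    out=$(env 'x=() { :;}; echo vulnerable' "$BASH_BIN" -c "echo test" 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo ok ;;
    esac
}

# CVE-2014-7169: the incomplete parser fix left a dangling redirection, so the
# next word ("echo") became an output file. Runs the post's test in a scratch
# directory instead of /tmp and reports whether the file "echo" appeared.
check_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo ok; fi
    rm -rf "$dir"
}

# One-line verdict combining both checks; a missing bash is reported rather
# than silently counted as patched.
shellshock_status() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "bash not found"; return 0; }
    if   [ "$(check_6271)" = vulnerable ]; then echo "vulnerable: CVE-2014-6271 unpatched"
    elif [ "$(check_7169)" = vulnerable ]; then echo "partially patched: CVE-2014-7169 unpatched"
    else echo "patched"; fi
}

# The post's grep over /proc/*/environ, extended to print each PID together
# with its command name so the owning service can be found and restarted.
stale_function_pids() {
    grep -l -z '[^)]=() {' /proc/[1-9]*/environ 2>/dev/null | cut -d/ -f3 |
    while read -r pid; do
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

shellshock_status
stale_function_pids
```

Run it as root after updating bash: the verdict line tells you whether the update took effect, and each remaining PID line names a process still carrying old-style exported functions.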
Consideration
Please consult with the application team on the impact before upgrading or patching the shell.
Some points pointed out by the Red Hat website.