CVE-2014-6271 ShellShock Bash Exploit

Blog Security
1

CVE-2014-6271 “Shell Shock” Bash Exploit

Please note that the RPM’s for the FreePBX Distro have been updated and contain the released patch for this announcement. Please update bash as soon as possible.

yum update bash

This recommendation is made as a precaution. There has been no reported compromises related to this issue on FreePBX systems. This has been around a long time and was only recently exposed. Remember to follow best security practices and do not expose your server to the public network if there is no need to. Lock down exposures to specific IP addresses whenever possible. Short of cutting all the wires (including power), and possibly explosives, there is no way to ensure complete security. Please use common sense wherever possible.

4

This topic is now a banner topic. It will appear at the top of every page until it is dismissed by the user.

5

A simple yum update bash should have worked, but doesn’t. Had to download rpm, etc…

6

What is the output of…

yum list bash
7

[root@localhost ~]# yum update bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update

[root@localhost ~]# yum list bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Installed Packages
bash.x86_64 4.1.2-15.el6_4 @anaconda-CentOS-201303020151.x86_64/6.4
[root@localhost ~]#

8

As the title says, how does one patch centos 6 for the shellshock vulnerability. We only seem to have freepbx patch repositories now with the later versions of freepbx.

9 
yum update bash

10

[root@localhost ~]# yum update bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update

Please remember this is freepbx installed on top of centos. Freepbx has removed the centos repositories.

11

Yes we know. We work for Schmooze. Both of us do. Did you miss the giant notice when you logged into the forums?

Perhaps you missed the other posts about this as well?

12

Hi, this vulnerability hit today: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Could we get an updated rpm pushed to the FreePBX Distro repos?

I have this version on 5.211.65-17:

$ rpm -qa |grep bash
bash-4.1.2-15.el6_4.x86_64

I think we need this version: bash-4.1.2-15.el6_5.1.x86_64
http://lists.centos.org/pipermail/centos-announce/2014-September/020585.html

13

Its already been in progress and should be pushed out tonight or tomorrow.

14

Thanks tonyclewis!

This will update your system in the meantime if you’re concerned:

wget http://YOURCENTOSMIRROR/pub/centos/6.5/updates/x86_64/Packages/bash-4.1.2-15.el6_5.1.x86_64.rpm
sha256sum bash-4.1.2-15.el6_5.1.x86_64.rpm

Check that your shasum matches (http://lists.centos.org/pipermail/centos-announce/2014-September/020585.html):

eb8e41a4752e64c5c64371e5ae2ddbd5857b1e879832557a89fad195f4ab8f5b  bash-4.1.2-15.el6_5.1.x86_64.rpm

Finally, upgrade the package:

rpm -U bash-4.1.2-15.el6_5.1.x86_64.rpm
15

Do do not tell people to grab random packages. This can be very dangerous.

The updates have been pushed and synced to the repos so a yum update bash will get it for you already.

It will also be included in the next upgrade scripts

16

As always… thanks for the quick response and update!

17

My system shows vulnerable to bash bug. Any idea when a fix will be available?

18

@freak moved your post in to this topic… You should be able to yum update bash.

Everyone please note there is still some netsec discussion that suggests this may still be an issue and not resolved upstream. As with all things security related please use common sense and otherwise lock down your systems to prevent exposure so these bugs matter less.

19 
[root@freepbxdev1 ucp]# yum update bash
Loaded plugins: downloadonly, fastestmirror, kmod
Determining fastest mirrors                                                                                                                                                                                                                                                                                                                                       13/13
pbx                                                                                                                                                                     | 1.3 kB     00:00
pbx/primary                                                                                                                                                             | 486 kB     00:00
pbx                                                                                                                                                                                  1811/1811
schmooze-commercial                                                                                                                                                     | 1.3 kB     00:00
updates                                                                                                                                                                 | 1.3 kB     00:00
updates/primary                                                                                                                                                         | 429 kB     00:00
updates                                                                                                                                                                                965/965
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.i686 0:4.1.2-15.el6_4 will be updated
---> Package bash.i686 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================
 Package                                   Arch                                      Version                                                Repository                                    Size
===============================================================================================================================================================================================
Updating:
 bash                                      i686                                      4.1.2-15.el6_5.1                                       updates                                      887 k

Transaction Summary
===============================================================================================================================================================================================
Upgrade       1 Package(s)

Total download size: 887 k
Is this ok [y/N]:
20

I have a Noob question but if I don’t ask, I don’t know. How do I do the RPM update for the Bash exploit? I see in the header there’s an update but I’m not sure where to find it. I’ve updated all my modules from the GUI but this appears to be something I’m supposed to do from the #.
FreePBX 2.11.0.38, Asterisk 1.8.18.0
Thank you.

21 
yum update bash
22

Did I do it wrong?

[root@PBX ~]# yum update bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update
[root@PBX ~]#