CVE-2014-6271 ShellShock Bash Exploit


#23

Did I miss it? No I see it there. I’m simply trying to tell you that ‘yum update bash’ doesn’t work, it doesn’t see anything available.


#24

Same here:
[[email protected] ~]# yum update bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update
[[email protected] ~]#


#25

Ok, thank. I think what you guys are saying is that as of 8pm Eastern time on 9/25 the update is not in the repository yet.


#26

Hi guys, it would appear this fix is not quite working properly. I also cannot download the update.

[[email protected] ~]$ yum list bash
Loaded plugins: fastestmirror, kmod
Determining fastest mirrors
base                                                                                                               6403/6403
extras                                                                                                                 13/13
schmooze-commercial                                                                                                  129/129
updates                                                                                                            1503/1503
Installed Packages
bash.x86_64                                              4.1.2-15.el6_4                                              @updates

[[email protected] ~]$ sudo yum update bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update

[[email protected] ~]$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

[[email protected] ~]$ cat /etc/schmooze/pbx-version
4.211.64-7

Thanks in advance.


#27

You don’t have the right version of bash yet, it hasn’t been released to the repository yet.


#28

Yep, just trying to provide some backup that it doesn’t appear to be working. Looking forward to seeing it there.

Unfortunately, I’ve three other distros in the same boat. Fun times.


#29

jfinstrom is talking about the distro which is not the same as freepbx installed on top of linux.

We are waiting for them to release the patches to the yum repository for centos. When you install freepbx on top of centos, it alters centos and tells it to look elsewhere (freepbx) for centos updates.


#30

Sorry, I didn’t mention that I am actually running the distro. I’m by no means an expert here, so I’ve no idea if it reflects a larger issue, or merely my lack of patience and I just need to wait until the update has ‘filtered down the chain’, as it were…


#31

From what I gather from this thread, the update may not be available until tomorrow 9/26.


#32

Thanks. Look forward to seeing it when it is.


#33

I updated one of my machines tonight, but when I tried to yum update bash an older FreePBX Distro (1.813.210.58-1), I was told that there is no update available…

Any suggestions?


(Andrew Nagy) #34

There’s a lot of miscommunication and misunderstanding here.

First off, yes, I am talking about the “Schmooze” Distro. Also, of note. Both @jfinstrom and I work for Schmooze. Originally many of you blindly posted multiple topics on/about this without taking the time to look at our banner and follow through to this thread. As of now I have merged all of your posts here for consolidation and locked the other threads (so don’t be offended if you find your thread locked)

At 3pm PST I checked both a 5.211.x distro and a 6.12.x distro. Both have the updated version of bash in the repo.

[[email protected] ~]# cat /etc/schmooze/pbx-version
5.211.65-17
[[email protected] ~]# yum list bash
Installed Packages
bash.i686                                4.1.2-15.el6_4                                   @updates
Available Packages
bash.i686                                4.1.2-15.el6_5.1                                 updates

I just checked again and both have this version. If you are on anything less than 5.211.x I recommend you take the following steps to upgrade your distro.

http://wiki.freepbx.org/display/FD/Updating+FreePBX+Official+Distro

For the 1.8 track (which is not able to go any higher than 1.8) I am not sure at this time.


(Ralph D) #35

Did update of the yum update bash . just saw the last line not sure what tha means “Total download size: 887 k
Is this ok [y/N]: Exiting on user Command” not sure if update is ok now ?
thanks


(Andrew Nagy) #36

No you skipped the update through a command of your own.

yum update bash

(Ralph D) #37

OK just run again so the miss approval mistake now complete.Just to confirm is the update for every version including 12 beta ? Thanks


(Ralph D) #38

Just tried other and received this reply ?
yum update bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update


(TheJames) #39

Remember folks this is precautionary . I have been scanning an un-updated system and have yet to find a successful attack vector through the web ui. The POC attack vectors are SSH post author, apache CGI, DHCP. Apache CGI is the one we would be most concerned about as the other 2 shouldn’t generally be a high risk unless you have people on your network you Dont trust and/or someone has your ssh credentials. I am scanning a 2.11 system on the FreePBX distro. If you are running something like Elastix with an old FreePBX (2.8,2.9) o would be more concerned as those had some CGI stuff.


(Seb50) #40

Hello all,

OK running SHMZ release 6.5 final distro.
We got the Bash patch yesterday which upgraded us to 4.1.2-15.el6_5.1 (thanks)

My understanding is that the patch for CVE-2014-6271 didn’t fix everything so another patch has been released - bash version should be 4.1.2-15.el6_5.2 (ie fixes CVE-2014-7169).

Is 4.1.2-15.el6_5.2 being rolled out to the distro as per the previous patch?

Tested bash manually as per (argh can’t post links) and still vulnerable.

Our freepbx servers are behind firewalls etc but our internal security scans will no doubt flag up the vulnerability!

Many thanks, Seb


#41

I believe seb50 is correct. There is a second BASH update that was released last night: 4.1.2-15.el6_5.2

From securityblog.redhat.com:

Update 2014-09-26 02:20 UTC

Red Hat has released patched versions of Bash that fix CVE-2014-7169. Information regarding these updates can be found in the errata. All customers are strongly encouraged to apply the update as this flaw is being actively attacked in the wild.
Fedora has also released a patched version of Bash that fixes CVE-2014-7169. Additional information can be found on Fedora Magazine.
Update 2014-09-25 16:00 UTC

Red Hat is aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.


(Jerry Warner) #42

I’m in the 1.818.210.58-1 crowd from the looks of it. So I’m assuming I do nothing for now.

Sorry about posting a new thread back there but I DID search for the bash problem first but not for “CVE-2012-6271”. I may be a Noob, but I DID try before posting a new topic.

Unfortunately it looks like the yum update bash doesn’t work because of my Distro version, which has an unknown solution. I’ll follow the thread for a future fix.

Thank you for the work everyone does here. The forum is great and the efforts are really appreciated.