CVE-2014-6271 ShellShock Bash Exploit

Ok, just went to Admin --> System Admin and it reports this-

PBX Firmware:4.211.64-7
PBX Service Pack:1.0.0.0

Are you saying this is outdated even though I keep up with the module updates??

You need to run the update scripts.

Keep in mind FreePBX itself can only manage its own modules. This issue IS NOT A FREEPBX MODULE ISSUE it is an OS level issue. You should keep both your OS and FREEPBX up to date.

Anyone rolling their own system or using an OS/distro from a different vendor should also keep up to date through the methods those OS/distros provide. For example, if you are on PIAF you would follow @wardmundy’s post in his forums, which advises how to update PIAF systems.

Ok, this may summarize it for everyone else who may still be confused.

I didn’t realize my freepbx was out of date even though all the modules are current. I was on version 4.211.64. There is a link above to the scripts. I ran the script inside centos and it upgraded freepbx to version 5.211.

After upgrading to 5.211, I noticed that as a result the BASH shell was also upgraded.

Jfinstrom says “Keep in mind FreePBX itself can only manage its own modules. This issue IS NOT A FREEPBX MODULE ISSUE it is an OS level issue. You should keep both your OS and FREEPBX up to date.”

But here is the thing you need to realize. Once freepbx is installed on top of a linux OS like centos, it strips out the normal centos repositories and replaces them with freepbx repositories. This is where the confusion is, because apparently freepbx is no longer maintaining those repositories, as every time I would run ‘yum update’ it found nothing.

So, long story short, you have to be on the current production version of 5.2 or the beta version of 6 to receive yum updates. Updates for freepbx distro 4.2 are apparently not maintained.

If anyone is unclear on how to check their version of freepbx, go to Admin --> System Admin

Tom

Ah! Mine was also a 4.211. Upgrading as I write. Thanks a bunch.

I believe a correction is needed here. Installing FreePBX on any supported OS, or even updating it within FreePBX itself, does NOT strip anything from your OS; running the update-scripts is what does that. Please understand the difference between FreePBX and the FreePBX distribution.

Even if using the schmooze repositories, which had the patches within hours of their release and before the exploit was slathered over every doomsday blog, you still have to keep your OS up to date.

Is there a second bash fix that needs to be migrated to the distro repos as well?

http://lists.centos.org/pipermail/centos-announce/2014-September/020593.html

I did yum update bash and it pulled down

bash-4.1.2-15.el6_5.1.x86_64

Looks like there may be a 5.2 available now?

hmm interesting. When I run ‘yum repolist’ now on my freepbx, I see the centos repos are back. In version 4.2 I did not have this, only repos pertaining to freepbx.

Turns out my problem was that I was also on 4.211. Having now upgraded (it took a while!) this is my last remaining question (RE ver 5.2)

Thanks for the help, all;
edooze

Yes, there is a 5.2 as well.
[root@localhost ~]# cat /etc/schmooze/pbx-version
6.12.65-16
[root@localhost ~]# rpm -qa |grep bash
bash-4.1.2-15.el6_5.2.i686

All FreePBX Distros based on CentOS 6.X or SHMZOS 6.X have had bash RPMs updated in our repos as of 2 days ago.

This is kind of annoying for me, but I’m not the right person to clarify and explain to the paranoid-elastix-lover guy, so if anyone wants to lose some minutes of their lives trying to explain the exploit go here: http://forum.elastix.org/viewtopic.php?f=116&t=129503

@navaismo I recommend flagging it rather than feeding the trolls. I have flagged the post because frankly it makes no sense and serves no legitimate or constructive purpose.

This is probably more than is deserved but let me address the concerns posed in that little bit of trolling:

I do work for schmooze and as a product of that I am also affiliated with them.

We released an update hours after the update was made public and hours before the exploit got spread around social media. All Bash updates are currently present in our repo and have been since day ZERO.

  • We don’t have a problem using our own repos
  • I didn’t mention Elastix at all because that post wasn’t made on the Elastix forums. You will note this topic was already covered in the Elastix forums. I would assume as an Elastix user you would follow the direction provided here.
  • I did mention @wardmundy and PIAF because ward had posted here and I was aware of his post at the time of the mention.

The bash issue is an OS level issue not a FreePBX issue. It only really matters what OS you are using as far as the actual bug. At this time it has not been shown as exploitable through FreePBX or any official module.

I am not sure where I have posted F U or D, quite the opposite. I do not see this to be an apocalyptic bug by any means as it relates to FreePBX. Like most things this has been over sensationalized by the media and people should generally ignore them.

Correction
I apparently did mention Elastix. From my understanding, in their stable release they are using FreePBX 2.9. Back in 2.9 we had some CGI stuff. CGI was one of the mentioned attack vectors in the CVE. This CGI stuff was removed in newer versions of FreePBX. This still has nothing to do with Elastix, nor does it require trolling. If you are unclear about anything I post please feel free to reply here or PM me.

Shellshock bash exploit was supposed to be fixed via a yum update. This does not happen for me.

# bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

# yum clean all
Loaded plugins: downloadonly, fastestmirror, kmod, priorities
Cleaning repos: Webmin base extras pbx schmooze-commercial updates
Cleaning up Everything
Cleaning up list of fastest mirrors

# yum update
Loaded plugins: downloadonly, fastestmirror, kmod, priorities
Determining fastest mirrors
 * Webmin: download.webmin.com
Webmin                                                   |  951 B     00:00     
Webmin/primary                                           |  23 kB     00:00     
Webmin                                                                  188/188
base                                                     | 2.0 kB     00:00     
base/primary                                             | 2.5 MB     00:01     
base                                                                  6403/6403
extras                                                   | 1.3 kB     00:00     
extras/primary                                           | 6.3 kB     00:00     
extras                                                                    13/13
pbx                                                      | 1.3 kB     00:00     
pbx/primary                                              | 427 kB     00:00     
schmooze-commercial                                      | 1.3 kB     00:00     
schmooze-commercial/primary                              |  19 kB     00:00     
schmooze-commercial                                                     129/129
updates                                                  | 1.3 kB     00:00     
updates/primary                                          | 2.3 MB     00:01     
updates                                                               1503/1503
Setting up Update Process
No Packages marked for Update

# yum reinstall bash
Loaded plugins: downloadonly, fastestmirror, kmod, priorities
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * Webmin: download.webmin.com
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch            Version                   Repository        Size
================================================================================
Reinstalling:
 bash          x86_64          4.1.2-15.el6_4            updates          904 k

Transaction Summary
================================================================================
Reinstall     1 Package(s)

Total download size: 904 k
Installed size: 3.0 M
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_4.x86_64.rpm                           | 904 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : bash-4.1.2-15.el6_4.x86_64                                   1/1 
  Verifying  : bash-4.1.2-15.el6_4.x86_64                                   1/1 

Installed:
  bash.x86_64 0:4.1.2-15.el6_4                                                  

Complete!

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

I need this fixed. Where do I get the updated rpm for a local install?
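
Added example (not part of any post in this thread, and not FreePBX or Schmooze tooling): a shell check that classifies a bash package string against the three el6 releases quoted in the thread and re-runs the thread's own test string against the local bash. The function names, and the assumption that the number after `el6_` orders the builds, belong to this example only.

```shell
#!/bin/sh
# Added example. Release strings below are the ones quoted in this thread.

# classify_bash_rpm NVR -> unpatched | first-fix | second-fix | unknown
# Assumption: for bash-4.1.2-15.el6_N[.M], a larger N.M is a newer build.
classify_bash_rpm() {
    case $1 in
        bash-4.1.2-15.el6_*) rel=${1#bash-4.1.2-15.el6_} ;;
        *) echo unknown; return 0 ;;
    esac
    rel=${rel%.x86_64}; rel=${rel%.i686}        # drop the arch suffix
    major=${rel%%.*}
    case $rel in *.*) minor=${rel#*.}; minor=${minor%%.*} ;; *) minor=0 ;; esac
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $minor in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }; then
        echo second-fix      # el6_5.2 or later
    elif [ "$major" -eq 5 ] && [ "$minor" -ge 1 ]; then
        echo first-fix       # el6_5.1
    else
        echo unpatched       # el6_4 and earlier
    fi
}

# probe_bash [BINARY] -> "vulnerable" | "not vulnerable"
# Runs the thread's own test string; it covers the original CVE-2014-6271
# behaviour only, so a pass here does not prove the second fix is installed.
probe_bash() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *) echo "not vulnerable" ;;
    esac
}

# Strings quoted in the thread, then the live system if rpm is available.
for nvr in bash-4.1.2-15.el6_4.x86_64 bash-4.1.2-15.el6_5.1.x86_64 \
           bash-4.1.2-15.el6_5.2.i686; do
    printf '%-32s %s\n' "$nvr" "$(classify_bash_rpm "$nvr")"
done
if command -v rpm >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(classify_bash_rpm "$(rpm -q bash 2>/dev/null)")"
fi
printf 'probe: %s\n' "$(probe_bash)"
```

The package reinstalled in the transcript above, `bash-4.1.2-15.el6_4`, classifies as unpatched, which is consistent with the test string still printing `vulnerable` afterwards.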

What version of the Distro are you running?

cat /etc/schmooze/pbx-version

Hello,
Before I upgrade CentOS with the patch (yum update bash) I am simply double checking if this affects the Phone Server (Asterisk) in any way, or is it really as simple as updating Bash with a “yum update bash” and rebooting?

Here is the version of the components I am using:
CentOS 5.2 (Final)
Asterisk 1.4.21.2
PBX in a Flash 1.2.9

Thanks,

Jason

Rebooting would affect the phone server. Updating bash will not.

I doubt the “new bash” will be used though until the server is rebooted.