[CRITICAL VULNERABILITY] RHEL
#1

Hello all,

We received this email today:

Code:
Hello,

We're emailing all our customers that use Authy for their SSH shells. We wanted to let you know that today, a critical vulnerability in bash (Bourne-Again-SHell) was disclosed by Stephane Chazelas.

This vulnerability is so critical that even if you have Two-Factor Authentication an attacker would be able to by-pass the two-factor verification and execute commands remotely on your server.
We recommend you update now.

Here's a few things to help you:

To test if you are vulnerable you can use the following command:

env t='() { :;}; echo You are vulnerable.' bash -c "true"

If it prints "You are vulnerable" you need to upgrade as soon as possible. Patches for the major Linux distributions have already been released.

If you are using Ubuntu or Debian, type the following commands to apply the security patch:

apt-get update
apt-get upgrade

If you are using RedHat, CentOS or Fedora, type the following commands to apply the security patch:

yum clean all
yum update bash

If you want to know more about this vulnerability please read the following thread on the oss-sec mailing list:

http://seclists.org/oss-sec/2014/q3/650

Authy Engineering Team
Update your bash asap.

http://www.osvdb.org/show/osvdb/112004

http://www.scip.ch/en/?vuldb.67685
Reply
#2

OS X is also affected, of course, although Apple haven't released an update yet, so you'll have to manually recompile if you want to patch it.

To elaborate: this vulnerability was semi-patched, but a variant of the malicious-environment-variable-execution bug was subsequently discovered not to be covered by the original patch. This secondary vulnerability has been assigned as CVE-2014-7169. I don't believe a patch has yet been released. Stay on top of your package upgrades for the next few days.

The following demonstrates the secondary vulnerability:
Code:
$ ls -l echo
ls: cannot access echo: No such file or directory

$ bash -c 'echo date -R'
date -R

$ env -i X='() { (a)=>\' bash -c 'echo date -R'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'

$ ls -l echo
-rw-rw-r-- 1 renegade renegade 32 Sep 25 12:29 echo

$ cat echo
Thu, 25 Sep 2014 12:29:43 +0100

Instead of running the command 'echo date -R', bash executes the command 'date -R' and stores the output in the file 'echo'.

In any case, you're only vulnerable if you have a scenario where someone can set environment variables in the same environment that bash is running in - that includes CGI bash scripts and physical terminal access. However, a properly secured SSH environment isn't inherently vulnerable, unless a malicious user is able to get to login and get to the stage where they have access to a shell environment.


Edit: This topic should be renamed - the vulnerability is not in Red Hat Enterprise Linux, nor does it solely affect RHEL users.
Reply
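
The two probes quoted in posts #1 and #2, combined into one check that can be pointed at any bash binary. This is an added example, not part of the original posts; the function names and the marker string are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: runs the two probes posted above against
# one bash binary. Function names and MARKER are made up for this example.
MARKER="probe-marker-3f9a"   # constructed string, only used to spot the leak

# Probe from the quoted email: a vulnerable bash executes the text that follows
# the function body while importing the environment variable.
check_env_import() {
    out=$(env t="() { :;}; echo $MARKER" "$1" -c "true" 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# Probe from post #2 (CVE-2014-7169): a vulnerable bash runs 'date -R' and
# writes its output to a file named 'echo'. Runs in a scratch directory so the
# stray file never lands in the caller's working directory.
# Pass an absolute path: the probe changes directory before running it.
check_cve_2014_7169() {
    work=$(mktemp -d) || return 2
    ( cd "$work" && env -i X='() { (a)=>\' "$1" -c 'echo date -R' ) \
        >/dev/null 2>&1 || true
    if [ -e "$work/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$work"
    echo "$verdict"
}

# Prints one summary line; exit status 0 only when both probes come back clean.
shellshock_report() {
    if [ ! -x "$1" ]; then
        echo "no executable found at '$1'"
        return 2
    fi
    first=$(check_env_import "$1")
    second=$(check_cve_2014_7169 "$1")
    echo "$1: function-import probe: $first; CVE-2014-7169 probe: $second"
    [ "$first" = patched ] && [ "$second" = patched ]
}

# Check the binary given as $1, or whichever bash is first on PATH.
shellshock_report "${1:-$(command -v bash)}" || true
```

The non-zero exit status of `shellshock_report` makes it usable from a cron job or configuration-management run that should flag hosts still needing the update.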
#3

Quote:
Originally Posted by renegade334
OS X is also affected, of course, although Apple haven't released an update yet, so you'll have to manually recompile if you want to patch it.

To elaborate: this vulnerability was semi-patched, but a variant of the malicious-environment-variable-execution bug was subsequently discovered not to be covered by the original patch. This secondary vulnerability has been assigned as CVE-2014-7169. I don't believe a patch has yet been released. Stay on top of your package upgrades for the next few days.

The following demonstrates the secondary vulnerability:
Code:
$ ls -l echo
ls: cannot access echo: No such file or directory

$ bash -c 'echo date -R'
date -R

$ env -i X='() { (a)=>\' bash -c 'echo date -R'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'

$ ls -l echo
-rw-rw-r-- 1 renegade renegade 32 Sep 25 12:29 echo

$ cat echo
Thu, 25 Sep 2014 12:29:43 +0100

Instead of running the command 'echo date -R', bash executes the command 'date -R' and stores the output in the file 'echo'.

In any case, you're only vulnerable if you have a scenario where someone can set environment variables in the same environment that bash is running in - that includes CGI bash scripts and physical terminal access. However, a properly secured SSH environment isn't inherently vulnerable, unless a malicious user is able to get to login and get to the stage where they have access to a shell environment.


Edit: This topic should be renamed - the vulnerability is not in Red Hat Enterprise Linux, nor does it solely affect RHEL users.
Yes, of course. I tried to rename the topic, but without success.
Reply
#4

.cgi people will suffer.
Reply
#5

I've put together a test script for these vulnerabilities, if anyone needs to check.

http://www.renegade334.me.uk/node/10
Reply
#6

Quote:
Originally Posted by renegade334
OS X is also affected, of course, although Apple haven't released an update yet, so you'll have to manually recompile if you want to patch it.
Apple has released an update, not popping up in the Software Updates, but it's on their site: http://support.apple.com/kb/DL1769
Reply

