Friday, September 26, 2014

Bash vulnerability possible quick fix for Debian 6 and 7 (squeeze and wheezy) - "CVE-2014-6271" or more CVEs

A bug discovered by Stephane Chazelas

IMPORTANT - MUST READ:

  • USE AT YOUR OWN RISK, i am not responsible for any broken apps/programs etc etc. Don’t sue me, im not rich anyway.
  • We do not know the extent of the vulnerability/fixes this is from best knowledge and effort, you are advised to research of your own too and not completely rely on these below. These methods are also described in many many online articles, i put them together mainly for our customers and people using Deb6/7.
  • This article is to be done/performed by people who know how to use bash and shell codes, not for newbies
  • Please read more articles and follow online security resources for updates should there be any. If you need to reupgrade, just follow steps below again, in case there’s a better fix/newer version.
NOTES
  • Note on command line operations: the # means its a shell code to run, copy paste that in your SSH console

Intro

For immediate fix to possible vulnerable users: e.g. using vulnerable bash with bash codes that may run on publicly exposed protocols such as SSH/HTTP etc where publicly accessible shell codes are possible. 
More reading: (askubuntu has an easy article to understand)

Test and Check Version

Note # denotes copy and paste into shell, don’t copy the # itself, copy after it, everything should be a single line unless said otherwise
1) Logon to your OS using SSH
2) Run the following 
#curl https://shellshocker.net/shellshock_test.sh | bash
If you see the output showing "vulnerable" from 7 out of 7 checks, you need to fix, therefore, proceed to fix as below. 
3) To check bash version, run, you might need this info as you may be upgrading to a higher version of bash as shown in this article. this article for debian 6 will assume bash 4.1;
#dpkg -s bash | grep Ver

Fix

Fix for Squeeze (Deb6)

Following a guide from http://www.tannkost.no/2014/09/compile-bash-from-source-to-remedy-shellshock-on-debian-lenny/
1) Do this in the /usr/src dir
#cd /usr/src
#wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
#tar zxvf bash-4.1.tar.gz
#cd bash-4.1
2) Fetch all patches, including latest ones that patches all related CVEs, note if you are using bash 4.2x then change accordingly, eg change to 4.1 to 4.2 and 41 to 42 so on. Since more and more patches are coming up, i am setting the possible number of patches to 25, at time of writing, there are 17 patches.
#for i in $(seq -f  %03g 0 25); do wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i; patch -p0 < bash41-$i; done
#./configure && make
#make install
#mv /bin/bash /bin/bash.old
#ln -s /usr/local/bin/bash /bin/bash
3) Check that you're not vulnerable anymore wiith the output of the following
# it should not output vulnerable word anymore
#curl https://shellshocker.net/shellshock_test.sh | bash
4) You can and also should delete the old one that's a problem
#rm /bin/bash.old
5) Rerun Test!, you should not be vulnerable anymore.

Fix for Wheezy (Deb7)

1) Just run below for Wheezy
#apt-get update
#apt-get install --only-upgrade bash
2) Rerun Test!, you should not be vulnerable anymore. Your bash version should also be higher than that specified above in the MUST READ section.
---http://highsecurity.blogspot.com--- ---RSS http://feeds.feedburner.com/highsecurity---