EGI CSIRT:Alerts/Shellshock-2014-09-29 - Revision history (MediaWiki 1.37.1, feed generated 2024-03-29T08:13:22Z)
https://wiki.egi.eu/w/index.php?title=EGI_CSIRT:Alerts/Shellshock-2014-09-29&feed=atom&action=history
Revision of 2014-09-29T12:39:19Z by Lnixon: Created page with "<pre> ** WHITE information - unlimited distribution ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** Title: ..."
<p><b>New page</b></p><div><pre><br />
** WHITE information - unlimited distribution **<br />
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
Title: URGENT: Update 1: EGI CSIRT 'CRITICAL' Risk - 'shellshock' vulnerability - arbitrary code execution via crafted environment variables<br />
<br />
Date: 2014-09-29<br />
Updated<br />
<br />
<br />
This advisory will be placed on the public wiki at:<br />
<br />
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Shellshock-2014-09-29<br />
<br />
<br />
Introduction<br />
============<br />
<br />
Multiple vulnerabilities that allow a malicious user to run arbitrary<br />
code with the privileges of the victim who runs Bash scripts have been<br />
found in the Bourne Again Shell (bash).<br />
<br />
This has been called the 'shellshock' vulnerability and has been<br />
widely publicised.<br />
<br />
NOTE: EGI CSIRT issued an initial advisory about shellshock on<br />
September 26, but since then additional problems and vulnerabilities<br />
have been discovered.<br />
<br />
All running resources MUST be either patched or otherwise have a<br />
work-around in place by 2014-10-03T21:00+01:00. Sites failing to act<br />
and/or failing to respond to requests from the EGI CSIRT team risk<br />
site suspension.<br />
<br />
<br />
Details<br />
=======<br />
<br />
A specially constructed environment variable that contains a function<br />
definition and trailing executable statements will make bash execute<br />
this code at the point of script initialization. This vulnerability<br />
was assigned CVE-2014-6271 and is assessed CRITICAL by EGI CSIRT.<br />
<br />
The initial patches issued by vendors like Red Hat and Ubuntu have<br />
unfortunately been shown to be incomplete, and multiple additional<br />
weaknesses allowing an attacker to trigger unintended code execution<br />
have been found. The most serious of these is CVE-2014-6278, which is<br />
assessed CRITICAL by EGI CSIRT.<br />
<br />
There is a wide range of vectors that can be used to trigger the<br />
shellshock vulnerabilities, including - but not limited to - batch<br />
systems like Torque and Slurm, web cgi scripts and mail filters like<br />
procmail.<br />
<br />
Various exploits are publicly available and are currently being used<br />
on a massive scale by many groups of attackers.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
To fully patch the vulnerabilities, sites must immediately install the<br />
latest bash updates:<br />
<br />
For Red Hat-type systems, these are the versions to update to:<br />
<br />
- Enterprise Linux 7 - bash-4.2.45-5.el7_0.4<br />
- Enterprise Linux 6 - bash-4.1.2-15.el6_5.2<br />
- Enterprise Linux 5 - bash-3.2-33.el5_11.4<br />
- Enterprise Linux 4 - bash-3.0-27.el4.4<br />
<br />
For Ubuntu, these are the versions to update to:<br />
<br />
- Ubuntu 14.04 LTS - bash 4.3-7ubuntu1.4<br />
- Ubuntu 12.04 LTS - bash 4.2-2ubuntu2.5<br />
- Ubuntu 10.04 LTS - bash 4.1-2ubuntu3.4<br />
<br />
<br />
Compatibility notes<br />
===================<br />
<br />
The latest bash update packages unavoidably break backward<br />
compatibility for bash function export.<br />
<br />
This can cause problems for certain software.<br />
<br />
In particular, the TCL modules system wants to export a function<br />
called "module". This was previously stored in a variable called<br />
"module", but with the latest bash patches it needs to be called<br />
"BASH_FUNC_module" instead - there is a separate name space for<br />
functions.<br />
<br />
Thus, if your site depends on TCL modules, it is important to<br />
coordinate updates of bash and modules so that compatible versions are<br />
used. Remember that you may have queued jobs that expect the old bash<br />
syntax and will break with the updated bash. Depending on your<br />
specific local environment, it may be possible to patch queued jobs in<br />
place to use the new bash syntax.<br />
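As an added defender-side check (not code from the EGI CSIRT advisory or the wiki), the POSIX shell script below covers the two technical points above: it tests a bash binary for the CVE-2014-6271 behaviour using a harmless echo as the trailing statement, and it reports which environment variable name bash uses for an exported function called "module", so a site can see before updating whether its TCL modules setup will hit the BASH_FUNC_ name-space change. It assumes bash (or the path given as first argument) is runnable and that env, grep, head and cut are available.

```shell
#!/bin/sh
# Added example, not part of the EGI CSIRT advisory. Assumes "bash" is on
# PATH (or is passed as the first argument) and that env, grep, head and
# cut exist. Nothing here modifies the system; it only reports.

# shellshock_status [BASH] -> prints "vulnerable", "patched" or "unknown".
# Puts a function definition with a trailing statement (the CVE-2014-6271
# pattern described in the advisory) into the environment and starts bash
# with a no-op. An unpatched bash runs the trailing "echo" while importing
# the function, so the marker appears; a patched bash never runs it.
shellshock_status() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo unknown; return 1; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# exported_function_name [BASH] -> prints the environment variable name this
# bash uses for a function called "module" after "export -f module".
# Old bash: plain "module". Patched bash: a name in the separate BASH_FUNC_
# name space (upstream uses "BASH_FUNC_module%%", some vendor builds
# "BASH_FUNC_module()"), which is the change that breaks old TCL modules
# setups and queued jobs written for the old form.
exported_function_name() {
    bash_bin="${1:-bash}"
    "$bash_bin" -c 'module() { :; }; export -f module; env' 2>/dev/null \
        | grep -E '^(BASH_FUNC_module[^=]*|module)=' \
        | head -n 1 \
        | cut -d= -f1
}

# uses_function_namespace [BASH] -> "yes" when exported functions live under
# BASH_FUNC_*, "no" when they still share the plain variable name space.
uses_function_namespace() {
    case "$(exported_function_name "$1")" in
        BASH_FUNC_module*) echo yes ;;
        *)                 echo no ;;
    esac
}

# Report for the bash on PATH, or for the binary given as first argument.
report() {
    echo "bash binary:                ${1:-bash}"
    echo "CVE-2014-6271 status:       $(shellshock_status "$1")"
    echo "exported function variable: $(exported_function_name "$1")"
    echo "BASH_FUNC_ name space:      $(uses_function_namespace "$1")"
}
report "$@"
```

Run it on each worker and submission host before and after the bash update; a job script or modules wrapper that parses the old "module=" variable by name will need the BASH_FUNC_ form once the report says "yes".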
<br />
<br />
Mitigation<br />
==========<br />
<br />
Due to the wide variety of vectors to trigger shellshock, EGI CSIRT<br />
does not consider mitigation efforts a viable approach.<br />
<br />
<br />
Credits<br />
=======<br />
<br />
The initial vulnerability was discovered by Stephane Chazelas (and<br />
named by Andreas Lindh).<br />
<br />
Additional vulnerabilities have been discovered by Florian Weimer,<br />
Michal Zalewski and Todd Sabin.<br />
<br />
<br />
References<br />
==========<br />
<br />
Red Hat support article: https://access.redhat.com/articles/1200223<br />
<br />
Red Hat errata notice: https://rhn.redhat.com/errata/RHSA-2014-1306.html<br />
<br />
Ubuntu security notice: http://www.ubuntu.com/usn/usn-2364-1/<br />
<br />
Zalewski blog entry announcing CVE-2014-6278:<br />
http://lcamtuf.blogspot.se/2014/09/bash-bug-apply-unofficial-patch-now.html<br />
</pre></div>