Shellshock Bash bug

With the Heartbleed bug still fresh in our minds we are now dealing with a new one: the Shellshock Bash bug. Bourne-Again Shell, or Bash, is a shell program mostly used on Linux/Unix platforms and Apple's Mac OS X.

Vulnerable Shellshock Bash bug systems

As we use several Linux distros for firewalls, email filtering, virtualization, routing and website hosting, I made a collection of the affected systems used in our organization and shared my problem-solving knowledge.

1. Raspberry PI

Raspberry Pi running Raspbian (Debian Wheezy) is affected by the bug. To check if your Raspberry Pi is vulnerable:

Log in with SSH. Copy/paste this command (without the brackets [ ]):

[env X="() { :;} ; echo busted" `which bash` -c "echo completed"]

If the output is:

busted
completed

Then your Pi is affected. I resolved this by updating the Raspberry Pi with this command:

sudo apt-get update && sudo apt-get -y dist-upgrade

Note: updating your Pi takes a while.
More information can be found here.

2. pfSense

The pfSense base system is not affected by this bug, but some packages are. More information can be found here.

Quote:

Affected packages have been either updated or removed (thanks to garga).

* FreeRADIUS2: Package updated with a patched version of bash
* Mailscanner: Package updated with a patched version of bash
* FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.

Other packages that had a reference to bash but are not vulnerable:

* Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
* git: Used bash during build, but did not include bash in its PBI
* avahi: Used bash during build, but did not include bash in its PBI
* ntopng : Used bash during build, but did not include bash in its PBI

So check your pfSense packages for updates in order to survive the Shellshock Bash bug.

3. Turnkey Linux WordPress

Some older TKL versions are affected. Our systems running TKL v13.1 were not affected. More information can be found here.

Quote:

As the security-fixed version should have been applied by TKL's auto security updates, you should be good to go. To double check, jlain's advice above also applies to Wheezy-based appliances (i.e. TKL v13.x):

dpkg -s bash | grep Version
In v13.x/Wheezy appliances the vulnerable version is 4.2+dfsg-0.1

If you have 4.2+dfsg-0.1+deb7u1 or newer then you are good. (FWIW I have 4.2+dfsg-0.1+deb7u3 on my TKL v13.1 systems).
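As an added example (not code from the original post), the script below wraps the two checks described above into reusable functions: the environment-variable test from section 1 and the Wheezy package-version rule quoted here in section 3. Function names are my own; the version threshold is exactly the one quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Run the post's environment-variable test against the installed bash.
# Prints "vulnerable", "patched", or "no-bash" (bash not installed).
shellshock_env_test() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    # A vulnerable bash runs the trailing "echo busted" while importing X;
    # a patched bash only prints "completed".
    out=$(env X='() { :;} ; echo busted' "$bash_bin" -c 'echo completed' 2>/dev/null) || true
    case "$out" in
        *busted*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
}

# Classify a Debian Wheezy bash package version string using the rule
# quoted above: 4.2+dfsg-0.1 is vulnerable, 4.2+dfsg-0.1+deb7uN is fixed.
# Prints "vulnerable", "fixed", or "unknown" (any other base version).
wheezy_bash_version_status() {
    case "$1" in
        4.2+dfsg-0.1)             echo "vulnerable" ;;
        4.2+dfsg-0.1+deb7u[1-9]*) echo "fixed" ;;
        *)                        echo "unknown" ;;
    esac
}

# Read the installed version the same way the post does (dpkg -s bash)
# and classify it. Only meaningful on Debian-based systems.
installed_bash_status() {
    ver=$(dpkg -s bash 2>/dev/null | sed -n 's/^Version: //p')
    wheezy_bash_version_status "$ver"
}

# One-line report combining both checks.
shellshock_report() {
    echo "env-test: $(shellshock_env_test)  dpkg-version: $(installed_bash_status)"
}
```

Run `shellshock_report` after sourcing the script; on a non-Debian host the dpkg part reports "unknown" and only the env test is meaningful.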

4. Last but not least: VMware ESXi hypervisors

The effect of the Shellshock Bash bug on ESXi is minimal for us. As far as I understand, if you're running the vCenter Server Appliance (we use vCenter Server on top of Windows) you might be affected by this bug. More information can be found here.

Update 10-8-2014: VMware is offering patches; more information can be found here.

Shellshock Bash bug – final thoughts

Finally, I would like to emphasize that the Shellshock bug is, like Heartbleed, extremely dangerous and gets a score of 10/10 from a severity point of view. Please check your systems as soon as possible, unless they are neither used in production environments nor published to the WWW.

Please share your thoughts on this subject by leaving a comment.
