Warning to Linux and Apple users [CVE-2014-6271 & CVE-2014-7169]


Posts: 178

Have the tech gurus here seen this warning to Linux and Apple users? ~ how serious is it?

http://news.msn.com/science-technology/new-bash-software-bug-may-pose-bigger-threat-than-heartbleed

Sooz


Admin

Posts: 11073

Thanks for the heads-up, Sooz!

It's serious alright. Just how likely it is to be able to be exploited is the real question though. It's the Internet facing machines that are at the biggest risk right now. The majority of the Internet runs on Linux.


Posts: 2263

Apple provided a statement yesterday.

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

Until Apple provides an update, the fix would be to recompile Bash with official patches from GNU.

Apple says most customers not vulnerable to 'shellshock,' patch coming for advanced users

Apple: Most OS X users safe from 'Shellshock' exploit, patch coming quickly for advanced Unix users


Admin

Posts: 11073

The trouble is that the patch is not 100%. While it is worth having, a later patch will be required.

While bash is protected behind a login/s, other utilities may be authorized to use it and these other utilities may, as a result of their purpose, accept input, which in turn is relayed to bash and these utilities require no login.

To be clear, patches have existed since Monday and anyone who uses auto-updates (default) on Linux, will already have been patched. This patch is not 100% and another will be required, once it exists. One should not wait and still apply the less than perfect patch.

What is scary is that this vulnerability is wormable, i.e. easily able to replicate and transfer from system to system. Make sure ALL your *NIX systems are patched and not just some.

This includes Android based phones and most routers. Clearly, it also includes iOS devices.

The answer to just how vulnerable anyone is is an unequivocal "depends". It depends on your setup and what you run.


Posts: 825

andrew wrote:.............. and anyone who uses auto-updates (default) on Linux, will already have been patched.


I'm not sure whether I do or not, on my desktop and laptop :eek How does one tell?


Admin

Posts: 11073

You'd have the icon in your taskbar if you did. (You don't on your desktop machine.) Just run update manager or synaptic package manager (select upgradeable [or search 'bash']). You should end up with version 4.2-2ubuntu2.3. (4.2-2ubuntu2.2 was released on Monday and 4.2-2ubuntu2.3 was released on Thursday and is still flagged as incomplete.)
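A way to check the installed version against the one named above, added here as example code rather than anything from the thread: it reproduces dpkg's version-ordering rules in Python so a package version can be compared with a target, using 4.2-2ubuntu2.5 (the build the thread later arrives at) as an assumed threshold.

```python
import itertools
import re
import subprocess
# Threshold assumed for this demo: substitute the version your distribution's advisory names.
SHELLSHOCK_FIXED = "4.2-2ubuntu2.5"
def _order(c):
    # dpkg's character weighting: '~' < end of string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256
def _cmp_nondigit(a, b):
    for x, y in itertools.zip_longest(a, b, fillvalue=""):
        if _order(x) != _order(y):
            return -1 if _order(x) < _order(y) else 1
    return 0
def _cmp_fragment(a, b):
    # Like dpkg: alternate a lexical run of non-digits with a numeric run of digits
    while a or b:
        ma, mb = re.match(r"(\D*)(\d*)", a), re.match(r"(\D*)(\d*)", b)
        r = _cmp_nondigit(ma.group(1), mb.group(1))
        if r:
            return r
        na, nb = int(ma.group(2) or 0), int(mb.group(2) or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0
def split_version(v):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision
def compare_versions(a, b):
    # -1, 0 or 1 as Debian version a is older than, equal to or newer than b
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
def installed_bash_version():
    # dpkg-query prints the installed version; None when dpkg is unavailable
    try:
        return subprocess.check_output(["dpkg-query", "-W", "-f=${Version}", "bash"], text=True).strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None
def is_patched(version, fixed=SHELLSHOCK_FIXED):
    return compare_versions(version, fixed) >= 0
```

Call `is_patched(installed_bash_version())` on an Ubuntu box to get the verdict; the comparison helpers also work on any other Debian-style version string.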


Posts: 825

Thanks for the info

desktop - using Synaptic, upgraded successfully :)

laptop - using Synaptic, gave errors

"W: Failed to fetch http://archive.ubuntu.com/pool/b/bash/b ... _amd64.deb 404 Not found [IP: 91.189.91.14 80]"
"W: Failed to fetch http://archive.ubuntu.com/pool/b/bash/b ... .1_all.deb 404 Not found [IP: 91.189.91.14 80]"


Admin

Posts: 11073

That would be correct. Look at the versions you are trying to upgrade to.

Install it manually from this:
http://launchpadlibrarian.net/185730797 ... _amd64.deb


Posts: 825

I launched Update Manager and asked for updates then had to pop out. Just come in and Bash is now v2.5, so it looks like there's been another in the last hour


Admin

Posts: 11073

Um, well, actually yesterday ... but not even 24 hours has passed yet. :lol


Posts: 825

errrr, I'm not following this at all.
Back home again, at least for a bit :)

desktop (Synaptic) found v2.3 and updated to that

10 mins later ..............

laptop (Synaptic) couldn't find whatever it searched for and gave errors
laptop (Update Manager) found v2.5 and updated to that

now I try desktop (Synaptic) and it still reckons v2.3

Surely v2.5 should be applied to both desktop and laptop? and if linux tools (Synaptic / Update Manager) can't find whatever is deemed the latest how would one know to go to "launchpadlibrarian"?


Admin

Posts: 11073

Perhaps both right. The update may have been created yesterday but it only shows having been released 4 hours ago:

https://launchpad.net/ubuntu/+source/bash

Use Google. Google the detail. It will turn up in the first result or two.

"Refresh" synaptic.


Posts: 2263

From what I can tell, Bash doesn't exist on iOS, and I don't believe it's part of default Android installations either.

Jailbroken/rooted iOS and Android devices are likely to have Bash, though. It's not clear whether or not they'd be vulnerable by default or if a setting would have to be changed (like OS X) for them to become vulnerable.


Admin

Posts: 11073

(Google's Android and Apple's iOS mobile OS's are also UNIX-like, but don't often use Bash, if ever.)
source

As I said above, it is an unequivocal "depends".


Posts: 2263

It's very hard to sort this out, and articles changed a bit after Apple's statement. The one you cite came before the statement. I believe I read it a couple of days ago; the line you quoted sounds familiar.

One article I read mentioned that the two common iOS jailbreaking schemes each installed Bash, then postulated that installing Bash wouldn't likely be necessary if it already existed in iOS.

If Bash is buried in iOS, I think that it'd be highly unlikely that a user would be able to invoke the conditions necessary for the bug to kick in. There simply isn't that level of OS access without jailbreaking.


Admin

Posts: 11073

What I don't get is why there is no mention of any statement from Apple saying that iOS is 100% immune. Plenty of quotes saying OS X is potentially vulnerable (but unlikely for the majority of users). Not an official word about iOS?


Posts: 2263

The situation was that an Apple spokesperson talked to a reporter. It's unfortunate that the reporter didn't appear to ask or that the spokesperson didn't think to volunteer the information.

I think that if there were a problem with iOS and Android, the mainstream blogs would have picked up on it. This would be especially newsworthy if the issue exists in Android as most Android users would be likely to never receive an update.

We're also not very clear on how much danger this poses to Linux users who aren't using their computers as "internet-facing" devices. Would the settings that open up the vulnerability be enabled by default, or would they be shut off like they are on Macs?


Admin

Posts: 11073

If networked to other machines or if they execute something from say a memory stick, there could be problems but a completely isolated machine is at zero risk.

Devices like routers could pose a serious problem globally.

Here is a list of (some) manufacturers that include bash from the DHS.

Personally, I am not sweating it. I have several Linux machines and only 2 have been updated. The highest risk one was done first. This machine is rarely on the network. Everyday machine is done. Risk varies on others but they will be updated if they will be at increased risk.

I'm mildly concerned about online data. The risks can be mitigated to a large extent and I am sure hosts are fairly on top of things. I think the best overall advice is to make sure you have data backups in more than one location, with at least one of these locations being completely offline.

Generally, Apple users that are at risk will likely know they are at risk and be able to reduce/remove that risk.

Default Linux installations will likely have been automatically patched. Someone has to turn off automatic updates and anyone that does likely knows this.

Aside: The issue Paul had above in trying to download a version that did not exist is a result of not updating. If there is a serious issue with a version, it will be completely withdrawn. The package manager then ends up being unable to download the "update", even if there is a superseded one. It's a weakness. Heck, it is an annoyance! LOL However, there are easy but tedious workarounds.

Now, I am not gonna dash off and update everything... It takes less than 2 mins to do and I will do it as and when I boot a machine. I AM concerned about my router. This I will have to look into.

People who use "live disks" are at a considerable risk. I use them quite a lot, even on a Windows machine. These disks all contain a vulnerable version of bash and if the timing ain't right ... there could be problems!

On my todo list is to check the various bash scripts that I have written to make sure they are continuing to work. They should but I just want to make absolutely sure for peace of mind.


Posts: 2263

There are Bash updates on Apple's website for Mavericks (10.9), Mountain Lion (10.8), and Lion (10.7). I haven't seen it in the automatic software update mechanism yet.

At this point, there doesn't appear to be an update for Yosemite (10.10) testers. These people get very frequent updates, so I'd assume that Bash in Yosemite will be addressed shortly.

Apple releases OS X bash update 1.0 addressing Shellshock vulnerability


Admin

Posts: 11073

This makes sense (even though it is diabolically slow). If people actually need the patched version, they will likely know it and be able to download and install it themselves. The patch is likely only partial (I see no mention currently) and perhaps Apple await a full patch before releasing it via automatic updates.

Mavericks: 3.4MB
Mountain Lion: 34.3MB
Lion: 3.5MB

Seems kinda weird with the Ubuntu update being 6xxKB.

What perhaps is not being considered are machines that have changed hands. i.e. a machine that has at some point in the past had advanced services configured by a different user. This may also hold true where families share a machine and one of the kids configures it. Someone messing around with the configuration in ignorance could also place themselves at increased risk.

I don't like how Apple Users are being treated. There was no immediate and clear statement. (Is there yet?) Patches - no matter how complete - not made available promptly (and yet we know it is possible and every other *NIX system has). Instead, Users are left to worry and/or attempt to patch their own systems, with patches sourced elsewhere.

I know you do not think there are many legacy machines out there but frankly, I see a scary amount. These machines are more at risk and yet are not supported. In general, these people are under the illusion that any Apple is secure. They never bothered to update and are likely oblivious to the risks.

There is also not enough being said about applications. An installed application can use bash. An app on iOS could install and use bash. (the bash interpreter is not present by default on iOS)

In general, we trust 3rd party vendors not to abuse the privilege or place us at risk. True, Apple have their store, where everything can be vetted but it was not always this way. I do wonder just how many of these applications that have been vetted actually use bash or reconfigure environment variables. Apple would have deemed these "safe" as bash had been deemed "safe", as were environment variable changes made.

Similar could be said for Android.

Aside: I cannot help but see the funny side of things. This simple weakness has existed for 25 years and a great many Companies and Organizations have used *NIX over that time and likely still do. This has possibly been exploited by many over the years and just never discovered. Governments, security agencies, utility companies, air traffic control, web hosts, you name it, have all been at risk. The simple things can often be overlooked. This has been overlooked by millions and many of these in a position to actually know.

I'm guilty myself: "Oh, it has been around for x years and nobody has reported an issue with it (so it should be OK)."
