[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
Herman Mereles
hmereles en senatics.gov.py
Thu Sep 25 17:32:08 BRT 2014
Raúl, colleagues,
This is a bulletin that we have drafted,
Regards
---
On 25/09/14 at 16:19, Raul Cabrera wrote:
>
> From the Schneier on Security blog:
>
> "Nasty Vulnerability found in Bash"
> <https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html>
>
> Kind regards.
>
> RAUL EDUARDO CABRERA
>
> *From:* Seguridad [mailto:seguridad-bounces en lacnic.net] *On behalf of*
> Fernando Gont
> *Sent:* Thursday, 25 September 2014 04:51 p.m.
> *To:* List for discussion of network and information systems security
> in the region
> *Subject:* [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell
> (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>
> FYI
>
>
>
> -------- Forwarded Message --------
>
> *Subject:* TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
> (CVE-2014-6271,CVE-2014-7169)
> *Date:* Thu, 25 Sep 2014 14:10:57 -0500
> *From:* US-CERT <US-CERT en ncas.us-cert.gov>
> *Reply-To:* US-CERT en ncas.us-cert.gov
> *To:* fernando en gont.com.ar
>
> NCCIC / US-CERT
>
> National Cyber Awareness System:
>
> *TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
> (CVE-2014-6271,CVE-2014-7169)*
> <https://www.us-cert.gov/ncas/alerts/TA14-268A>
>
> 09/25/2014 12:56 PM EDT
>
> Original release date: September 25, 2014
>
>
> Systems Affected
>
> * GNU Bash through 4.3.
> * Linux, BSD, and UNIX distributions including but not limited to:
>
> o CentOS 5 through 7
> <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
> o Debian
> <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
> o Mac OS X
> o Red Hat Enterprise Linux 4 through 7
> o Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
> <http://www.ubuntu.com/usn/usn-2362-1/>
>
>
> Overview
>
> A critical vulnerability has been reported in the GNU Bourne Again
> Shell (Bash), the common command-line shell used in most Linux/UNIX
> operating systems and Apple’s Mac OS X. The flaw could allow an
> attacker to remotely execute shell commands by attaching malicious
> code in environment variables used by the operating system [1]
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
> The United States Department of Homeland Security (DHS) is releasing
> this Technical Alert to provide further information about the GNU Bash
> vulnerability.
>
>
> Description
>
> GNU Bash versions 1.14 through 4.3 contain a flaw that processes
> commands placed after function definitions in the added environment
> variable, allowing remote attackers to execute arbitrary code via a
> crafted environment which enables network-based exploitation [2, 3].
>
> Critical instances where the vulnerability may be exposed include [4, 5]:
>
> * Apache HTTP Server using mod_cgi or mod_cgid scripts that are either
> written in bash or spawn subshells.
> * Override or bypass of the ForceCommand feature in OpenSSH sshd and of
> the limited protection for some Git and Subversion deployments used to
> restrict shells, allowing arbitrary command execution.
> * Arbitrary commands run on a DHCP client machine, various
> daemons and SUID/privileged programs.
> * Exploitation of servers and other Unix and Linux devices via Web
> requests, secure shell, telnet sessions, or other programs that use
> Bash to execute scripts.
>
>
> Impact
>
> This vulnerability is classified by industry standards as “High”
> impact with CVSS Impact Subscore 10 and “Low” on complexity, which
> means it takes little skill to perform. This flaw allows attackers to
> provide specially crafted environment variables containing arbitrary
> commands that can be executed on vulnerable systems. It is especially
> dangerous because of the prevalent use of the Bash shell and its
> ability to be called by an application in numerous ways.
>
>
> Solution
>
> Patches have been released to fix this vulnerability by major Linux
> vendors for affected versions. Solutions for CVE-2014-6271 do not
> completely resolve the vulnerability. It is advised to install
> existing patches and pay attention for updated patches to address
> CVE-2014-7169.
>
> Many UNIX-like operating systems, including Linux distributions, BSD
> variants, and Apple Mac OS X include Bash and are likely to be
> affected. Contact your vendor for updated information. A list of
> vendors can be found in CERT Vulnerability Note VU#252743 [6]
> <http://www.kb.cert.org/vuls/id/252743>.
>
> US-CERT recommends system administrators review the vendor patches and
> the NIST Vulnerability Summary for CVE-2014-7169
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>, to
> mitigate damage caused by the exploit.
>
>
> References
>
> * Ars Technica, Bug in Bash shell creates big security hole on
> anything with *nix in it;
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
> * DHS NCSD; Vulnerability Summary for CVE-2014-6271
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
> * DHS NCSD; Vulnerability Summary for CVE-2014-7169
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
> * Red Hat, CVE-2014-6271
> <https://access.redhat.com/security/cve/CVE-2014-6271>
> * Red Hat, Bash specially-crafted environment variables code
> injection attack
> <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
> * CERT Vulnerability Note VU#252743
> <http://www.kb.cert.org/vuls/id/252743>
>
>
> Revision History
>
> * September 25, 2014 - Initial Release
>
>
> --
> Fernando Gont
> e-mail:fernando en gont.com.ar <mailto:fernando en gont.com.ar> ||fgont en si6networks.com <mailto:fgont en si6networks.com>
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/seguridad
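Two defender-side checks for the flaw the forwarded alert describes, added here as an example (this is not code from the US-CERT alert or from the list thread): a local self-test for the CVE-2014-6271 function-definition behaviour using the widely published pattern with a harmless echo trailer, and a scan of a web access log for requests that carry the `() {` prefix a CGI-borne attempt would have to deliver. It assumes a POSIX sh with grep and mktemp, and a bash on PATH; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the US-CERT alert or the list thread.
# Two defender-side checks for the flaw the alert describes:
#  1. shellshock_check: does the local bash still run the command that
#     trails an exported function definition (CVE-2014-6271)? This is
#     the widely published self-test pattern; the trailer only echoes
#     a marker, so it is safe on production hosts.
#  2. scan_access_log: find HTTP requests carrying the "() {" function
#     prefix in a header, which is how the flaw reaches a CGI script
#     behind mod_cgi (the header becomes an environment variable).

# classify_output MARKER OUTPUT -> VULNERABLE if the marker was echoed
classify_output() {
  case "$2" in
    *"$1"*) echo "VULNERABLE" ;;
    *)      echo "PATCHED" ;;
  esac
}

# shellshock_check [BASH] -> VULNERABLE, PATCHED or NO_BASH
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "NO_BASH"; return 0; }
  marker="shellshock_marker_$$"
  # A fixed bash imports x as a plain string; a vulnerable one parses
  # the value as a function and executes the trailer while starting.
  out=$(env "x=() { :;}; echo $marker" "$bash_bin" -c 'echo ok' 2>/dev/null || true)
  classify_output "$marker" "$out"
}

# scan_access_log FILE -> prints each line with a "() {" prefix anywhere
# (request line, User-Agent, Referer, Cookie). Whitespace between the
# parentheses and the brace is tolerated because bash's parser is.
scan_access_log() {
  grep -E '\(\)[[:space:]]*\{' "$1" 2>/dev/null || true
}

# Constructed sample access log (combined format) for a stand-alone run.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:14:10:57 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.2 - - [25/Sep/2014:14:11:03 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"
EOF

echo "local bash: $(shellshock_check)"
echo "requests carrying a function-definition prefix:"
scan_access_log "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

A host whose bash reports VULNERABLE still needs the vendor patches listed in the alert; a PATCHED result covers only the original CVE-2014-6271 behaviour, not the follow-up parser issue tracked as CVE-2014-7169.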
------------ next part ------------
An HTML attachment was scrubbed...
URL: <https://mail.lacnic.net/pipermail/seguridad/attachments/20140925/eff2285e/attachment.html>
------------ next part ------------
A non-text attachment was scrubbed...
Name: Boletin_20140925_Vulnerabilidad_Bash.pdf
Type: application/pdf
Size: 75790 bytes
Desc: not available
URL: <https://mail.lacnic.net/pipermail/seguridad/attachments/20140925/eff2285e/attachment.pdf>
More information about the Seguridad mailing list