[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)

Vie Sep 26 10:31:45 BRT 2014

ciertamente, pero me imagino que, al no haber ninguna
variable o patron que pueda ser instanciado, no hace mucha
diferencia, yo usaria simples, en eso concuerdo.

en una de las referencias
<http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
usan las simples

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

saludos

On Fri, Sep 26, 2014 at 5:33 AM, Jose Luis Gaspoz <gaspozj en is.com.ar> wrote:

>   Hernán:
>
> ¿no están mal el tipo de comillas en la primera parte del codigo del seteo
> de la variable? .... deberian ser comillas simples y no dobles.
>
> Saludos
>
> Ing. Jose Luis Gaspoz
> Internet Services S.A.
> Tel: 0342-4565118
> Cel: 342-5008523
>
>  *From:* Herman Mereles <hmereles en senatics.gov.py>
> *Sent:* Thursday, September 25, 2014 5:32 PM
> *To:* Lista para discusion de seguridad en redes y sistemas informaticos
> de la region <seguridad en lacnic.net>
> *Subject:* Re: [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell
> (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>
> Raúl, compañeros,
>
> Este es un boletín que nosotros hemos redactado,
>
> Saludos
> ---
> El 25/09/14 a las 16:19, Raul Cabrera escibió:
>
>  Del Blog Schneier on Security:
>
>
>
> *“Nasty Vulnerability found in Bash” (*
> https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html *)*
>
>
>
> Saludos cordiales.
>
>
>
>
>
> RAUL EDUARDO CABRERA
>
>
>
>
>
> *De:* Seguridad [mailto:seguridad-bounces en lacnic.net
> <seguridad-bounces en lacnic.net>] *En nombre de *Fernando Gont
> *Enviado el:* jueves, 25 de septiembre de 2014 04:51 p.m.
> *Para:* Lista para discusión de seguridad en redes y sistemas
> informaticos de la región
> *Asunto:* [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell
> (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>
>
>
> FYI
>
>
>
> -------- Forwarded Message --------
>
> *Subject: *
>
> TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
> (CVE-2014-6271,CVE-2014-7169)
>
> *Date: *
>
> Thu, 25 Sep 2014 14:10:57 -0500
>
> *From: *
>
> US-CERT mailto:US-CERT en ncas.us-cert.gov <US-CERT en ncas.us-cert.gov>
>
> *Reply-To: *
>
> US-CERT en ncas.us-cert.gov
>
> *To: *
>
> fernando en gont.com.ar
>
>
>
> [image: NCCIC / US-CERT]
>
> National Cyber Awareness System:
>
> *TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
> (CVE-2014-6271,CVE-2014-7169)
> <https://www.us-cert.gov/ncas/alerts/TA14-268A>*
>
> *09/25/2014 12:56 PM EDT*
>
>
>
> Original release date: September 25, 2014
> Systems Affected
>
>    - GNU Bash through 4.3.
>    - Linux, BSD, and UNIX distributions including but not limited to:
>
>
>     - CentOS
>       <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
>       5 through 7
>       - Debian
>       <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
>       - Mac OS X
>       - Red Hat Enterprise Linux 4 through 7
>       - Ubuntu <http://www.ubuntu.com/usn/usn-2362-1/> 10.04 LTS, 12.04
>       LTS, and 14.04 LTS
>
> Overview
>
> A critical vulnerability has been reported in the GNU Bourne Again Shell
> (Bash), the common command-line shell used in most Linux/UNIX operating
> systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely
> execute shell commands by attaching malicious code in environment variables
> used by the operating system [1]
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
> The United States Department of Homeland Security (DHS) is releasing this
> Technical Alert to provide further information about the GNU Bash
> vulnerability.
> Description
>
> GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands
> placed after function definitions in the added environment variable,
> allowing remote attackers to execute arbitrary code via a crafted
> environment which enables network-based exploitation. [2
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>, 3
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]
>
> Critical instances where the vulnerability may be exposed include: [4
> <https://access.redhat.com/security/cve/CVE-2014-6271>, 5
> <http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
> ]
>
>    - Apache HTTP Server using mod_cgi or mod_cgid scripts either written
>    in bash, or spawn subshells.
>    - Override or Bypass ForceCommand feature in OpenSSH sshd and limited
>    protection for some Git and Subversion deployments used to restrict shells
>    and allows arbitrary command execution capabilities.
>    - Allow arbitrary commands to run on a DHCP client machine, various
>    Daemons and SUID/privileged programs.
>    - Exploit servers and other Unix and Linux devices via Web requests,
>    secure shell, telnet sessions, or other programs that use Bash to execute
>    scripts.
>
> Impact
>
> This vulnerability is classified by industry standards as “High” impact
> with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes
> little skill to perform. This flaw allows attackers to provide specially
> crafted environment variables containing arbitrary commands that can be
> executed on vulnerable systems. It is especially dangerous because of the
> prevalent use of the Bash shell and its ability to be called by an
> application in numerous ways.
> Solution
>
> Patches have been released to fix this vulnerability by major Linux
> vendors for affected versions. Solutions for CVE-2014-6271 do not
> completely resolve the vulnerability. It is advised to install existing
> patches and pay attention for updated patches to address CVE-2014-7169.
>
> Many UNIX-like operating systems, including Linux distributions, BSD
> variants, and Apple Mac OS X include Bash and are likely to be affected.
> Contact your vendor for updated information. A list of vendors can be found
> in CERT Vulnerability Note VU#252743
> <http://www.kb.cert.org/vuls/id/252743> [6]
> <http://www.kb.cert.org/vuls/id/252743>.
>
> US-CERT recommends system administrators review the vendor patches and the
> NIST Vulnerability Summary for CVE-2014-7169
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>, to
> mitigate damage caused by the exploit.
> References
>
>    - Ars Technica, Bug in Bash shell creates big security hole on
>    anything with *nix in it;
>    <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>    - DHS NCSD; Vulnerability Summary for CVE-2014-6271
>    <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>    - DHS NCSD; Vulnerability Summary for CVE-2014-7169
>    <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
>    - Red Hat, CVE-2014-6271
>    <https://access.redhat.com/security/cve/CVE-2014-6271>
>    - Red Hat, Bash specially-crafted environment variables code injection
>    attack
>    <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
>    - CERT Vulnerability Note VU#252743
>    <http://www.kb.cert.org/vuls/id/252743>
>
> Revision History
>
>    - September 25, 2014 - Initial Release
>
>  ------------------------------
>
> This product is provided subject to this Notification
> <http://www.us-cert.gov/privacy/notification> and this Privacy & Use
> <http://www.us-cert.gov/privacy/> policy.
>  ------------------------------
>
> OTHER RESOURCES:
>
> Contact Us <http://www.us-cert.gov/contact-us/> | Security Publications
> <http://www.us-cert.gov/security-publications> | Alerts and Tips
> <http://www.us-cert.gov/ncas> | Related Resources
> <http://www.us-cert.gov/related-resources>
>
>
>
> STAY CONNECTED:
>
> [image: Sign up for email updates]
> <http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>
>
>
>
>
>
>
> SUBSCRIBER SERVICES:
> Manage Preferences
> <http://public.govdelivery.com/accounts/USDHSUSCERT/subscribers/new?preferences=true>
> |  Unsubscribe
> <https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/one_click_unsubscribe?verification=5.3401fc02ac14ed36b08029852a939882&destination=fernando@gont.com.ar>
> |  Help <https://subscriberhelp.govdelivery.com/>
>  ------------------------------
>
> This email was sent to fernando en gont.com.ar using GovDelivery, on behalf
> of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray
> Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110
>
> [image: Powered by GovDelivery]
> <http://www.govdelivery.com/portals/powered-by>
>
>
>
> --
>
> Fernando Gont
>
> e-mail: fernando en gont.com.ar || fgont en si6networks.com
>
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>
>
>
>
>
>
>
> ------------------------------
>
> La información contenida en esta comunicación se dirige exclusivamente
> para el uso de la persona o entidad a quien va dirigida y otros autorizados
> para recibirlo. Puede contener información confidencial o legalmente
> protegida. Si usted no es el destinatario indicado, queda notificado de que
> cualquier revelación, copia, distribución o tomar cualquier acción basada
> en el contenido de esta información está estrictamente prohibida y puede
> ser ilegal. Si usted ha recibido esta comunicación por error, le rogamos
> nos lo notifique inmediatamente respondiendo a este correo y elimine de su
> sistema. SADAIC no es responsable de la transmisión correcta y completa de
> la información contenida en esta comunicación, ni por cualquier retraso en
> su recepción.
>
> The information contained in this communication is intended solely for the
> use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally privileged
> information. If you are not the intended recipient you are hereby notified
> that any disclosure, copying, distribution or taking any action in reliance
> on the contents of this information is strictly prohibited and may be
> unlawful. If you have received this communication in error, please notify
> us immediately by responding to this email and then delete it from your
> system. SADAIC is neither liable for the proper and complete transmission
> of the information contained in this communication nor for any delay in its
> receipt.
>
>
> _______________________________________________
> Seguridad mailing listSeguridad en lacnic.nethttps://mail.lacnic.net/mailman/listinfo/seguridad
>
>
>  ------------------------------
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/seguridad
>
>
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/seguridad
>
>

-- 
-----------------------------------------------------------------------------------------------------------------
Campaña contra el correo SPAM
- Solo envia el contenido importante
- Protege y respeta la privacidad de tus amigos.
- Si reenvias este correo, borra las direcciones anteriores
- Si lo reenvias a varias personas usa la casilla CCO .
- Si todos hacemos lo mismo, tambien tu estaras protegid en .
-----------------------------------------------------------------------------------------------------------------
- Send only the important text
- Protect and respect your friends' privacy
- Delete previous addresses from message body
- Use the BCC field when sending to several recipients
- If we all follow these guidelines, we'll all be protected.
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/seguridad/attachments/20140926/6a368216/attachment.html>