[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)

Herman Mereles hmereles en senatics.gov.py
Fri Sep 26 13:43:16 BRT 2014


Dear all,

That is only for the purpose of verifying that a system is vulnerable.
It is important to point out that we are now detecting a "sweep"
looking for vulnerable sites and, in some cases, we have already detected
the spread of a bot taking advantage of the vulnerability.

Regards
---
On 26/09/14 09:31, Oswaldo Aguirre wrote:
> certainly, but I imagine that, since there is no
> variable or pattern that can be instantiated, it doesn't make much
> difference; I would use single quotes, I agree on that.
>
> in one of the references
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
> they use single quotes
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> regards
>
>
> On Fri, Sep 26, 2014 at 5:33 AM, Jose Luis Gaspoz <gaspozj en is.com.ar 
> <mailto:gaspozj en is.com.ar>> wrote:
>
>     Hernán:
>     aren't the quote marks in the first part of the code that sets
>     the variable the wrong type? .... they should be single quotes and
>     not double quotes.
>     Regards
>     Ing. Jose Luis Gaspoz
>     Internet Services S.A.
>     Tel: 0342-4565118
>     Cel: 342-5008523
>     *From:* Herman Mereles <mailto:hmereles en senatics.gov.py>
>     *Sent:* Thursday, September 25, 2014 5:32 PM
>     *To:* Lista para discusion de seguridad en redes y sistemas
>     informaticos de la region <mailto:seguridad en lacnic.net>
>     *Subject:* Re: [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again
>     Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>     Raúl, colleagues,
>
>     This is a bulletin that we have written,
>
>     Regards
>     ---
>     On 25/09/14 at 16:19, Raul Cabrera wrote:
>>
>>     From the blog Schneier on Security:
>>
>>     *“Nasty Vulnerability found in Bash”
>>     (*https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html*)*
>>
>>     Kind regards.
>>
>>     RAUL EDUARDO CABRERA
>>
>>     *From:* Seguridad [mailto:seguridad-bounces en lacnic.net] *On behalf
>>     of* Fernando Gont
>>     *Sent:* Thursday, September 25, 2014 04:51 p.m.
>>     *To:* Lista para discusión de seguridad en redes y sistemas
>>     informaticos de la región
>>     *Subject:* [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again
>>     Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>
>>     FYI
>>
>>
>>
>>     -------- Forwarded Message --------
>>
>>     *Subject:* TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>     Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>     *Date:* Thu, 25 Sep 2014 14:10:57 -0500
>>     *From:* US-CERT <mailto:US-CERT en ncas.us-cert.gov>
>>     *Reply-To:* US-CERT en ncas.us-cert.gov <mailto:US-CERT en ncas.us-cert.gov>
>>     *To:* fernando en gont.com.ar <mailto:fernando en gont.com.ar>
>>
>>     NCCIC / US-CERT
>>
>>     National Cyber Awareness System:
>>
>>     *TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>     Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>     <https://www.us-cert.gov/ncas/alerts/TA14-268A>*
>>
>>     /09/25/2014 12:56 PM EDT/
>>
>>     Original release date: September 25, 2014
>>
>>
>>           Systems Affected
>>
>>       * GNU Bash through 4.3.
>>       * Linux, BSD, and UNIX distributions including but not limited to:
>>
>>           o CentOS
>>             <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
>>             5 through 7
>>           o Debian
>>             <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
>>
>>           o Mac OS X
>>           o Red Hat Enterprise Linux 4 through 7
>>           o Ubuntu <http://www.ubuntu.com/usn/usn-2362-1/> 10.04 LTS,
>>             12.04 LTS, and 14.04 LTS
>>
>>
>>           Overview
>>
>>     A critical vulnerability has been reported in the GNU Bourne
>>     Again Shell (Bash), the common command-line shell used in most
>>     Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could
>>     allow an attacker to remotely execute shell commands by attaching
>>     malicious code in environment variables used by the operating
>>     system [1]
>>     <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
>>     The United States Department of Homeland Security (DHS) is
>>     releasing this Technical Alert to provide further information
>>     about the GNU Bash vulnerability.
>>
>>
>>           Description
>>
>>     GNU Bash versions 1.14 through 4.3 contain a flaw that processes
>>     commands placed after function definitions in the added
>>     environment variable, allowing remote attackers to execute
>>     arbitrary code via a crafted environment which enables
>>     network-based exploitation. [2
>>     <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>,
>>     3 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]
>>
>>     Critical instances where the vulnerability may be exposed
>>     include: [4
>>     <https://access.redhat.com/security/cve/CVE-2014-6271>, 5
>>     <http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>]
>>
>>       * Apache HTTP Server using mod_cgi or mod_cgid scripts either
>>         written in bash, or spawn subshells.
>>       * Override or Bypass ForceCommand feature in OpenSSH sshd and
>>         limited protection for some Git and Subversion deployments
>>         used to restrict shells and allows arbitrary command
>>         execution capabilities.
>>       * Allow arbitrary commands to run on a DHCP client machine,
>>         various Daemons and SUID/privileged programs.
>>       * Exploit servers and other Unix and Linux devices via Web
>>         requests, secure shell, telnet sessions, or other programs
>>         that use Bash to execute scripts.
>>
>>
>>           Impact
>>
>>     This vulnerability is classified by industry standards as “High”
>>     impact with CVSS Impact Subscore 10 and “Low” on complexity,
>>     which means it takes little skill to perform. This flaw allows
>>     attackers to provide specially crafted environment variables
>>     containing arbitrary commands that can be executed on vulnerable
>>     systems. It is especially dangerous because of the prevalent use
>>     of the Bash shell and its ability to be called by an application
>>     in numerous ways.
>>
>>
>>           Solution
>>
>>     Patches have been released to fix this vulnerability by major
>>     Linux vendors for affected versions. Solutions for CVE-2014-6271
>>     do not completely resolve the vulnerability. It is advised to
>>     install existing patches and pay attention for updated patches to
>>     address CVE-2014-7169.
>>
>>     Many UNIX-like operating systems, including Linux distributions,
>>     BSD variants, and Apple Mac OS X include Bash and are likely to
>>     be affected. Contact your vendor for updated information. A list
>>     of vendors can be found in CERT Vulnerability Note VU#252743
>>     <http://www.kb.cert.org/vuls/id/252743> [6]
>>     <http://www.kb.cert.org/vuls/id/252743>.
>>
>>     US-CERT recommends system administrators review the vendor
>>     patches and the NIST Vulnerability Summary for CVE-2014-7169
>>     <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>,
>>     to mitigate damage caused by the exploit.
>>
>>
>>           References
>>
>>       * Ars Technica, Bug in Bash shell creates big security hole on
>>         anything with *nix in it;
>>         <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>
>>       * DHS NCSD; Vulnerability Summary for CVE-2014-6271
>>         <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>>       * DHS NCSD; Vulnerability Summary for CVE-2014-7169
>>         <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
>>       * Red Hat, CVE-2014-6271
>>         <https://access.redhat.com/security/cve/CVE-2014-6271>
>>       * Red Hat, Bash specially-crafted environment variables code
>>         injection attack
>>         <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
>>
>>       * CERT Vulnerability Note VU#252743
>>         <http://www.kb.cert.org/vuls/id/252743>
>>
>>
>>           Revision History
>>
>>       * September 25, 2014 - Initial Release
>>
>>     ------------------------------------------------------------------------
>>
>>     This product is provided subject to this Notification
>>     <http://www.us-cert.gov/privacy/notification> and this Privacy &
>>     Use <http://www.us-cert.gov/privacy/> policy.
>>
>>
>>
>>     -- 
>>     Fernando Gont
>>     e-mail:fernando en gont.com.ar  <mailto:fernando en gont.com.ar>  ||fgont en si6networks.com  <mailto:fgont en si6networks.com>
>>     PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>>       
>>       
>>       
>>
>>
>>
>>     _______________________________________________
>>     Seguridad mailing list
>>     Seguridad en lacnic.net  <mailto:Seguridad en lacnic.net>
>>     https://mail.lacnic.net/mailman/listinfo/seguridad
>


-- 
Herman Mereles, Director
Equipo de Respuesta ante Emergencias Cibernéticas (CERT-PY)
Secretaría Nacional de Tecnologías de la Información y Comunicación
SENATICs
Complejo Santos E2 - Gral. Santos 1170 c/ Concordia
cert en cert.gov.py | +595 21 201014 | +595 21 3276902
Asunción - Paraguay | www.cert.gov.py
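
The sweep mentioned at the top of this message leaves traces in web server logs. The following is an added example, not part of the original thread or of the US-CERT alert: it scans Apache combined-format access log lines for the `() {` marker from the test string quoted above and groups hits by source address. The log lines and addresses are constructed samples, and the names `find_probes`, `MARKER` and `SAMPLE_LOG` are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'\d{3} \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Marker taken from the test string in this thread: "() {" (whitespace optional)
MARKER = re.compile(r'\(\)\s*\{')

# Constructed sample log (documentation address ranges), not real traffic
SAMPLE_LOG = r'''
192.0.2.10 - - [26/Sep/2014:09:12:01 -0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:09:12:05 -0300] "GET /cgi-bin/status HTTP/1.0" 200 312 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [26/Sep/2014:09:12:06 -0300] "GET /cgi-bin/test.cgi HTTP/1.0" 404 208 "() { :;}; echo vulnerable" "-"
203.0.113.44 - - [26/Sep/2014:09:13:40 -0300] "GET /cgi-bin/search?q=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 200 90 "-" "curl/7.38.0"
this line is truncated and will not parse
'''

def find_probes(log_text):
    """Return ({ip: {"hits", "fields", "paths"}}, unparsed_line_count)."""
    probes = defaultdict(lambda: {"hits": 0, "fields": set(), "paths": set()})
    unparsed = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = COMBINED.match(line)
        if m is None:
            unparsed += 1  # count odd lines instead of dropping them silently
            continue
        # Decode %28%29%20%7B style encodings before matching
        fields = [f for f in ("request", "referer", "agent")
                  if MARKER.search(unquote_plus(m.group(f)))]
        if fields:
            parts = m.group("request").split()
            entry = probes[m.group("ip")]
            entry["hits"] += 1
            entry["fields"].update(fields)
            entry["paths"].add(parts[1] if len(parts) > 1 else "?")
    return dict(probes), unparsed

if __name__ == "__main__":
    found, skipped = find_probes(SAMPLE_LOG)
    for ip, info in sorted(found.items()):
        print(ip, info["hits"], sorted(info["fields"]), sorted(info["paths"]))
    print("unparsed lines:", skipped)
```

Only the fields that the combined format records are visible to this check; request headers other than Referer and User-Agent would need a custom `LogFormat` to appear in the log at all.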
