[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
Paul F. Bernal B., Ing.
paul.bernal en cedia.org.ec
Fri Sep 26 16:18:01 BRT 2014
Dear all,
Most major distros had offered updates for CVE-2014-6271 by yesterday, which
already contained the patch for that vulnerability.
It was reported right away that this patch was insufficient, and
CVE-2014-7169 was opened the day before yesterday.
Yesterday, RH published its update with 3 patches related to the case:
bash-4.2-cve-2014-7169-0.patch
bash-4.2-cve-2014-7169-1.patch
bash-4.2-cve-2014-7169-2.patch
Today CentOS posted its update at around two-something in the morning. I
presume the rest of the major distros, such as Debian, must have done the same.
Important! It is likely that the update you applied yesterday/today is not
sufficient; the systems need to be updated again (even if they pass the
quotes test being discussed):
On CentOS or RHEL, run:
# yum update bash (or yum update could be used to update all packages that
need updating).
On Ubuntu and Debian, you could use:
# apt-get update; apt-get upgrade
On 26/09/14 11:43, Herman Mereles wrote:
> Dear all,
>
> That is only for the purpose of verifying that a system is vulnerable. It
> is important to clarify that we are now detecting a "sweep" looking for
> vulnerable sites and, in some cases, we have already detected the spread
> of a bot exploiting the vulnerability.
>
> Regards --- On 26/09/14 09:31, Oswaldo Aguirre wrote:
>> Certainly, but I imagine that, since there is no variable or pattern
>> that could be instantiated, it doesn't make much difference; I would
>> use single quotes, I agree on that.
>>
>> In one of the references
>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>> they use single quotes:
>>
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> regards
>>
>>
>> On Fri, Sep 26, 2014 at 5:33 AM, Jose Luis Gaspoz
>> <gaspozj en is.com.ar <mailto:gaspozj en is.com.ar>> wrote:
>>
>> Hernán:
>>
>> Isn't the type of quotes wrong in the first part of the code, where the
>> variable is set? .... they should be single quotes, not double.
>>
>> Regards
>>
>> Ing. Jose Luis Gaspoz Internet Services S.A. Tel: 0342-4565118
>> Cel: 342-5008523
>>
>> *From:* Herman Mereles <mailto:hmereles en senatics.gov.py>
>> *Sent:* Thursday, September 25, 2014 5:32 PM
>> *To:* Lista para discusion de seguridad en redes y sistemas informaticos
>> de la region <mailto:seguridad en lacnic.net>
>> *Subject:* Re: [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell
>> (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>
>> Raúl, colleagues,
>>
>> This is a bulletin that we have written up,
>>
>> Regards --- On 25/09/14 at 16:19, Raul Cabrera wrote:
>>>
>>> From the Schneier on Security blog:
>>>
>>> "Nasty Vulnerability found in Bash"
>>> <https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html>
>>>
>>> Kind regards.
>>>
>>> RAUL EDUARDO CABRERA
>>>
>>> *From:* Seguridad [mailto:seguridad-bounces en lacnic.net] *On behalf
>>> of* Fernando Gont
>>> *Sent:* Thursday, September 25, 2014 04:51 p.m.
>>> *To:* Lista para discusión de seguridad en redes y sistemas
>>> informaticos de la región
>>> *Subject:* [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell
>>> (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>>
>>> FYI
>>>
>>> -------- Forwarded Message --------
>>> *Subject:* TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>> Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>> *Date:* Thu, 25 Sep 2014 14:10:57 -0500
>>> *From:* US-CERT <mailto:US-CERT en ncas.us-cert.gov>
>>> *Reply-To:* US-CERT en ncas.us-cert.gov <mailto:US-CERT en ncas.us-cert.gov>
>>> *To:* fernando en gont.com.ar <mailto:fernando en gont.com.ar>
>>>
>>> NCCIC / US-CERT
>>>
>>> National Cyber Awareness System:
>>>
>>> *TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>> Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>> <https://www.us-cert.gov/ncas/alerts/TA14-268A>*
>>>
>>> /09/25/2014 12:56 PM EDT/
>>>
>>> Original release date: September 25, 2014
>>>
>>>
>>> Systems Affected
>>>
>>> * GNU Bash through 4.3.
>>> * Linux, BSD, and UNIX distributions including but not limited to:
>>>
>>> o CentOS 5 through 7
>>> <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
>>> o Debian
>>> <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
>>> o Mac OS X
>>> o Red Hat Enterprise Linux 4 through 7
>>> o Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
>>> <http://www.ubuntu.com/usn/usn-2362-1/>
>>>
>>>
>>> Overview
>>>
>>> A critical vulnerability has been reported in the GNU Bourne
>>> Again Shell (Bash), the common command-line shell used in most
>>> Linux/UNIX operating systems and Apple’s Mac OS X. The flaw
>>> could allow an attacker to remotely execute shell commands by
>>> attaching malicious code in environment variables used by the
>>> operating system [1]
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
>>>
>>> The United States Department of Homeland Security (DHS) is
>>> releasing this Technical Alert to provide further information
>>> about the GNU Bash vulnerability.
>>>
>>>
>>> Description
>>>
>>> GNU Bash versions 1.14 through 4.3 contain a flaw that
>>> processes commands placed after function definitions in the
>>> added environment variable, allowing remote attackers to
>>> execute arbitrary code via a crafted environment which enables
>>> network-based exploitation. [2
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>,
>>> 3 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]
>>>
>>> Critical instances where the vulnerability may be exposed
>>> include: [4 <https://access.redhat.com/security/cve/CVE-2014-6271>,
>>> 5 <http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>]
>>>
>>> * Apache HTTP Server using mod_cgi or mod_cgid scripts either
>>> written in bash, or spawn subshells.
>>> * Override or Bypass ForceCommand feature in OpenSSH sshd and
>>> limited protection for some Git and Subversion deployments used to
>>> restrict shells and allows arbitrary command execution capabilities.
>>> * Allow arbitrary commands to run on a DHCP client machine, various
>>> Daemons and SUID/privileged programs.
>>> * Exploit servers and other Unix and Linux devices via Web requests,
>>> secure shell, telnet sessions, or other programs that use Bash to
>>> execute scripts.
>>>
>>>
>>> Impact
>>>
>>> This vulnerability is classified by industry standards as
>>> “High” impact with CVSS Impact Subscore 10 and “Low” on
>>> complexity, which means it takes little skill to perform. This
>>> flaw allows attackers to provide specially crafted environment
>>> variables containing arbitrary commands that can be executed on
>>> vulnerable systems. It is especially dangerous because of the
>>> prevalent use of the Bash shell and its ability to be called by
>>> an application in numerous ways.
>>>
>>>
>>> Solution
>>>
>>> Patches have been released to fix this vulnerability by major
>>> Linux vendors for affected versions. Solutions for
>>> CVE-2014-6271 do not completely resolve the vulnerability. It
>>> is advised to install existing patches and pay attention for
>>> updated patches to address CVE-2014-7169.
>>>
>>> Many UNIX-like operating systems, including Linux
>>> distributions, BSD variants, and Apple Mac OS X include Bash
>>> and are likely to be affected. Contact your vendor for updated
>>> information. A list of vendors can be found in CERT
>>> Vulnerability Note VU#252743
>>> <http://www.kb.cert.org/vuls/id/252743> [6]
>>> <http://www.kb.cert.org/vuls/id/252743>.
>>>
>>> US-CERT recommends system administrators review the vendor
>>> patches and the NIST Vulnerability Summary for CVE-2014-7169
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>,
>>> to mitigate damage caused by the exploit.
>>>
>>>
>>> References
>>>
>>> * Ars Technica, Bug in Bash shell creates big security hole on
>>> anything with *nix in it;
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>> * DHS NCSD; Vulnerability Summary for CVE-2014-6271
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>>> * DHS NCSD; Vulnerability Summary for CVE-2014-7169
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
>>> * Red Hat, CVE-2014-6271
>>> <https://access.redhat.com/security/cve/CVE-2014-6271>
>>> * Red Hat, Bash specially-crafted environment variables code
>>> injection attack
>>> <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
>>> * CERT Vulnerability Note VU#252743
>>> <http://www.kb.cert.org/vuls/id/252743>
>>>
>>>
>>> Revision History
>>>
>>> * September 25, 2014 - Initial Release
>>>
>>>
>>> -- Fernando Gont
>>> e-mail: fernando en gont.com.ar <mailto:fernando en gont.com.ar> ||
>>> fgont en si6networks.com <mailto:fgont en si6networks.com>
>>> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>>
> -- Herman Mereles, Director
> Equipo de Respuesta ante Emergencias Cibernéticas (CERT-PY)
> Secretaría Nacional de Tecnologías de la Información y Comunicación SENATICs
> Complejo Santos E2 - Gral. Santos 1170 c/ Concordia
> cert en cert.gov.py | +595 21 201014 | +595 21 3276902
> Asunción - Paraguay | www.cert.gov.py
>
>
--
Cheers,
Paul F. Bernal B., Ing.
CSIRT-CEDIA
Telf: +593 9 8466 9053 (M)
GPG key: CD2AD375
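As an added example (not code from this post or from any vendor): the quotes test quoted in the thread, wrapped so its verdict can be collected across many hosts, plus a package-changelog check for the CVE-2014-7169 follow-up fix that the post says the first round of updates may lack. Assumed: a `bash` on PATH (or a path given as the first argument), `rpm -q --changelog` on RPM systems, and the Debian changelog path `/usr/share/doc/bash/changelog.Debian.gz`.

```shell
#!/bin/sh
# Added example, not from the list post. Wraps the CVE-2014-6271 probe quoted
# in this thread into a function with a machine-readable verdict, and adds the
# check the post implies: passing the probe does not prove the CVE-2014-7169
# follow-up fix is installed.

# Classify the probe's stdout. A fixed bash only prints "this is a test";
# a vulnerable one also executes the trailing "echo vulnerable".
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Run the probe against the bash given as $1 (assumed default: bash on PATH).
# Prints "vulnerable", "patched" or "no-bash"; exit status 1 only if vulnerable.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Same probe as in the thread; single quotes keep the body unexpanded here.
    probe_out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null || true)
    classify_probe_output "$probe_out"
}

# Look for the follow-up CVE id in the vendor package changelog, since the post
# warns an earlier update may pass the probe yet lack this fix. RPM systems use
# "rpm -q --changelog"; the Debian changelog path below is an assumption.
vendor_fix_recorded() {
    cve="${1:-CVE-2014-7169}"
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog bash 2>/dev/null | grep -q "$cve" && return 0
    fi
    if [ -r /usr/share/doc/bash/changelog.Debian.gz ]; then
        zcat /usr/share/doc/bash/changelog.Debian.gz 2>/dev/null | grep -q "$cve" && return 0
    fi
    return 1
}

# Report both results when run directly.
echo "bash probe: $(shellshock_check)"
if vendor_fix_recorded; then
    echo "changelog: CVE-2014-7169 fix recorded"
else
    echo "changelog: CVE-2014-7169 not recorded (or no package changelog found)"
fi
```

A host that reports "patched" but no changelog entry for CVE-2014-7169 is exactly the case the post warns about: run the vendor update again rather than trusting the probe alone.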