[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)

Paul F. Bernal B., Ing. paul.bernal en cedia.org.ec
Fri Sep 26 16:18:01 BRT 2014



Dear all,

Most major distros had shipped updates for CVE-2014-6271 by yesterday,
already containing the patch for that vulnerability. It was immediately
reported that this patch was insufficient, and CVE-2014-7169 was opened
the day before yesterday.

Yesterday, RH published its update with 3 patches for the issue:
bash-4.2-cve-2014-7169-0.patch
bash-4.2-cve-2014-7169-1.patch
bash-4.2-cve-2014-7169-2.patch

Today CentOS published its update at around 02:00. I assume the other
major distros, such as Debian, must have done the same.

Important! The update you applied yesterday/today is probably not
sufficient; the systems need to be updated again (even if they pass the
quotes test that is being discussed):

On CentOS or RHEL, run:
# yum update bash (or yum update could be used to update all packages
that need updating).

On Ubuntu and Debian you could use:
# apt-get update; apt-get upgrade


On 26/09/14 11:43, Herman Mereles wrote:
> Dear all,
> 
> That is only for checking whether a system is vulnerable. It is
> important to point out that we are now detecting a "sweep" looking
> for vulnerable sites and, in some cases, we have already detected a
> bot spreading by taking advantage of the vulnerability.
> 
> Regards --- On 26/09/14 09:31, Oswaldo Aguirre wrote:
>> certainly, but I imagine that, since there is no variable or
>> pattern that could be instantiated, it makes little difference; I
>> would use single quotes, I agree on that.
>> 
>> in one of the references
>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>> they use single quotes
>> 
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> 
>> regards
>> 
>> 
>> On Fri, Sep 26, 2014 at 5:33 AM, Jose Luis Gaspoz
>> <gaspozj en is.com.ar <mailto:gaspozj en is.com.ar>> wrote:
>> 
>> Hernán:
>> 
>> isn't the type of quotes wrong in the first part of the code that
>> sets the variable? .... they should be single quotes, not double.
>> 
>> Regards
>> 
>> Ing. Jose Luis Gaspoz, Internet Services S.A. Tel: 0342-4565118
>> Cel: 342-5008523
>> 
>> *From:* Herman Mereles <mailto:hmereles en senatics.gov.py>
>> *Sent:* Thursday, September 25, 2014 5:32 PM
>> *To:* Lista para discusion de seguridad en redes y sistemas informaticos de la region <mailto:seguridad en lacnic.net>
>> *Subject:* Re: [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>> 
>> Raúl, colleagues,
>> 
>> This is a bulletin that we have written,
>> 
>> Regards --- On 25/09/14 at 16:19, Raul Cabrera wrote:
>>> 
>>> From the Schneier on Security blog:
>>> 
>>> “Nasty Vulnerability found in Bash”
>>> (https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html)
>>> 
>>> Best regards.
>>> 
>>> RAUL EDUARDO CABRERA
>>> 
>>> *From:* Seguridad [mailto:seguridad-bounces en lacnic.net] *On behalf of* Fernando Gont
>>> *Sent:* Thursday, September 25, 2014 04:51 PM
>>> *To:* Lista para discusión de seguridad en redes y sistemas informaticos de la región
>>> *Subject:* [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>> 
>>> FYI
>>> 
>>> 
>>> 
>>> -------- Forwarded Message --------
>>> *Subject:* TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>> *Date:* Thu, 25 Sep 2014 14:10:57 -0500
>>> *From:* US-CERT mailto:US-CERT en ncas.us-cert.gov
>>> *Reply-To:* US-CERT en ncas.us-cert.gov <mailto:US-CERT en ncas.us-cert.gov>
>>> *To:* fernando en gont.com.ar <mailto:fernando en gont.com.ar>
>>> 
>>> NCCIC / US-CERT
>>> 
>>> National Cyber Awareness System:
>>> 
>>> *TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>> <https://www.us-cert.gov/ncas/alerts/TA14-268A>*
>>> 
>>> /09/25/2014 12:56 PM EDT/
>>> 
>>> Original release date: September 25, 2014
>>> 
>>> 
>>> Systems Affected
>>> 
>>> * GNU Bash through 4.3.
>>> * Linux, BSD, and UNIX distributions including but not limited to:
>>>   o CentOS 5 through 7
>>>     <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
>>>   o Debian
>>>     <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
>>>   o Mac OS X
>>>   o Red Hat Enterprise Linux 4 through 7
>>>   o Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
>>>     <http://www.ubuntu.com/usn/usn-2362-1/>
>>> 
>>> 
>>> Overview
>>> 
>>> A critical vulnerability has been reported in the GNU Bourne 
>>> Again Shell (Bash), the common command-line shell used in most 
>>> Linux/UNIX operating systems and Apple’s Mac OS X. The flaw
>>> could allow an attacker to remotely execute shell commands by
>>> attaching malicious code in environment variables used by the
>>> operating system [1]
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
>>> The United States Department of Homeland Security (DHS) is
>>> releasing this Technical Alert to provide further information
>>> about the GNU Bash vulnerability.
>>> 
>>> 
>>> Description
>>> 
>>> GNU Bash versions 1.14 through 4.3 contain a flaw that
>>> processes commands placed after function definitions in the
>>> added environment variable, allowing remote attackers to
>>> execute arbitrary code via a crafted environment which enables
>>> network-based exploitation. [2
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>,
>>> 3 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]
>>> 
>>> Critical instances where the vulnerability may be exposed
>>> include: [4 <https://access.redhat.com/security/cve/CVE-2014-6271>,
>>> 5 <http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>]
>>> 
>>> * Apache HTTP Server using mod_cgi or mod_cgid scripts either
>>>   written in bash, or that spawn subshells.
>>> * Override or bypass of the ForceCommand feature in OpenSSH sshd
>>>   and of the limited protection for some Git and Subversion
>>>   deployments used to restrict shells, allowing arbitrary command
>>>   execution.
>>> * Allow arbitrary commands to run on a DHCP client machine,
>>>   various daemons and SUID/privileged programs.
>>> * Exploit servers and other Unix and Linux devices via Web
>>>   requests, secure shell, telnet sessions, or other programs that
>>>   use Bash to execute scripts.
>>> 
>>> 
>>> Impact
>>> 
>>> This vulnerability is classified by industry standards as
>>> “High” impact with CVSS Impact Subscore 10 and “Low” on
>>> complexity, which means it takes little skill to perform. This
>>> flaw allows attackers to provide specially crafted environment
>>> variables containing arbitrary commands that can be executed on
>>> vulnerable systems. It is especially dangerous because of the
>>> prevalent use of the Bash shell and its ability to be called by
>>> an application in numerous ways.
>>> 
>>> 
>>> Solution
>>> 
>>> Patches have been released to fix this vulnerability by major 
>>> Linux vendors for affected versions. Solutions for
>>> CVE-2014-6271 do not completely resolve the vulnerability. It
>>> is advised to install existing patches and pay attention for
>>> updated patches to address CVE-2014-7169.
>>> 
>>> Many UNIX-like operating systems, including Linux
>>> distributions, BSD variants, and Apple Mac OS X include Bash
>>> and are likely to be affected. Contact your vendor for updated
>>> information. A list of vendors can be found in CERT
>>> Vulnerability Note VU#252743
>>> <http://www.kb.cert.org/vuls/id/252743> [6].
>>> 
>>> US-CERT recommends system administrators review the vendor
>>> patches and the NIST Vulnerability Summary for CVE-2014-7169
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>,
>>> to mitigate damage caused by the exploit.
>>> 
>>> 
>>> References
>>> 
>>> * [1] Ars Technica, Bug in Bash shell creates big security hole on
>>>   anything with *nix in it;
>>>   <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>> * [2] DHS NCSD; Vulnerability Summary for CVE-2014-6271
>>>   <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>>> * [3] DHS NCSD; Vulnerability Summary for CVE-2014-7169
>>>   <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
>>> * [4] Red Hat, CVE-2014-6271
>>>   <https://access.redhat.com/security/cve/CVE-2014-6271>
>>> * [5] Red Hat, Bash specially-crafted environment variables code
>>>   injection attack
>>>   <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
>>> * [6] CERT Vulnerability Note VU#252743
>>>   <http://www.kb.cert.org/vuls/id/252743>
>>> 
>>> 
>>> Revision History
>>> 
>>> * September 25, 2014 - Initial Release
>>> 
>>> -- Fernando Gont e-mail: fernando en gont.com.ar
>>> <mailto:fernando en gont.com.ar> || fgont en si6networks.com
>>> <mailto:fgont en si6networks.com> PGP Fingerprint: 7809 84F5 322E
>>> 45C7 F1C9 3945 96EE A9EF D076 FFF1
>>> _______________________________________________ Seguridad
>>> mailing list Seguridad en lacnic.net
>>> <mailto:Seguridad en lacnic.net> 
>>> https://mail.lacnic.net/mailman/listinfo/seguridad
> 
> 
> -- Herman Mereles, Director Equipo de Respuesta ante Emergencias
> Cibernéticas (CERT-PY) Secretaría Nacional de Tecnologías de la
> Información y Comunicación SENATICs Complejo Santos E2 - Gral.
> Santos 1170 c/ Concordia cert en cert.gov.py | +595 21 201014 | +595
> 21 3276902 Asunción - Paraguay | www.cert.gov.py
> 

-- 
Cheers,
Paul F. Bernal B., Ing.
CSIRT-CEDIA
Tel: +593 9 8466 9053 (M)
GPG key: CD2AD375
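Added example, not part of the thread: a defender-side script that wraps the single-quoted test command quoted above into a reusable check for CVE-2014-6271, shows the legitimate function-export feature the fix keeps intact, and counts constructed access-log lines carrying the same function-definition marker, the kind of sweep Herman Mereles describes. It assumes a bash binary on PATH; the function names, the sample log lines and the assumption that a probe lands in a logged request header are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a bash binary on PATH; the
# function names, the sample log lines and the assumption that a probe
# lands in a logged request header are constructed for this example.

# Run the thread's single-quoted test against a bash binary (default
# "bash"). The value must reach env literally, so the calling shell must
# not touch it: that is why single quotes are the safe choice. Prints
# "vulnerable", "patched" or "bash-not-found" and returns 1, 0 or 2.
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}
# Caveat, as Paul notes above: "patched" here only covers CVE-2014-6271.
# It says nothing about CVE-2014-7169, so the follow-up update is still
# required even when this check passes.

# The legitimate feature the fix had to keep: a function exported with
# "export -f" is still imported by a child bash, patched or not.
exported_function_demo() {
    bash -c 'greet() { echo "hello from exported function"; }; export -f greet; bash -c greet' 2>/dev/null
}

# Constructed access-log lines (combined format). The third carries the
# function-definition prefix in its User-Agent, the header a CGI host
# would hand to bash through the environment.
SAMPLE_LOG='203.0.113.5 - - [26/Sep/2014:10:00:01 -0300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2014:10:00:02 -0300] "GET /cgi-bin/status HTTP/1.1" 200 80 "-" "curl/7.35.0"
198.51.100.7 - - [26/Sep/2014:10:00:03 -0300] "GET /cgi-bin/status HTTP/1.1" 200 80 "-" "() { :;}; echo vulnerable"'

# Count log lines in which a quoted header field begins with the marker.
count_shellshock_probes() {
    printf '%s\n' "$1" | grep -c -F '"() {'
}

# Stand-alone run: report the local bash and the probes seen in the sample.
main() {
    printf 'local bash: %s\n' "$(check_cve_2014_6271)"
    printf 'probes in sample log: %s\n' "$(count_shellshock_probes "$SAMPLE_LOG")"
}
main
```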


