Author Topic: Is my delegate vulnerable to the bash bug CVE-2014-6271  (Read 1120 times)

Riverhead

Interesting find. Ubuntu 4.04 installs with bash 4.3.11(1)-release. I wonder if this version addresses the issue.

jamesc

"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."


Keep an eye on "Fixed In Version:   "
https://bugzilla.redhat.com/show_bug.cgi?id=1141597

Check `bash --version`. Is it one of these?
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
All versions up to 4.3.???

I see that CGI is affected.  My understanding is that you have to have CGI enabled and have a CGI script callable from the web to be vulnerable. Aside from using CGI, I'm concerned that my http server install, hosting provider, vm image, etc. may have put a helpful stats collection CGI script in a well-known location.

Personally, I did not need CGI so I commented out the CGI in my configuration files and renamed the module on disk and finally re-started the server watching for errors.  I'm just going to wait for the official fixed version and update and verify with `bash --version`.

Just for the sake of discussion (this is not perfect; no warranty!), what do you think?

Code:
locate mod_cgi.so
locate mod_cgid.so

** Check your web server, there may be multiple config scripts... either grep for the load module command or rename the module.  I'm choosing to rename..

Here is an Apache example, comment out "#LoadModule cgi_module modules/mod_cgi.so" and other rules that reference it in config files like /etc/httpd/conf/httpd.conf then:
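Code:
# become root for the edits below
sudo su
# comment out the LoadModule line for cgi_module
vi /etc/httpd/conf/httpd.conf
# rename the module so it cannot be loaded by another config file
mv /usr/lib/httpd/modules/mod_cgi.so /usr/lib/httpd/modules/_bash-bug_mod_cgi.so
# follow the error log in the background while the server restarts
tail -f /var/log/httpd/error_log &
/etc/init.d/httpd restart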

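Lighttpd:
Code:
# become root for the edits below
sudo su
# comment out "mod_cgi" in server.modules
vi /etc/lighttpd/lighttpd.conf
# rename the module so it cannot be loaded by another config file
mv /usr/lib/lighttpd/mod_cgi.so /usr/lib/lighttpd/mod_cgi_bash-bug_mod_cgi.so
/etc/init.d/lighttpd restart
# check the error log for load failures after the restart
less /var/log/lighttpd/error.log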
« Last Edit: September 25, 2014, 01:14:27 pm by jcalfee1 »
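
An added example, not part of the original posts: a shell audit for the "multiple config scripts" concern raised above, listing config lines that still load a CGI module and module files still present under their original names. The function names, the constructed sample tree and the `--demo` flag are assumptions for illustration; the patterns cover only the Apache `LoadModule` and lighttpd `server.modules` forms.

```shell
#!/bin/sh
# Added example (not from the original post): audit for CGI modules that are
# still loadable after the manual edits described above.

# Print file:line:text for every config line that still loads a CGI module.
# Exit status 0 means at least one active (uncommented) line was found.
find_active_cgi_loads() {
    grep -rniE \
        -e '^[[:space:]]*LoadModule[[:space:]]+cgid?_module[[:space:]]' \
        -e '^[^#]*"mod_cgi"' \
        "$@" 2>/dev/null
}

# Print CGI module files that still carry their original name on disk.
find_cgi_module_files() {
    find "$@" -type f \( -name 'mod_cgi.so' -o -name 'mod_cgid.so' \) 2>/dev/null
}

# Build a constructed sample tree (not real server data) under $1.
make_sample_tree() {
    mkdir -p "$1/httpd/conf.d" "$1/lighttpd" "$1/modules"
    printf '%s\n' '#LoadModule cgi_module modules/mod_cgi.so' \
        > "$1/httpd/httpd.conf"
    # A second config file that was overlooked: still active.
    printf '%s\n' '  LoadModule cgid_module modules/mod_cgid.so' \
        > "$1/httpd/conf.d/extra.conf"
    printf '%s\n' 'server.modules = (' '  "mod_access",' '#  "mod_cgi",' ')' \
        > "$1/lighttpd/lighttpd.conf"
    : > "$1/modules/_bash-bug_mod_cgi.so"   # renamed, as in the post
    : > "$1/modules/mod_cgid.so"            # forgotten sibling module
}

# Demo on the constructed tree: run the script with "--demo".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_tree "$tmp"
    echo "Active CGI load lines:";   find_active_cgi_loads "$tmp/httpd" "$tmp/lighttpd"
    echo "CGI module files on disk:"; find_cgi_module_files "$tmp/modules"
    rm -rf "$tmp"
fi
```

On a real host, pass the server's own config and module directories, for example `find_active_cgi_loads /etc/httpd /etc/lighttpd`.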