What should we do? Here it's just me and my computer to worry about for example and I have a firewall and a virus checker installed. Is that enough?
http://www.bbc.co.uk/news/technology-29361794
Bev
On Thu, 25 Sep 2014 17:42:52 +0100 Bev Nicolson lumos@gmx.co.uk wrote:
> What should we do? Here it's just me and my computer to worry about for example and I have a firewall and a virus checker installed. Is that enough?
My machine had an update this morning to bash and a couple of other things.
You can test if your version of bash is affected by running the command
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you get the output
vulnerable
this is a test
Then you need to update. (If you don't have a vulnerable version then you'll get some error about x not being initialised.) Ubuntu LTS, Fedora and Debian (along with RHEL/CentOS) have already prepared fixes. Failing that, you can grab the source online and manually replace bash.
There may be other distros that have fixes but those are the ones I know of. Also, as the BBC article says, hackers are lazy. They have a known exploit that they'll try against big targets (servers, mostly) so if you're just running a computer at home, I'd reckon you're fairly low on the list of targets :-)
Cheers
On 25 September 2014 18:11:48 GMT+01:00, Chris Walker alug_cdw@the-walker-household.co.uk wrote:
> On Thu, 25 Sep 2014 17:42:52 +0100 Bev Nicolson lumos@gmx.co.uk wrote:
> > What should we do? Here it's just me and my computer to worry about for example and I have a firewall and a virus checker installed. Is that enough?
> My machine had an update this morning to bash and a couple of other things.
Also have a look at the quite long thread on the MAN-LUG list:
https://listserv.manchester.ac.uk/cgi-bin/wa?A1=ind1409&L=MAN-LUG#6
Best wishes to all, Ted.
On 25-Sep-2014 17:20:33 Paul Lenton wrote:
> You can test if your version of bash is affected by running the command
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> If you get the output
> vulnerable
> this is a test
> Then you need to update. (If you don't have a vulnerable version then you'll get some error about x not being initialised.) Ubuntu LTS, Fedora and Debian (along with RHEL/CentOS) have already prepared fixes. Failing that, you can grab the source online and manually replace bash.
> There may be other distros that have fixes but those are the ones I know of. Also, as the BBC article says, hackers are lazy. They have a known exploit that they'll try against big targets (servers, mostly) so if you're just running a computer at home, I'd reckon you're fairly low on the list of targets :-)
> Cheers
> On 25 September 2014 18:11:48 GMT+01:00, Chris Walker alug_cdw@the-walker-household.co.uk wrote:
> > On Thu, 25 Sep 2014 17:42:52 +0100 Bev Nicolson lumos@gmx.co.uk wrote:
> > > What should we do? Here it's just me and my computer to worry about for example and I have a firewall and a virus checker installed. Is that enough?
> > My machine had an update this morning to bash and a couple of other things.
> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
> main@lists.alug.org.uk http://www.alug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!
------------------------------------------------- E-Mail: (Ted Harding) Ted.Harding@wlandres.net Date: 25-Sep-2014 Time: 20:24:12 This message was sent by XFMail -------------------------------------------------
On Thu, Sep 25, 2014 at 06:20:33PM +0100, Paul Lenton wrote:
> You can test if your version of bash is affected by running the command
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> If you get the output
> vulnerable
> this is a test
My xubuntu got a bash update just now and appears to be fixed:-
chris$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Is there an explanation of the vulnerability in bash out there somewhere? All I've seen so far is panic stricken reports about it, but no sort of explanation.
What I don't quite understand is how a hacker ever gets to the point of being able to run bash without having broken into a system already.
The top answer to this question is probably the best I've seen so far. Like you, I've only really seen alarmist media claims.
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnera...
Cheers
On 26 September 2014 11:57:15 GMT+01:00, Chris Green cl@isbd.net wrote:
> On Thu, Sep 25, 2014 at 06:20:33PM +0100, Paul Lenton wrote:
> > You can test if your version of bash is affected by running the command
> > env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> > If you get the output
> > vulnerable
> > this is a test
> My xubuntu got a bash update just now and appears to be fixed:-
> chris$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
> Is there an explanation of the vulnerability in bash out there somewhere? All I've seen so far is panic stricken reports about it, but no sort of explanation.
> What I don't quite understand is how a hacker ever gets to the point of being able to run bash without having broken into a system already.
On Fri, Sep 26, 2014 at 11:57:15AM +0100, Chris Green wrote:
> Is there an explanation of the vulnerability in bash out there somewhere? All I've seen so far is panic stricken reports about it, but no sort of explanation.
You need to look harder, there are many good articles out there.
> What I don't quite understand is how a hacker ever gets to the point of being able to run bash without having broken into a system already.
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
^^^ because of attack vectors like these, after checking logs (of machines on our CDN) I've seen people actively trying to exploit this a few hours after the announcement.
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
^^^ You also have attack vectors like that where just connecting to a lan or wifi network could lead you to having an exploit performed against you.
Adam
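Paul's env test earlier in the thread and Chris Green's question about how a hacker ever gets to run bash both come down to the same bash feature, so here is a short script, added to this thread as an example and not taken from any of the posts, that wraps the test so it can be run against a named bash binary from a script, and shows the legitimate function-export feature the bug sits in. The env test itself is the one Paul posted and CVE-2014-6271 is the identifier from the askubuntu link; the function names, the `greet` function and the report wording are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the env test Paul posted so it can be run
# against a named bash binary, and shows the legitimate feature the bug
# (CVE-2014-6271) lives in: bash importing a function definition from the environment.

# Return 0 (patched) if BASH_BIN stops parsing at the end of the function body held in
# the variable, 1 (vulnerable) if it also executes the command appended after it,
# 2 if BASH_BIN cannot be found.
bash_is_patched() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# The feature being abused: a parent bash can export a function with "export -f" and a
# child bash picks it up from the environment. This is the normal, harmless use; the
# bug was that a vulnerable bash kept executing whatever followed the closing brace of
# the imported definition. Prints the child's output. "$0" inside -c is the extra
# argument passed after the command string, so parent and child use the same binary.
exported_function_roundtrip() {
    bash_bin="${1:-bash}"
    "$bash_bin" -c 'greet() { echo "hello from parent"; }; export -f greet; "$0" -c greet' "$bash_bin"
}

# Report on each binary given (e.g. /bin/bash plus any locally built copy under
# /usr/local/bin). A version string alone does not tell you whether a distro backport
# has fixed it, so this tests behaviour rather than "bash --version".
report_bash_status() {
    for b in "$@"; do
        rc=0
        bash_is_patched "$b" || rc=$?
        case $rc in
            0) echo "$b: patched" ;;
            1) echo "$b: VULNERABLE, update it" ;;
            *) echo "$b: not found" ;;
        esac
    done
}

report_bash_status bash
exported_function_roundtrip bash
```

Run it with every bash you have, not just the one on your PATH: a copy built from source and dropped into /usr/local/bin, as Mark describes doing, is a separate binary that the distro's update will not touch.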
On 26 September 2014 12:33, Adam Bower adam@thebowery.co.uk wrote:
> ^^^ because of attack vectors like these, after checking logs (of machines on our CDN) I've seen people actively trying to exploit this a few hours after the announcement.
I've run some automated tests on some machines of ours that should be vulnerable on the basis of the bash version alone, but none have thrown up issues. We don't generally enable cgi so I think that's the key for us. (That's not to say I'm not patching them anyway...)
To add to the joys of this, I have had to patch some old versions of Ubuntu (6.06 and 11.04 so far, 8.04 to follow). This can be fun when the servers themselves don't have build tools on them, so I've resorted to creating VMs from old distro ISOs, installing build tools, building the latest bash and copying the binaries across. I mention it in case anyone else needs the binaries (not that you should be trusting me unless you know me, of course, and they come with zero warranty!) Of course I shouldn't have any boxes with unsupported versions on them, but the real world isn't always as clean as it should be. I have x86 binaries only, but can tell you how I created them for anyone stuck on different versions/architectures.
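Adam mentioned seeing attempts in his CDN logs within hours, and Mark says CGI is the key for him. As an added example (not from any post on this thread), here is a shell script that checks a web server access log in the common "combined" format for the function preamble a probe has to send. The log lines, addresses and paths are constructed for the example and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Scans an Apache/nginx "combined" format access
# log for the function-definition preamble a Shellshock probe has to carry. The log
# lines below are constructed for the example, using RFC 5737 documentation addresses.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [26/Sep/2014:09:14:02 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
198.51.100.7 - - [26/Sep/2014:09:15:41 +0100] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :; }; echo probe"
192.0.2.10 - - [26/Sep/2014:09:16:05 +0100] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.35.0"
203.0.113.9 - - [26/Sep/2014:09:17:30 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :;}; echo probe" "Mozilla/4.0"
198.51.100.7 - - [26/Sep/2014:09:18:12 +0100] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :; }; echo probe"
EOF

# Why the log is worth checking: a CGI web server copies request headers into the
# script's environment (User-Agent becomes HTTP_USER_AGENT, Referer becomes
# HTTP_REFERER, and so on) before running it, so if the script is bash, or calls it,
# a header whose value starts with "() {" reached bash as an importable function.
# The combined format logs Referer and User-Agent, so probes in those two headers
# are visible here; probes in other headers (Cookie, custom headers) are not logged
# by default and need something like mod_security to catch.
PROBE_RE='() *{'

# Number of requests whose logged Referer or User-Agent carried the preamble.
shellshock_probe_count() {
    grep -c "$PROBE_RE" "$1"
}

# Distinct source addresses that sent such requests, one per line.
shellshock_probe_sources() {
    grep "$PROBE_RE" "$1" | awk '{ print $1 }' | sort -u
}

# Paths the probes went for, with the status code: a 404 means the server had nothing
# there to run, a 200 on a real CGI script is the case that needs investigating.
shellshock_probe_targets() {
    grep "$PROBE_RE" "$1" | awk '{ print $7, $9 }' | sort | uniq -c
}

echo "probes: $(shellshock_probe_count "$SAMPLE_LOG")"
echo "sources:"; shellshock_probe_sources "$SAMPLE_LOG"
echo "targets (count path status):"; shellshock_probe_targets "$SAMPLE_LOG"
```

Point the functions at /var/log/apache2/access.log or the nginx equivalent instead of the sample file; a hit against a path that really is a CGI script on a box whose bash was not yet patched is the one to treat as a possible compromise rather than just noise.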
On Fri, Sep 26, 2014 at 03:02:57PM +0100, Mark Rogers wrote:
> I've run some automated tests on some machines of ours that should be vulnerable on the basis of the bash version alone, but none have thrown up issues. We don't generally enable cgi so I think that's the key for us. (That's not to say I'm not patching them anyway...)
We found a few possible attack vectors while we were patching but they were quite obscure and would always need certain types of authenticated users, but of course if someone could get around that then it may be a problem.
On the basis that it had to be done we upgraded everything today including the 300 machines we did yesterday to get the latest patch. Total count was over 400 machines with a few stragglers left in non-public networks that if people got to them then we already have a bigger problem. They'll all get done next week.
One thing I would suggest is that if you're using Debian you look at installing unattended-upgrades as around half of our Debian stock had this already and many machines which didn't yesterday but I installed it on yesterday were updated by the time I got to the office.
Adam
On 26 September 2014 19:07, Adam Bower adam@thebowery.co.uk wrote:
> One thing I would suggest is that if you're using Debian you look at installing unattended-upgrades as around half of our Debian stock had this already and many machines which didn't yesterday but I installed it on yesterday were updated by the time I got to the office.
Do unattended upgrades ever cause any problems?
I did experiment with them on Ubuntu some years back but since then have tended to do it myself, but I'm not really sure why.
Incidentally I now have x86 bash binaries for Ubuntu 6.06, 8.04 and 11.04 if anyone needs them.
On Sat, Sep 27, 2014 at 05:12:03PM +0100, Mark Rogers wrote:
> Do unattended upgrades ever cause any problems?
Only when people manually install things in the same location as the system binaries or hack bits of the system that then get upgraded when the package is updated. Then things break. I see this as a good thing as it encourages people to not do stupid things :)
Adam
On 27 September 2014 18:09, Adam Bower adam@thebowery.co.uk wrote:
> Only when people manually install things in the same location as the system binaries or hack bits of the system that then get upgraded when the package is updated. Then things break. I see this as a good thing as it encourages people to not do stupid things :)
OK, you've convinced me! I'll start rolling it out.
On 28 September 2014 12:07, Mark Rogers mark@quarella.co.uk wrote:
> OK, you've convinced me! I'll start rolling it out.
Out of curiosity, do you limit it to security updates or do you let it go beyond that?
On Sun, Sep 28, 2014 at 12:21:03PM +0100, Mark Rogers wrote:
> On 28 September 2014 12:07, Mark Rogers mark@quarella.co.uk wrote:
> > OK, you've convinced me! I'll start rolling it out.
> Out of curiosity, do you limit it to security updates or do you let it go beyond that?
Security updates only. Other stuff should be managed. I did have some fallout over the weekend where someone had configured a machine without unattended-upgrades but there was a symlink in /usr that pointed to some config in /etc. What happened was someone changed the link destination so that when the package was upgraded it put the original link back, but in a way this is a good thing as it stops people making stupid hacks like that!
Adam
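To make Adam's "security updates only" setting concrete, here is an added example, not from the thread, that writes the two apt.conf.d fragments Debian's unattended-upgrades package reads. The option names and origin patterns are the ones the package ships; the target directory is a parameter, on the assumption that you will diff the output against your existing /etc/apt/apt.conf.d files before copying it in, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Writes the two apt.conf.d fragments that make
# Debian's unattended-upgrades package apply security updates only. The target
# directory is a parameter so the output can be inspected before it goes into
# /etc/apt/apt.conf.d (the package must be installed: apt-get install unattended-upgrades).

write_unattended_upgrades_conf() {
    dir="$1"
    mkdir -p "$dir"

    # Turns the periodic apt job on; this is the file that
    # "dpkg-reconfigure -plow unattended-upgrades" would also create.
    cat >"$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # Only packages from the Debian security archive are allowed. Adding a pattern
    # with label=Debian (without -Security) would widen it to all stable point-release
    # updates, which is the "other stuff" Adam prefers to manage by hand.
    cat >"$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
// Mail root a report so a changed package is noticed rather than discovered later.
Unattended-Upgrade::Mail "root";
// Never reboot on its own; a kernel update still needs a planned reboot.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# True if the fragment in DIR restricts upgrades to the security archive only.
security_only() {
    grep -q 'label=Debian-Security' "$1/50unattended-upgrades" &&
        ! grep -q 'label=Debian";' "$1/50unattended-upgrades"
}

# Default to a scratch directory so running the script as-is changes nothing on the box.
target="${1:-$(mktemp -d)}"
write_unattended_upgrades_conf "$target"
echo "wrote $target/20auto-upgrades and $target/50unattended-upgrades"
```

After the files are in place, `unattended-upgrade --dry-run --debug` shows what would be installed without changing anything. On the breakage Adam describes: dpkg keeps locally edited conffiles under /etc, but a file the package owns elsewhere (the symlink in /usr in his case) is put back on upgrade, and `debsums -c` will list such locally modified package files before an upgrade does it for you.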
On 25/09/14 17:42, Bev Nicolson wrote:
> What should we do? Here it's just me and my computer to worry about for example and I have a firewall and a virus checker installed. Is that enough?
More than I've got...
There will be a fix, never fear.
On 26/09/14 12:59, Anthony Anson wrote:
> On 25/09/14 17:42, Bev Nicolson wrote:
> > What should we do? Here it's just me and my computer to worry about for example and I have a firewall and a virus checker installed. Is that enough?
> More than I've got...
> There will be a fix, never fear.
Paul's* diagnostic has proved useful though so I'm happier now I have an updated system whilst being entirely confident that the Linux community will do just that.
Bev.
*I'm crediting Paul whether it came from him or not!