CVE-2014-6271 BASH Vulnerability

Started by Toruk Makto, September 25, 2014, 04:13:16 PM

Toruk Makto

There is a new exploited vulnerability of the bash unix shell. You can go read more about it at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Note that the LN server has been patched.

Irayo!

-M.

Lì'fyari leNa'vi 'Rrtamì, vay set 'almong a fra'u zera'u ta ngrrpongu
Na'vi Dictionary: http://files.learnnavi.org/dicts/NaviDictionary.pdf

Wllìm

+1 Irayo! It is great to see such a fast response... :D

For my home computer, I'm still waiting for a bash update from my distro... :-X

Vawmataw

Fmawn Ta 'Rrta - News IN NA'VI ONLY (Discord)
Traducteur francophone de Kelutral.org, dict-navi et Reykunyu

Tirea Aean

through/including Bash 4.3.. hmmm

I'm running:


*Mac: GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Arch Linux on Chromebook: GNU bash, version 4.3.24(1)-release (armv7l-unknown-linux-gnueabinhf)
Chrome OS: GNU bash, version 4.2.45(1)-release (armv7a-cros-linux-gnueabi)
Ubuntu Server [vm]: GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Ubuntu Desktop [vm]: GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)
RHEL 7 (UMBC): GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
*Fedora Server: GNU bash, version 4.2.37(1)-release (i686-redhat-linux-gnu)
(but the default shell at UMBC is actually tcsh)

Looks like the starred things I'm running are the only ones still currently vulnerable.

You can check if you're vulnerable by running this command in a bash terminal:

env x='() { :; }; echo vulnerable' bash -c 'echo hello'

If you get:

vulnerable
hello


then you're vulnerable to this hack.
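
The check from the post above, as an added script that is not part of the original thread: it runs the same probe against every bash binary the host could start and reports a status word instead of relying on reading the output by eye. The function names, status words and marker string are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scripted form of the CVE-2014-6271 self-check from the thread.

# check_shellshock PATH
# Prints one word: missing | vulnerable | not-vulnerable | unknown
check_shellshock() {
    shell=$1
    [ -x "$shell" ] || { echo missing; return 0; }

    # Constructed marker, unique per run, so a match cannot be a coincidence.
    marker="SHELLSHOCK_PROBE_$$"

    # Same probe as the post: a function definition in variable x followed by
    # a trailing command. env -i gives the child a clean environment so that
    # nothing else the caller exported influences the result.
    out=$(env -i x="() { :;}; echo $marker" "$shell" -c 'echo hello' \
          2>/dev/null </dev/null) || true

    case $out in
        *"$marker"*) echo vulnerable ;;      # trailing command was executed
        *hello*)     echo not-vulnerable ;;  # only the requested command ran
        *)           echo unknown ;;         # binary did not behave like a shell
    esac
}

# list_bash_binaries: every bash this host could start (PATH plus /etc/shells).
list_bash_binaries() {
    {
        command -v bash 2>/dev/null || true
        if [ -r /etc/shells ]; then
            grep '/bash$' /etc/shells || true
        fi
    } | sort -u
}

# scan_host: one "path: status" line per bash binary found.
scan_host() {
    list_bash_binaries | while IFS= read -r path; do
        printf '%s: %s\n' "$path" "$(check_shellshock "$path")"
    done
}

scan_host
```

A host with no bash at all, like the Android device discussed later in the thread, produces no lines.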

Tìtstewan

Irayo! :D

Ma Tirea, eltur tìtxen si! I should take a look at my Kubuntu in my VM...

-| Na'vi Vocab + Audio | Na'viteri as one HTML file | FAQ | Useful Links for Beginners |-
-| Kem si fu kem rä'ä si, ke lu tìfmi. |-

Vawmataw

You can check, but Fwa lu kxuke ke fkeytok.

Tirea Aean

Absolute guarantee of safety or impossibility of any hack indeed doesn't exist, which is basically the obvious fact of using computer technology.

But. With each patch, you are that much less vulnerable than you were before. Which is at least some form of improvement.

Tìtstewan

Does Android have this too? (as it is based on Linux?)


Tirea Aean

Quote from: Tìtstewan on September 25, 2014, 05:34:29 PM
Does Android have this too? (as it is based on Linux?)

I just tried on my Nexus 5 from adb to find bash.

Turns out Android doesn't even have bash installed. It just has /system/bin/sh
So looks like Android is not affected.

EDIT: and at that, it's a VERY limited version of mksh made for Android. Which makes sense. Yes, Android runs on the Linux kernel, but the user doesn't need access to a full system shell.

Blue Elf

Quote from: Tirea Aean on September 25, 2014, 05:31:41 PM
Absolute guarantee of safety or impossibility of any hack indeed doesn't exist, which is basically the obvious fact of using computer technology.
It exists. If your computer is not networked and you do not use any removable media, not many people can hack it. :)
But I'm not sure if such a PC exists.
Certification authorities are near to this state (no network), but they still need to use removable media - as certificate requests must be somehow delivered to the authority.
Oe lu skxawng skxakep. Slä oe nerume mi.
"Oe tasyätxaw ulte koren za'u oehu" (Limonádový Joe)


Tirea Aean

Who in this day and age actually uses such a configuration? That's not just realistic. So that aside, I guess what I said still stands. The best we can do, without kidding ourselves, is make systems that are very very difficult to crack, but surely there will be some wiseguy who cracks it eventually. How many pieces of software are written once and are SO good that they never change version? I think none that are serious pieces of software.

`Eylan Ayfalulukanä

We had a system here for many years that ran VMS, simply because it was 1.) close to hackproof and 2.) few, if anybody used it at that time. This computer was also completely standalone, even though it would connect with the thinnet system we then had. This security was necessary because this system, if misused, could unlock or lock many of the consumer TV set-top boxes in use at the time, anywhere in the country.

Yawey ngahu!
pamrel si ro [email protected]