Bash specially-crafted environment variables code injection attack
Red Hat | Update 2014-09-25 16:00 UTC | Red Hat
Posted on 09/25/2014 7:04:10 PM PDT by palmer
Red Hat is aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
...
(Excerpt) Read more at securityblog.redhat.com ...
There are clueless news media stories focussing on the server side vulnerabilities as if anyone writes their CGI scripts in shell script (specifically bash) and inserts unsanitized user input into those scripts. That is cave man stupid programming.
However what is disturbing to me is the possibility that you walk into a coffee shop and their malicious DHCP server sends your DHCP client some extra bash commands to run. Not sure if this is really a problem or not. Any Linux or MacOS experts have a clue?
1 posted on 09/25/2014 7:04:10 PM PDT by palmer
To: palmer
That would be a weakness in any shell, if they can insert stuff into your session.
2 posted on 09/25/2014 7:10:03 PM PDT by HiTech RedNeck
(Embrace the Lion of Judah and He will roar for you and teach you to roar too. See my page.)
To: palmer
"However what is disturbing to me is the possibility that you walk into a coffee shop and their malicious DHCP server sends your DHCP client some extra bash commands to run. Not sure if this is really a problem or not. Any Linux or MacOS experts have a clue?"
I have set up and maintained DHCP servers and sending bash commands is certainly not a standard thing to do. I haven't examined the entire dhcpd.conf language, but I haven't come across anything that would do this. It's not like a pxe server which actually installs software on the requesting machine. (Nobody is going to accidentally do a pxe boot in a coffee shop. Not to worry.)
To: palmer
But the more things change the more they stay the same. People “COULD” code servers so as to involve shells. They probably should not, at least not without serious effort to do it in a sanitized environment.
4 posted on 09/25/2014 7:12:21 PM PDT by HiTech RedNeck
(Embrace the Lion of Judah and He will roar for you and teach you to roar too. See my page.)
To: palmer; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
UNIX, LINUX, and OSX security PING. There is a vulnerability in BASH that can allow access to your computers. There is a complex fix, but even GEEKS are having difficulty implementing it. Apple will be pushing something out soon. It appears that it is a risk, although most Macs are not using such an access unless they have a printer available for net access, are hosting a website, or otherwise permitting their Mac to be open for access on the Internet. DO NOT ASSUME that your Mac is not open. Do not share your printers on the web. PING!

Apple OSX, LINUX, UNIX SECURITY Ping!
If you want on or off the Mac Ping List, Freepmail me.
5 posted on 09/25/2014 7:16:48 PM PDT by Swordmaker
(This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: palmer
From what I’ve been able to find out, this vulnerability is in Bash and it affects BASH versions 1.13 (22 years ago) up to 4.3.
6 posted on 09/25/2014 7:23:23 PM PDT by Swordmaker
(This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: palmer
7 posted on 09/25/2014 7:29:56 PM PDT by Swordmaker
(This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Swordmaker
Then the pertinent questions are how many system functions invoke bash and how many of those use remote input (e.g. the DHCP server data in my example). I have not looked into it, but if I were writing a DHCP client I would not invoke bash with anything from the server side.
Invoking bash to do random system stuff is sort of cheap and dirty way to allow flexible system configuration. In the case of a DHCP client, I'm not sure why any such flexibility is needed. The client has to set some names and addresses and that is about it. I just glanced through the DHCP spec and see nothing about invoking a shell script or anything hinting at that. That particular avenue of attack may be speculation.
8 posted on 09/25/2014 7:37:19 PM PDT by palmer
(This comment is not approved or cleared by FDA)
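Added example, not part of the thread or of any poster's or project's code: one way a program can hand remote-supplied values to a shell hook in the "sanitized environment" raised in post 4, for a hypothetical client like the one discussed in post 8. The variable names `new_ip_address` and `new_host_name`, the hook command and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Variable names and the hook are hypothetical; sample values are constructed.

# True if the value starts with "() {", the prefix unpatched bash treated as
# an exported function definition when importing the environment.
is_funcdef() {
    case $1 in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Allow-list: non-empty, and only characters expected in addresses and host names.
is_safe_value() {
    case $1 in
        ""|*[!A-Za-z0-9.:_-]*) return 1 ;;
        *)                     return 0 ;;
    esac
}

# run_hook_clean HOOK NAME=VALUE...
# Runs HOOK under /bin/sh with an empty environment plus only the pairs that
# pass validation. Rejections are logged on stderr with the reason.
run_hook_clean() {
    hook=$1; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        pair=$1; shift; n=$((n - 1))
        case $pair in
            *=*) name=${pair%%=*}; value=${pair#*=} ;;
            *)   name=; value= ;;
        esac
        case $name in
            ""|[0-9]*|*[!A-Za-z0-9_]*) echo "rejected (bad name): $pair" >&2; continue ;;
        esac
        if is_funcdef "$value"; then
            echo "rejected (function-definition prefix): $name" >&2
        elif is_safe_value "$value"; then
            set -- "$@" "$pair"      # keep: re-append to the argument list
        else
            echo "rejected (unexpected characters): $name" >&2
        fi
    done
    env -i PATH=/usr/bin:/bin "$@" /bin/sh -c "$hook"
}

# Constructed input: one normal value, one value carrying the prefix.
run_hook_clean 'echo "ip=$new_ip_address host=${new_host_name-unset}"' \
    new_ip_address=192.0.2.10 'new_host_name=() { :; }; trailing-text'
```

The allow-list is what does the real work: the prefix check only gives a more specific log line, since any value with spaces, braces or parentheses is rejected either way.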
To: the_Watchman
I just looked through the DHCP spec and saw no clues that suggested that any shell commands are sent across to the client.
9 posted on 09/25/2014 7:40:26 PM PDT by palmer
(This comment is not approved or cleared by FDA)
To: palmer
I read through the ICMP message formats at one point and I do not recall any method of sending arbitrary text strings comprising commands to be executed.
To: palmer
Clever way to get tons of people to upgrade to the latest bash.
Who knows if there are worse vulnerabilities in it.
I never liked the idea of public wifi, that is connecting to any old bandito wifi network you happen to walk by.
Wireless (phone modem) places you on your paid providers network.
11 posted on 09/25/2014 9:55:06 PM PDT by PieterCasparzen
(We have to fix things ourselves)