[AusNOG] bash bug !

Nathan Gardiner ngardiner at gmail.com
Thu Sep 25 23:22:33 EST 2014


Replying to myself but I just wanted to make sure I didn't lull anyone into
a false sense of security as I hadn't actually _tried_ updating VyOS. Even
with an update there is no non-vulnerable bash package for VyOS using the
VyOS repository and since vbash is integral (it's how all the router
commands are executed) I would be concerned for those with internet-facing
VyOS deployments.

Filtering off ssh would be a very good idea if it wasn't done already....


On Thu, Sep 25, 2014 at 9:06 PM, Nathan Gardiner <ngardiner at gmail.com>
wrote:

> What's the particular concern with Debian based devices? Debian pushed
> bash 4.2+dfsg-0.1+deb7u1 for wheezy 14 hours ago and any device which uses
> the Debian repositories would pick it up with a dist-upgrade/specific
> package upgrade. Proxmox VE 3.1 hosts not only have the Debian repository
> but also have inbuilt package update functionality in the GUI which makes
> it quite easy to update.
>
> Openwrt uses ash by default and requires bash to be installed explicitly,
> VyOS 1.0.4 "vbash" shell I just tested to be vulnerable without an update:
>
> vyos at r03:~$ show version
> Version:      VyOS 1.0.4
> Description:  VyOS 1.0.4 (hydrogen)
>
> vyos at r03:~$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a
> test"
> vulnerable
> this is a test
>
>
> Nathan
>
> On Thu, Sep 25, 2014 at 8:43 PM, Ben Cooper <ben at zeno.io> wrote:
>
>> Isn't VyOS *nix based? Debian even?
>>
>> Also those new Ubiquiti things are Debian based as well I think.
>>
>> On Thu, Sep 25, 2014 at 10:06 PM, George Fong <george at lateralplains.com>
>> wrote:
>>
>>> I've so far had no problems updating CentOS servers with a simple
>>> update of bash.
>>>
>>> I'm not sure how accurate this test is but the befores and afters seem
>>> to be consistent:
>>>
>>>
>>> https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271
>>>
>>> Right now I am most worried about Linux based border routers and VM
>>> hosts such as Proxmox. The latter is Debian based.
>>>
>>> Cheers
>>> g.
>>>
>>>
>>>
>>> On Thu, 2014-09-25 at 16:32 +1000, Pinkerton, Eric (AU Sydney) wrote:
>>>
>>> Heads up, shellshock botnet payloads are already hitting honeypots..
>>>
>>> https://gist.github.com/anonymous/929d622f3b36b00c0be1
>>>
>>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of* Alex
>>> Samad - Yieldbroker
>>> *Sent:* Thursday, 25 September 2014 2:59 PM
>>> *To:* Kush, Nishchal
>>> *Cc:* ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] bash bug !
>>>
>>> I believe the initial released patch was incomplete
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1146319
>>>
>>> A
>>>
>>> *From:* Kush, Nishchal [mailto:kush at kush.com.fj]
>>> *Sent:* Thursday, 25 September 2014 3:03 PM
>>> *To:* Alex Samad - Yieldbroker
>>> *Cc:* ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] bash bug !
>>>
>>> Hi
>>>
>>> Most Linux distributions have released patches. Unfortunately you
>>> still need to recompile your own for Apple's Mac OS X
>>>
>>> Cheers
>>>
>>> --
>>> Kush, Nishchal
>>> kush at kush.com.fj
>>>
>>> On 25 Sep 2014, at 2:40 pm, Alex Samad - Yieldbroker <
>>> Alex.Samad at yieldbroker.com> wrote:
>>>
>>> http://www.smh.com.au/it-pro/security-it/shell-shock-bash-bug-labelled-largest-ever-to-hit-the-internet-20140925-10ltx1.html
>>>
>>> https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>> --
>>>
>>> GPG Fingerprint: 8BAF 3175 A1C8 BF5F 3631 BEF4 727C 784A 218B 4CE4
>>> Just remember, wherever you go ........ there you are.
>>>
>>
>>
>> --
>> Ben Cooper
>> CEO
>> Zeno Holdings PTY LTD
>> P: +61 7 3503 8553
>> M: 0410411301
>> E: ben at zeno.io
>> W: *http://zeno.io <http://zeno.io>*
>>
>
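The test Nathan pasted above (an exported-function-style environment variable with trailing commands, run against `bash -c`) is the quickest way to tell whether a given shell is affected. The script below wraps that same check so it can be run against every shell binary on a host, including an appliance shell such as VyOS's `vbash`, and reports a per-shell verdict instead of relying on eyeballing the output. It is an added example for this thread, not code posted by any of the list participants; the shell list at the bottom and the marker string are constructed for the example, and `vbash` is included only because the thread names it.

```shell
#!/bin/sh
# Added example: per-shell self-check for the Shellshock bug (CVE-2014-6271)
# discussed in the thread. Not taken from any list post; constructed here.

# Return 0 if SHELL runs the trailing command from an environment variable
# that looks like an exported function definition (vulnerable), 1 if it only
# sees a plain variable (fixed or unaffected), 2 if SHELL cannot be executed.
shellshock_vulnerable() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    # Constructed marker: unique per run so a stray "vulnerable" in some
    # unrelated output cannot produce a false positive.
    marker="SHELLSHOCK_MARKER_$$"
    # Same construction as the test in the thread: a variable whose value is
    # a function body followed by an extra command. A fixed shell imports no
    # function from this and never runs the trailing echo.
    out=$(env x="() { :;}; echo $marker" "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *"$marker"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print a one-line verdict for SHELL. The "|| rc=$?" pattern keeps this
# usable under "set -e", since a non-zero return means "not vulnerable".
report_shell() {
    rc=0
    shellshock_vulnerable "$1" || rc=$?
    case "$rc" in
        0) echo "$1: VULNERABLE - trailing command in env function body was executed" ;;
        1) echo "$1: not vulnerable" ;;
        *) echo "$1: not found or not executable, skipped" ;;
    esac
}

# Candidate shells to scan. bash and /bin/sh are present on most Linux hosts;
# vbash is the VyOS command shell named in the thread (skipped if absent).
for candidate in bash /bin/sh vbash; do
    report_shell "$candidate"
done
```

Run it as the user whose shells you care about; an appliance shell that is not on `$PATH` can be passed by full path to `report_shell`. The verdict is per binary, so a host can legitimately show `/bin/sh` (dash) as not vulnerable while an unpatched `bash` on the same box still is.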