Say hello to the bash bug

[Galdorf]

Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.
As far i know every version of OSX has bash enabled as well as some flavors of linux they say it may be worse than heart bleed bug.
More technical info about bash bug: Bug in Bash shell creates big security hole on anything with *nix in it Could allow attackers to execute code on Linux, Unix, and Mac OS X

 

[phaZed]

Thanks for the heads up, I just checked my Kali Linux 1.3.0 box (April 2013) and it is not affected by the bug. Kernel 3.7.

 

[Galdorf]

According to a few security firms the fix did not fix the exploit it is still live if you patched.

 

[phaZed]

It's easy to test for, I passed the litmus test:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:

vulnerable
this is a test
An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

 

[frederick]

Today for us was getting all our servers security issues addressed. Rather than as we go, until sunday, its if you aren't doing anything, youre working on this.

We took two servers and are addressing the bash issue in a developmemt environment.

On better note, we got most of our servers up to an A according to SSL labs. Taking them up from a B. Mostly had to do with key length. Our new proxy server (assembled a week ago) is finally up, and performing way better, and is working with untangle like a beast. Significant improvements across the board. And should prevent any bash vulnerability from hitting the servers behind it directly

 

[Jim]

I'm seeing attempts to exploit this on multiple machines now so if you haven't updated yet - jump to it!

 

[phaZed]

I'm seeing attempts to exploit this on multiple machines now so if you haven't updated yet - jump to it!

What are you using to monitor the activity, out of curiosity?

 

[kpk1]

These may be useful:

http://shellshock.brandonpotter.com/

http://www.shellshocktest.com/

 

[frederick]

So this is what we have done to mitigate the risk...

1) Ensure all web-servers are behind proxy server (even the https stuff).
2) Ensure proxy server is up-to-date, and contains all relevant keys, certs, etc., for all websites behind proxy server.
3) Ensure unneeded ports on proxy-server and web servers are disabled.
4) ALL non-web servers, but still public, are behind proxy server and proxied correctly.
5) Ensure all ports that are unneeded are secured/disabled.
6) Fix headers in Proxy Server.

Patch complete!

 

[Jim]

What are you using to monitor the activity, out of curiosity?

I wasn't actually monitoring for that, just happened to notice some dodgy log entries on one machine while investigating an unrelated issue. I then had a quick look at other machines and saw the same on every one I checked! Lucky I had already patched them all previously.