Re: Bash specially-crafted environment variables code injection attack
Sorry for top posting. The initial fix does cover the main vulnerability, and there will be additional fixes coming soon. If you are running a version outside of the current supported versions and you do NOT have LTSS, there is a mechanism to provide patches outside of the normal subscription contract. You would need to contact your account rep for details on getting these patches through a special process. We have done so, in the interest of security first.

Thanks,
Peter

Peter Linnell
SUSECon 2014 Register at suse.com/susecon
Follow us at twitter.com/susecon14

>>> Ted Rodriguez-Bell 9/26/2014 12:56 PM >>>
This is a bit off-topic, but you can see in the package dates that an embargo was done. The SLES package was signed on Friday, 19 Feb at 6:20 PDT; the corresponding Fedora packages were signed on Wednesday the 24th. Both announcements arrived in the wee hours (US Pacific time) on Thursday morning. Fedora and Red Hat, by the way, have issued a fix for CVE-2014-7169; I'm expecting Suse's any hour now.

Just as far afield but in a different direction, the 11SP2 LTSS and 10SP4 LTSS updates were mentioned in the same message as the SP3 ones. This was a clue that the "critical" rating on this means "really, really critical"; usually LTSS updates come days or weeks later.

Ted Rodriguez-Bell
Wells Fargo

-----Original Message-----
From: Mark Post [mailto:mp...@suse.com]
Sent: Wednesday, September 24, 2014 11:35 PM
Subject: Re: Bash specially-crafted environment variables code injection attack

>>> On 9/24/2014 at 10:00 PM, Mauro Souza wrote:
> The fix for SuSE must be in production right now.
>
> Maybe we can install the RedHat version on SuSE until the official fix?

No. Don't even think about trying that. The result will likely be uglier than the vulnerability. And, as Marcy noted, the fix from SUSE was released today, just as everyone else has done.

The way things like this work is that (assuming a discreet vulnerability report was made initially), the various Linux vendors "embargo" any public mention of the bug or fixes for it. Then, when the appropriate date arrives to end the embargo, public announcements are made, concurrent with publication of the fix.

Mark Post

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: Bash specially-crafted environment variables code injection attack
This is a bit off-topic, but you can see in the package dates that an embargo was done. The SLES package was signed on Friday, 19 Feb at 6:20 PDT; the corresponding Fedora packages were signed on Wednesday the 24th. Both announcements arrived in the wee hours (US Pacific time) on Thursday morning. Fedora and Red Hat, by the way, have issued a fix for CVE-2014-7169; I'm expecting Suse's any hour now.

Just as far afield but in a different direction, the 11SP2 LTSS and 10SP4 LTSS updates were mentioned in the same message as the SP3 ones. This was a clue that the "critical" rating on this means "really, really critical"; usually LTSS updates come days or weeks later.

Ted Rodriguez-Bell
Wells Fargo

-----Original Message-----
From: Mark Post [mailto:mp...@suse.com]
Sent: Wednesday, September 24, 2014 11:35 PM
Subject: Re: Bash specially-crafted environment variables code injection attack

>>> On 9/24/2014 at 10:00 PM, Mauro Souza wrote:
> The fix for SuSE must be in production right now.
>
> Maybe we can install the RedHat version on SuSE until the official fix?

No. Don't even think about trying that. The result will likely be uglier than the vulnerability. And, as Marcy noted, the fix from SUSE was released today, just as everyone else has done.

The way things like this work is that (assuming a discreet vulnerability report was made initially), the various Linux vendors "embargo" any public mention of the bug or fixes for it. Then, when the appropriate date arrives to end the embargo, public announcements are made, concurrent with publication of the fix.

Mark Post
Re: Bash specially-crafted environment variables code injection attack
Thanks Marcy and Mike!

Gerard Howells
zLinux and z/VM Systems Administrator, Enterprise Systems
America First Credit Union
TEL: 801-827-8353
ghowe...@americafirst.com

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Michael O'Reilly
Sent: Thursday, September 25, 2014 11:28
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Bash specially-crafted environment variables code injection attack

Gerard,

CVE-2014-0475 Common Vulnerabilities and Exposures
http://support.novell.com/security/cve/CVE-2014-0475.html

Mike O'Reilly
IBM Linux Change Team

Gerard Howells, sent by Linux on 390 Port, 09/25/2014 10:16 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Bash specially-crafted environment variables code injection attack
Please respond to Linux on 390 Port

Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4?

Gerard Howells
zLinux and z/VM Systems Administrator, Enterprise Systems
America First Credit Union
TEL: 801-827-8353
ghowe...@americafirst.com

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Marcy Cortes
Sent: Wednesday, September 24, 2014 21:38
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Bash specially-crafted environment variables code injection attack

SUSE one has been out there for at least 5 hours
https://download.suse.com/Download?buildid=e7IoZr2HcLE~

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mauro Souza
Sent: Wednesday, September 24, 2014 7:01 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Bash specially-crafted environment variables code injection attack

I have downloaded a fix for Linux Mint, and installed the same file on Ubuntu.
The fix for SuSE must be in production right now.
Maybe we can install the RedHat version on SuSE until the official fix?
Re: Bash specially-crafted environment variables code injection attack
> On Sep 25, 2014, at 10:44 AM, Veencamp, Jonathon D. wrote:
>
> Just a word of warning that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one round of patches on this, perhaps from all vendors
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1141597
>
> Statement:
> Red Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.

Here is a new CVE at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

CVE-2014-7169
Summary: GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
Published: 9/24/2014 9:55:04 PM
CVSS Severity: 10.0 HIGH

The difference is "NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271."

I didn't mean to imply in my note that other distributors weren't also working on fixes. We are a Red Hat customer, so that is all the notices we have received. The previous CVE only referenced Red Hat links. I'm not surprised that Mac OS X is late -- they always are.

Has anyone heard of any exploits?
Re: Bash specially-crafted environment variables code injection attack
Just a word of warning that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one round of patches on this, perhaps from all vendors.

https://bugzilla.redhat.com/show_bug.cgi?id=1141597

Statement:
Red Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.

Jon
Re: Bash specially-crafted environment variables code injection attack
>>> On 9/25/2014 at 01:16 PM, Gerard Howells wrote:
> Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4?

As Marcy noted, only for customers that are paying for LTSS. Perhaps this vulnerability might help people make the case to their own customers that staying current is a lot better in the long run, and less expensive as well.

Mark Post
Re: Bash specially-crafted environment variables code injection attack
Just a word of warning to everyone, that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one round of patches on this, perhaps from all vendors.

https://bugzilla.redhat.com/show_bug.cgi?id=1141597

Statement:
Red Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.

Jon
Re: Bash specially-crafted environment variables code injection attack
Gerard,

CVE-2014-0475 Common Vulnerabilities and Exposures
http://support.novell.com/security/cve/CVE-2014-0475.html

Mike O'Reilly
IBM Linux Change Team

Gerard Howells, sent by Linux on 390 Port, 09/25/2014 10:16 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Bash specially-crafted environment variables code injection attack
Please respond to Linux on 390 Port

Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4?

Gerard Howells
zLinux and z/VM Systems Administrator, Enterprise Systems
America First Credit Union
TEL: 801-827-8353
ghowe...@americafirst.com

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Marcy Cortes
Sent: Wednesday, September 24, 2014 21:38
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Bash specially-crafted environment variables code injection attack

SUSE one has been out there for at least 5 hours
https://download.suse.com/Download?buildid=e7IoZr2HcLE~

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mauro Souza
Sent: Wednesday, September 24, 2014 7:01 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Bash specially-crafted environment variables code injection attack

I have downloaded a fix for Linux Mint, and installed the same file on Ubuntu.
The fix for SuSE must be in production right now.
Maybe we can install the RedHat version on SuSE until the official fix?
Re: Bash specially-crafted environment variables code injection attack
You'd have to have LTSS for that since it is out of support. I was told it is available for all of these:

SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 10 SP3 LTSS for AMD64 and Intel EM64T
SUSE Linux Enterprise Server 10 SP3 LTSS for IBM zSeries 64bit
SUSE Linux Enterprise Server 10 SP3 LTSS for x86
SUSE Linux Enterprise Server 10 SP4 LTSS for AMD64 and Intel EM64T
SUSE Linux Enterprise Server 10 SP4 LTSS for IBM zSeries 64bit
SUSE Linux Enterprise Server 10 SP4 LTSS for x86
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 11 SP2 LTSS
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Software Development Kit 11 SP3

Marcy

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Gerard Howells
Sent: Thursday, September 25, 2014 10:16 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Bash specially-crafted environment variables code injection attack

Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4?

Gerard Howells
zLinux and z/VM Systems Administrator, Enterprise Systems
America First Credit Union
TEL: 801-827-8353
ghowe...@americafirst.com

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Marcy Cortes
Sent: Wednesday, September 24, 2014 21:38
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Bash specially-crafted environment variables code injection attack

SUSE one has been out there for at least 5 hours
https://download.suse.com/Download?buildid=e7IoZr2HcLE~

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mauro Souza
Sent: Wednesday, September 24, 2014 7:01 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Bash specially-crafted environment variables code injection attack

I have downloaded a fix for Linux Mint, and installed the same file on Ubuntu.
The fix for SuSE must be in production right now.
Maybe we can install the RedHat version on SuSE until the official fix?
Re: Bash specially-crafted environment variables code injection attack
Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4?

Gerard Howells
zLinux and z/VM Systems Administrator, Enterprise Systems
America First Credit Union
TEL: 801-827-8353
ghowe...@americafirst.com

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Marcy Cortes
Sent: Wednesday, September 24, 2014 21:38
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Bash specially-crafted environment variables code injection attack

SUSE one has been out there for at least 5 hours
https://download.suse.com/Download?buildid=e7IoZr2HcLE~

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mauro Souza
Sent: Wednesday, September 24, 2014 7:01 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Bash specially-crafted environment variables code injection attack

I have downloaded a fix for Linux Mint, and installed the same file on Ubuntu.
The fix for SuSE must be in production right now.
Maybe we can install the RedHat version on SuSE until the official fix?
Re: Bash specially-crafted environment variables code injection attack
>>> On 9/24/2014 at 10:00 PM, Mauro Souza wrote:
> The fix for SuSE must be in production right now.
>
> Maybe we can install the RedHat version on SuSE until the official fix?

No. Don't even think about trying that. The result will likely be uglier than the vulnerability. And, as Marcy noted, the fix from SUSE was released today, just as everyone else has done.

The way things like this work is that (assuming a discreet vulnerability report was made initially), the various Linux vendors "embargo" any public mention of the bug or fixes for it. Then, when the appropriate date arrives to end the embargo, public announcements are made, concurrent with publication of the fix.

Mark Post
Re: Bash specially-crafted environment variables code injection attack
SUSE one has been out there for at least 5 hours
https://download.suse.com/Download?buildid=e7IoZr2HcLE~

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mauro Souza
Sent: Wednesday, September 24, 2014 7:01 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Bash specially-crafted environment variables code injection attack

I have downloaded a fix for Linux Mint, and installed the same file on Ubuntu.
The fix for SuSE must be in production right now.
Maybe we can install the RedHat version on SuSE until the official fix?
Re: Bash specially-crafted environment variables code injection attack
I have downloaded a fix for Linux Mint, and installed the same file on Ubuntu.
The fix for SuSE must be in production right now.
Maybe we can install the RedHat version on SuSE until the official fix?
Bash specially-crafted environment variables code injection attack
CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Summary: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Published: 9/24/2014 2:48:04 PM
CVSS Severity: 10.0 HIGH (AV:N/AC:L/Au:N/C:C/I:C/A:C)
http://nvd.nist.gov/cvss.cfm?name=CVE-2014-6271&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)&version=2.0

Note this applies to all versions of bash. Red Hat has published fixes. I haven't seen any for SuSE Linux or Mac OS X, or anything else.

Easy test:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    $

https://bugzilla.redhat.com/show_bug.cgi?id=1141597
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
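The "easy test" above works because a vulnerable bash, on startup, imports any environment variable whose value starts with "() {" as a function definition and keeps parsing past the closing brace, so the trailing "echo vulnerable" runs before the -c command. The script below is an added example, not part of the list thread: it wraps that same probe as a host check and adds a scrubber that a CGI or ForceCommand wrapper can run before handing control to bash on a host that is not yet patched. It assumes a POSIX sh with env, sed and bash on PATH; the function names and the DEMO_FN variable are its own.

```shell
#!/bin/sh
# Added example (not from the LINUX-390 thread). Defender-side check and
# mitigation for the input class CVE-2014-6271 abuses.

# Run the probe quoted in the post in a child bash. If "vulnerable" shows up
# in the output, the child parsed the value of x as a function definition and
# executed the command that trailed it. Returns 0 = not vulnerable,
# 1 = vulnerable, 2 = no bash available to test.
shellshock_6271_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Names of exported variables whose value begins with "() {": the shape a
# request header (mod_cgi), an SSH_ORIGINAL_COMMAND (ForceCommand) or a DHCP
# option would have to carry for the bug to matter. Only the first line of
# each value is inspected. Functions exported by a patched bash travel under
# a prefixed name such as BASH_FUNC_name%% (upstream naming), which this
# name pattern deliberately does not match.
list_function_env() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=() {.*/\1/p'
}

# Mitigation for a wrapper that must still start bash on an unpatched host:
# drop every function-shaped variable before the child shell is started.
# Caveat: on an old bash this also drops legitimately exported functions.
scrub_function_env() {
    for name in $(list_function_env); do
        unset "$name"
    done
}

# Demonstration with a constructed variable. Exporting it in a running shell
# is harmless; it would only be interpreted when a vulnerable bash starts.
demo() {
    export DEMO_FN='() { :;}; echo would-run-at-startup'
    printf 'before scrub: %s\n' "$(list_function_env | tr '\n' ' ')"
    scrub_function_env
    printf 'after scrub:  %s\n' "$(list_function_env | tr '\n' ' ')"
    if shellshock_6271_check; then
        echo "bash on this host ignores the trailing command (CVE-2014-6271 not present)"
    else
        case $? in
            1) echo "bash on this host is VULNERABLE to CVE-2014-6271" ;;
            2) echo "no bash found to test" ;;
        esac
    fi
}

demo
```

The check only covers the CVE-2014-6271 probe from the post; the later, incomplete-fix issue CVE-2014-7169 needs the vendor's updated package, not a different probe here.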