CVE-2014-6271 Scope, impact, and resolution

Update (October 9th, 3:15pm PT)

The hotfix has been released and you can read the release notes here. The security patches are now available via the Upgrade button in your environment.


Update (October 7th, 3:15pm PT)

Our security patches have been updated to provide additional assurance that all six known vulnerabilities have been eliminated. We recommend applying these patches during a time convenient for you over the next 48 hours in order to minimize disruption to your operations. When you are ready to install these updates, SSH into your desired instance(s) and run:

    sudo eix-sync && sudo emerge app-shells/bash

These new changes will be available via the Upgrade button by 5pm PT on Thursday, October 9th.


Update (October 7th, 8:09am PT)

We have determined that systems previously patched for CVE-2014-6277 are still vulnerable to it. We are investigating the matter and will have an update on the situation shortly.


Update (October 1st, 5:00pm PT)

Customers can now patch for the following vulnerabilities:

  • CVE-2014-6271
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187


If the Upgrade button is enabled, just click Upgrade to apply the patches for all six CVEs. No other action is needed on your part if your button was enabled and the upgrade succeeded; you can skip the next section.


If the Upgrade button is not enabled, customers can manually SSH into the desired instance(s) and run:

    sudo eix-sync && sudo emerge app-shells/bash


or simply wait until tomorrow’s update. Tomorrow, once customers are upgraded to the new cookbooks version, the behavior of the Apply button will include checking for any new or missing Bash vulnerability patches. We will update this post once that functionality is ready.

Newly created instances now include all available patches for the above vulnerabilities. NOTE: Environments that have not been upgraded prior to September 25th are at risk of not receiving these patches through the automations described above.


More information will follow as we continue to watch for new threats.

Update (September 30th, 9:20pm PT)

In addition to the aforementioned vulnerabilities, our tests confirm CVE-2014-7187 has been successfully patched.


Update (September 30th, 7:40pm PT)

The following vulnerabilities can be addressed by clicking Upgrade on your respective environments via the Cloud dashboard. Managed customers will have patches automatically applied at 9am local server time via Puppet:

  • CVE-2014-6271 (initial vulnerability)
  • CVE-2014-7169
  • CVE-2014-7186

We are currently reviewing the latest patch for CVE-2014-7187 and will have additional information as soon as possible.

Further updates will follow as we continue to watch for developments.


Update (September 30th, 12:18pm PT)

An official (yet partial) update has been released for CVE-2014-7186 and CVE-2014-7187. Our engineers are reviewing the code in preparation for an update to Engine Yard customers. Once it is determined that the update will safely resolve the cited vulnerabilities, we will update this post again with installation instructions.


Update (September 29th, 7:07pm PT)

We have no new information to present at this time. Updates to the situation will be posted as soon as new information is available.


Update (September 29th, 11:17am PT)

We are currently reviewing the following newly disclosed vulnerabilities related to Shellshock:

  • CVE-2014-6277 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
  • CVE-2014-6278 - No public details yet
  • CVE-2014-7186 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
  • CVE-2014-7187 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187

In addition to assessing these concerns, we will continue to watch for new threats as they emerge and apply our findings to this post.


Update (September 26th, 1:30pm PT)

The second revision of the bash security update is now available which addresses both CVE-2014-6271 and CVE-2014-7169. Performing the following steps will update your instance even if you have not updated to the previous revision:

  1. SSH into your instance via your preferred method.

  2. Run the command: sudo eix-sync && sudo emerge app-shells/bash

We will update this post as any new information becomes available.  To review details on both vulnerabilities, see the National Vulnerability Database:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169


Update (September 26th, 10:45am PT)

Our developers are reviewing the latest available patch for the related vulnerability, CVE-2014-7169. Once the review and testing process is complete, we will update this post again with the accompanying update instructions. Our goal is to have this completed as quickly as possible with an update for you later today.


Update (September 25th, 2:50pm PT)

Completely patching the vulnerability will require multiple iterations as the situation continues to develop. However, the first stage of this patch is now available for Engine Yard customers. You may apply the patch dubbed ‘R1’ by following these steps:

  1. SSH into your instance via your preferred method.

  2. Run the command: sudo eix-sync && sudo emerge app-shells/bash

If you have any questions, concerns, or issues applying this patch then please contact our Application Support team by submitting a support ticket.

This post will be updated again once we have additional information.


Issue

A vulnerability in Bash has been discovered, affecting Debian, Ubuntu, Gentoo, and other Linux distributions, which allows arbitrary code to be executed by a remote attacker on the affected host.

Any hosted application that passes unsanitized variables to a shell command is potentially exposed to this vulnerability. Such applications are therefore at risk of further exploitation if an attack proves successful.
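As an added example (not Engine Yard's own tooling and not part of this post), the POSIX shell script below wraps the two widely published checks for CVE-2014-6271 and CVE-2014-7169 into a single status report so an operator can confirm a rebuilt bash carries both fixes; the function names are assumptions, and the check commands are the same ones quoted in the comments and in Red Hat's advisory.

```shell
#!/bin/sh
# Added example, not Engine Yard tooling; function names are assumed.
# Runs the two published Shellshock checks (the same commands quoted in
# the comments below and in Red Hat's article) against the bash on PATH
# and reports whether each fix is present. The only side effect is a
# scratch directory that is created and removed again.

# CVE-2014-6271: a function definition imported from the environment must
# not execute the command that trails it. Returns 0 = fixed, 1 = vulnerable.
check_cve_2014_6271() {
  out=$(env 'x=() { :;}; echo vulnerable' \
            'BASH_FUNC_x()=() { :;}; echo vulnerable' \
            bash -c 'echo this is a test' 2>/dev/null) || true
  case "$out" in
    *vulnerable*) return 1 ;;
    *)            return 0 ;;
  esac
}

# CVE-2014-7169: a truncated function definition must not leave a pending
# redirection that creates a file named after the next word of the command.
# Runs in a scratch directory so /tmp is never touched. 0 = fixed, 1 = vulnerable.
check_cve_2014_7169() {
  dir=$(mktemp -d) || return 2
  ( cd "$dir" && env 'x=() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
  if [ -e "$dir/echo" ]; then
    rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"; return 0
}

# Prints one line per CVE, then a one-word verdict on the last line:
# "patched", "vulnerable" or "bash-not-found". Exit status 0 only if patched.
shellshock_summary() {
  command -v bash >/dev/null 2>&1 || { echo bash-not-found; return 2; }
  verdict=patched
  if check_cve_2014_6271; then echo "CVE-2014-6271: fixed"
  else echo "CVE-2014-6271: VULNERABLE"; verdict=vulnerable; fi
  if check_cve_2014_7169; then echo "CVE-2014-7169: fixed"
  else echo "CVE-2014-7169: VULNERABLE"; verdict=vulnerable; fi
  echo "$verdict"
  [ "$verdict" = patched ]
}

shellshock_summary
```

Run it once before and once after sudo emerge app-shells/bash; the verdict line should change from vulnerable to patched.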

Solution

Engine Yard engineers are actively working through the official patches to have them available as soon as possible for our customers.  The projected completion time is early business hours tomorrow, September 25th.  Patch instructions will follow.

Further updates will be posted as available.  Be sure to subscribe to this Known Issue to receive prompt email notifications.  

Affected Gentoo Bash versions

bash-3.1_p18

bash-3.2_p52

bash-4.0_p39

bash-4.1_p12

bash-4.2_p48

More Information

We are here to support you! If you have any questions or concerns, please open a ticket with our Support Team here: https://support.cloud.engineyard.com/tickets/new

Comments

  • Matt Grosso

    To validate the vulnerability you can do:

    tm50-s00411 bash-3.2.48 # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    tm50-s00411 bash-3.2.48 #
  • Jason Ives

    Will our instances be updated by EY, or will we need to do that ourselves?
  • Chris Reid

    Any ETA on the patch?
  • Pete Brumm

    You can do this manually on each instance:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    $ sudo emerge --sync
    $ sudo emerge --update bash
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    Not optimal, but better than waiting.
  • Chris Reid

    OK, good to know. I had assumed the fix wasn't available in the package manager yet.
  • Permanently deleted user

    Thanks for the update. Would be great if this could be added to the base chef scripts, perhaps when CVE-2014-7169 is fixed?
  • Yves-Eric Martin

    Would it be possible to use "ey ssh" to update all the instances of an environment with a single command?
  • Yu Kitazume

    You can check it here:

    $ ey ssh "env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"" --all

    and update here:

    $ ey ssh "sudo eix-sync && sudo emerge app-shells/bash" --all
  • Yves-Eric Martin

    Thank you Kitazume-san, that worked like a charm!
  • Thibaut Barrère

    Is CVE-2014-7169 (and not only the original CVE-2014-6271) already covered by the current version available via emerge?

    (see https://www.debian.org/security/2014/dsa-3035)

    If not, can EY update here when a new package will be available?

    Thanks for your support!
  • BLiNQ Admin

    It doesn't look like the patch for CVE-2014-7169 is available yet. Refer to this advisory from Red Hat on how to test for it: https://access.redhat.com/articles/1200223

    Updating bash via emerge and then testing using this command

    cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

    it looks like it hasn't been fixed yet.
  • Pete Brumm

    @BLiNQ Admin what Engine Yard stack are you running? We're running the v4 stack, and after patching, we see this:

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    bash: error importing function definition for `BASH_FUNC_x()'
    test

    According to the RedHat url you referenced, this is not vulnerable.
  • BLiNQ Admin

    Daniel, in the RedHat url, refer to this section:

    The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

    $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
    bash: x: line 1: syntax error near unexpected token `='
    bash: x: line 1: `'
    bash: error importing function definition for `x'
    Fri Sep 26 11:49:58 GMT 2014

    If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created.

    If your system is not vulnerable, you will see output similar to:

    $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
    date
    cat: /tmp/echo: No such file or directory
  • Pete Brumm

    Thanks @BLiNQ Admin. Too hasty on my part. Didn't notice that even though the page was CVE-2014-7169, that step was for CVE-2014-6271. Thanks again!
  • Matthew Daimler

    The EY suggested commands did not work for me, but Daniel Nelson's suggestions did. Thanks Daniel!
  • Thibaut Barrère

    Fwiw, I think a second updated version of bash seems to be available via emerge.

    I initially patched for exploit 1 as seen on https://shellshocker.net/ (the original exploit).

    Then later I tried the second command listed at https://shellshocker.net/ (which is for exploit 2, CVE-2014-7169), and my host was marked vulnerable.

    Then I ran emerge again, and exploit 2 wasn't passing anymore.

    Exploit 3 still hasn't got a CVE at time of writing, and the latest emerge bash seems to output the date.
  • Thibaut Barrère

    Just noticed the updated post which mentions that the second patch is indeed available.
  • Thibaut Barrère

    Looks like another CVE (CVE-2014-6277) is on the way. The author of this blog post has apparently been doing some fuzzy testing and strongly recommends applying Florian's patch (see the last paragraph of http://lcamtuf.blogspot.fr/2014/09/bash-bug-apply-unofficial-patch-now.html).

    Is this patch already bundled in the latest bash version available via emerge?
  • Thibaut Barrère

    Looks like indeed Florian's patch has been included in RHEL, if I believe https://news.ycombinator.com/item?id=8378203.
  • Thibaut Barrère

    CVE-2014-6278 is now covered here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278

    On my machine though, after applying the 3rd revision of bash, the bash script at https://shellshocker.net/ reports as not vulnerable (and at time of writing, the script reports no vulnerability).
  • Permanently deleted user

    The hotfix has been released and you can read the release notes here. The security patches are now available via the Upgrade button in your environment.