[Tanel]

Linuxipakendaja RedHati insenerid tuvastasid bashi shellist üliohtliku turvaaugu, mis nüüd kõnekeeles nimeks saanud Shellshock. Ohuaste on kümnepalli süsteemis maksimaalne ehk 10 palli ning seda just ärakasutamise lihtsuse poolest.

Paljudes linuxil põhinevates süsteemides (lisaks ka näiteks OS X peal) kasutatav bash lubas kenasti keskkonna kirjeldamiseks käivitava käsu env puhul kontrollimata õiguste olemasolu jagada õiguseid süsteemi tasemel. Pahandus tulebki sellest, et suvaline protsess – kas siis shellis olles või shelli protsessi kuidagi määratledes saab juurdepääsu süsteemile endale. Siinkohal võib vast näiteks tuua juba kiirelt ilmunud botneti, mis muuseas kasutab ära avaliku veebiteenuse sees oleva CGI kaudu privileegide omandamist. Esimene turvapaik ei pruugi aga olukorda kuidagi lahendada, sest asja uurivad spetsialistid on leidnud juba paigatud masinates veelgi võimalusi rünnete sooritamiseks. Seega on ainsaks mõistlikuks lahenduseks pidevalt bash pakki uuendada ja seejuures mitte ära unustada ka teiste süsteemiuuenduste paigaldamist.

Allikas: http://uus.minut.ee/shellshock-suurem-turvaauk-kui-heartbleed/
Loe ka: https://kyberkirjutised.ria.ee/oluline-paik-susteemidele-milles-kasutusel-binbash/

[tahanteada]

Niipalju lisaks, et välismaised Turvalingid kirjutavad sellest probleem-teemast palju pikemalt ja pöhjalikumalt.

Näiteks:

Hackers Using 'Shellshock' Bash Vulnerability to Launch Botnet Attacks

http://thehackernews.com/2014/09/Shellshock-Bash-Vulnerability-exploit.html
--------------------------
PS: Ja HVF-i Uudisvihjetes oli olemas selle Probleemi esmane teemakäsitlus juba paar päeva tagasi, seega teised Eesti netiallikad magasid mitu päeva selle turvateema maha.
https://foorum.hinnavaatlus.ee/viewtopic.php?t=622299

[Dogbert]

Debianis lapitud neljapäevase seisuga.

[klf]

[ufo56]

[tahanteada]

Paistab, et Apple on üsna optimistlik selle probleemi juues:

Apple — Most Mac OS X Users Not Vulnerable to 'Shellshock' Bash Bug

http://thehackernews.com/2014/09/apple-most-mac-os-x-users-not_26.html

[dksvertix]

Enamus turvaauke eksisteerib tegelikult juba üle kümne aasta. Osadele firmadele käib valitsus hunniku pappi välja, et nad esiteks, ei avalikustaks turvariske ja teiseks, et nad ei lapiks neid auke kinni. Ja kui firma keeldub maksumaksja raha vastuvõtmisest maksumaksja enda vastu kasutamiseks, siis tehakse nendele firmadele USA moodi läbirääkimist-jõukasutust - ähvardatakse meedias terroristiks tembeldamisega ja "vabatahtliku" Guantanamo Bay vangikongi visiidiga. Ja no muidugi, lihtinimene, kui tal juba näiteks teler on, see usub absoluutselt kõike mis sealt tuleb. Kunagi ei osata näha detaile, või pigem nende olemasolu puudumist, ega esita õigeid küsimusi, nõuda täpsustust. Perfektne diktatuur.

[olka]

vanad mitte vajalikud augud kinni, uued jäävad lahti, et saaks edasi luurata.

[tahanteada]

Hetkel näitab CVE Details, et tegemist on siis kahe avastatud probleemiga:

GNU » Bash » 4.3 : Security Vulnerabilities

http://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-21050/version_id-172000/GNU-Bash-4.3.html

[aht0]

Õigem oleks vast "bashshock".. teisi shelle, näiteks C-shelle nagu csh või tcsh, see ju vähimalgi määral ei puuduta

OS X'l ei vedanud. Kuni 10.2.8'ni kasutas tcsh-d, 10.3 ja uuemad bash'i

[Dogbert]

Debianis teine bash auk lapitud reedese seisuga, eelmise puhul eksisin - kolmapäevase seisuga oli lapitud.

[VeixES]

Pidu ei ole veel läbi:

http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

http://seclists.org/oss-sec/2014/q3/747

[tahanteada]

FSF on siis ka pikema jutu kirjutanud, tösi, see on juba mitu päeva tagasi avaldatud aga nüüd siis rohkem liikvel:
por Free Software Foundation — Published on 25/09/2014 16h51

Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
A major security vulnerability has been discovered in the free software shell GNU Bash. The most serious issues have already been fixed, and a complete fix is well underway. GNU/Linux distributions are working quickly to release updated packages for their users. All Bash users should upgrade immediately, and audit the list of remote network services running on their systems.

Bash is the GNU Project's shell; it is part of the suite of software that makes up the GNU operating system. The GNU programs plus the kernel Linux form a commonly used complete free software operating system, called GNU/Linux. The bug, which is being referred to as "shellshock," can allow, in some circumstances, attackers to remotely access and control systems using Bash (and programs that call Bash) as an attack vector, regardless of what kernel they are running. The bug probably affects many GNU/Linux users, along with those using Bash on proprietary operating systems like Apple's OS X and Microsoft Windows. Additional technical details about the issue can be found at CVE-2014-6271 and CVE-2014-7169.

GNU Bash has been widely adopted because it is a free (as in freedom), reliable, and featureful shell. This popularity means the serious bug that was published yesterday is just as widespread. Fortunately, GNU Bash's license, the GNU General Public License version 3, has facilitated a rapid response. It allowed Red Hat to develop and share patches in conjunction with Bash upstream developers efforts to fix the bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.

Software freedom is a precondition for secure computing; it guarantees everyone the ability to examine the code to detect vulnerabilities, and to create new and safe versions if a vulnerability is discovered. Your software freedom does not guarantee bug-free code, and neither does proprietary software: bugs happen no matter how the software is licensed. But when a bug is discovered in free software, everyone has the permission, rights, and source code to expose and fix the problem. That fix can then be immediately freely distributed to everyone who needs it. Thus, these freedoms are crucial for ethical, secure computing.

Proprietary, (aka nonfree) software relies on an unjust development model that denies users the basic freedom to control their computers. When software's code is kept hidden, it is vulnerable not only to bugs that go undetected, but to the easier deliberate addition and maintenance of malicious features. Companies can use the obscurity of their code to hide serious problems, and it has been documented that Microsoft provides intelligence agencies with information about security vulnerabilities before fixing them.

Free software cannot guarantee your security, and in certain situations may appear less secure on specific vectors than some proprietary programs. As was widely agreed in the aftermath of the OpenSSL "Heartbleed" bug, the solution is not to trade one security bug for the very deep insecurity inherently created by proprietary software -- the solution is to put energy and resources into auditing and improving free programs.

Development of Bash, and GNU in general, is almost exclusively a volunteer effort, and you can contribute. We are reviewing Bash development, to see if increased funding can help prevent future problems. If you or your organization use Bash and are potentially interested in supporting its development, please contact us.

The patches to fix this issue can be obtained directly at http://ftp.gnu.org/gnu/bash/.

http://www.disney.com/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability
----------------------
Edit: Paistab sedamoodi, et ka Apple on siis parandused välja lasknud:
Apple Releases OS X Bash Update 1.0 to Address "Shellshock" on Three OS X Versions

http://news.softpedia.com/news/Apple-Releases-OS-X-Bash-Update-1-0-to-Address-quot-ShellShock-quot-on-Three-OS-X-Versions-460384.shtml
-------------------------------------
Ja järgmine jutt siis:

OpenVPN Servers Vulnerable to Shellshock
Servers with OpenVPN open-source software package for running connections through a virtual private network for security reasons, can be abused by leveraging the Shellshock bug in Bash command-line tool for Linux.

OpenVPN basically allows the creation of a tunnel between the client and a secure server that intermediates the connection to the intended target. It relies on a custom security protocol using SSL/TLS for exchanging the encryption keys.

Compromising these servers can happen because the software includes configuration options that permit calling custom commands during the tunnel session.

Fredrik Strömberg, co-founder of Swedish VPN company Mullvad, says in a post that many of the commands called already have the variables set and in some cases they can be controlled by the client.

“One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username,” he adds.

The researcher made the discovery last week and contacted the OpenVPN maintainers. Providers of VPN services using this package can avoid the Shellshock trouble by making sure that Bash is not used for running scripts.

Another way to guard against a possible compromise is to apply the existent patch for Bash. Florian Weimer created a fix for the issue, which appears to lock most of the doors for exploiting the 22-year-old glitch in Bash.

After the original Shellshock vulnerability, five others followed after attempts to provide a patch failed; the last two have not been publicly disclosed yet.

http://news.softpedia.com/news/OpenVPN-Servers-Vulnerable-to-Shellshock-460534.shtml