Vulnerability overview
A very serious security vulnerability has been discovered today in the Bash shell bundled with Linux (reference: https://access.redhat.com/security/cve/CVE-2014-6271). An attacker can exploit this Bash flaw to take complete control of the target system and launch further attacks from it.
Fixes based on applying the official patches have already been published on the Internet, but as of now the latest officially released patch has been found to be bypassable by security researchers, so there is not yet a fully effective direct fix. Until there is one, we recommend using Jiasule (加速乐) for protection.
Exploitation scenarios
All of the following service scenarios are affected by this defect:
1. OpenSSH sshd using the ForceCommand feature
ForceCommand is used to grant remote users restricted command execution, so services built on it, such as git and subversion, are affected.
2. Apache HTTP Server using the mod_cgi and mod_cgid modules
When Apache has mod_cgi or mod_cgid enabled, any CGI script that is written in bash, or that spawns a subshell, is affected. Calls that spawn such a subshell include:
system/popen in C, os.system/os.popen in Python, system/exec in PHP, and open/system in Perl.
Verification method
To check whether this vulnerability is present:
Run the following command on Linux; if it prints the current date and time, the vulnerability is present.
$ env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Wed Sep 24 14:12:49 PDT 2014
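The check above exercises the parser bug that survived the first patch (the `(a)=>\` fragment); on a vulnerable bash it also leaves a file named `echo` in the current directory, which is what `cat echo` reads. The script below is an added example, not from the original post, of a non-destructive host check a defender can run on every box: two probes run bash in a clean environment and only try to echo a marker, so nothing is written and nothing else on the host is touched. The probe and function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): non-destructive host check for
# the bash function-import bug. Probe names below are this example's own.

# Probe 1 (CVE-2014-6271): does bash execute code appended after a function
# body that arrives in an environment variable? A patched bash prints only
# "test"; an unpatched one also prints "vulnerable".
shellshock_probe_trailing_code() {
  env -i x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null \
    | grep -q '^vulnerable$' && echo vulnerable || echo patched
}

# Probe 2: does bash still import a function from an arbitrarily named
# variable at all? Fixed versions import only from specially prefixed
# variables, so "x" is not a function in the child shell. Reports "imports"
# on a bash that still has the old import behaviour.
shellshock_probe_function_import() {
  if env -i x='() { :;}' bash -c 'type x >/dev/null 2>&1' 2>/dev/null; then
    echo imports
  else
    echo patched
  fi
}

# Aggregate check: exit 0 when both probes report patched, 1 when either
# probe flags the bug, 2 when no bash binary is available to test.
shellshock_check() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "bash not found on this host"
    return 2
  fi
  r1=$(shellshock_probe_trailing_code)
  r2=$(shellshock_probe_function_import)
  echo "trailing-code probe:    $r1"
  echo "function-import probe:  $r2"
  if [ "$r1" = patched ] && [ "$r2" = patched ]; then
    echo "result: bash looks patched"
    return 0
  fi
  echo "result: bash is vulnerable, update it"
  return 1
}

shellshock_check
```

Run it as-is (it is plain POSIX sh and only invokes bash inside the probes). Probe 2 is the more useful of the two after patching, because it confirms that the import mechanism itself was changed rather than just that one payload shape is rejected; a host where bash is missing reads as "patched" in the individual probes but is reported separately by `shellshock_check`.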
Some fixes published on the Internet
Fixes based on applying the official patches have already been published on the Internet, but as of now the latest officially released patch has been found to be bypassable by security researchers. Some vendors have since re-issued their patches and others have not yet; until they do, we recommend using Jiasule (加速乐) for protection and watching closely for updates from your operating system vendor.
CentOS:
yum clean all
yum --enablerepo=updates install bash
Ubuntu:
apt-get update
apt-get install bash
-------------------------
Bash (GNU Bourne-Again SHell) is a common command line interface (shell) for newer styles of UNIX-like operating systems. It’s favored by Linux distributions and OS X because it is a little more user friendly than other shells. It has also had a 22 year old bug that allows an attacker to possibly remotely execute arbitrary commands on the victim’s machine, typically as root. Read the full CVE-2014-6271 CERT report.
What does this mean for us OS X users? Well, not much, unless you run DHCP or Internet Connection Sharing (which uses DHCP) which could allow remote command execution.
What does this mean for your Linux box? If you have any idiotic applications that allow remote input, such as a form or setup script that passes unchecked variables to Bash, you’re in big trouble.
Implications are all over the place: Huge DDoS botnets powered by massively connected machines. People’s data being compromised everywhere. Scanners executing a simple command such as rm -rf / which will simply nuke the entire server’s disk… It’s going to be messy for people that have followed poor development and security practices with their web applications, stats, log analysis software, or any application that passes external input to bash.
This doesn’t impact BSD (by default), which for the most part has shunned Bash since its beginning, favoring a different shell called cshell (csh). It also probably will not heavily impact services like Facebook and Google, because they shouldn’t be allowing shell calls from web applications and their user access should be limited to trusted applications and users anyway.
WAFs (Web Application Firewalls) are a huge help in this situation. Rather than wait for all of your services to be patched you can deploy a rule or have your WAF service deploy a rule that can block this attack vector. I consider this a huge advantage when combatting new exploits.
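The WAF rule the quoted post refers to keys on one thing: the `() {` function-definition prefix arriving in an HTTP header that a CGI script would receive as an environment variable (User-Agent, Referer, Cookie and so on). The script below is an added example, not part of the original post or of any WAF product, that applies the same pattern to web server logs so that attempts made before the rule or the patch landed can be found. The log lines are constructed for the example, the IPs are documentation addresses, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): scan access logs for the bash
# function-definition prefix that this bug's exploitation requires in a header.

# Constructed combined-format log lines for the example; not real traffic.
# Lines 1 and 3 carry the prefix in User-Agent and Referer respectively.
# Line 4 carries "(x) {", which is not a function prefix and must not match.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.30"
192.0.2.4 - - [25/Sep/2014:10:02:11 +0000] "POST /api/fn HTTP/1.1" 200 20 "-" "app (x) {v1}"'

# "()" followed by optional whitespace and "{" is the shape bash's importer
# accepted; it has no legitimate reason to appear in a request header.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print every matching line read from stdin (exit 1 when there are none).
shellshock_log_matches() {
  grep -E "$SHELLSHOCK_RE"
}

# Print the number of matching lines read from stdin ("0" when none).
shellshock_log_count() {
  n=$(grep -cE "$SHELLSHOCK_RE" || true)
  echo "$n"
}

# Print the distinct client addresses that sent a matching request, one per
# line, for blocking at the edge or for correlation with other logs.
shellshock_log_sources() {
  grep -E "$SHELLSHOCK_RE" | cut -d' ' -f1 | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | shellshock_log_matches
printf '%s\n' "$SAMPLE_LOG" | shellshock_log_count
printf '%s\n' "$SAMPLE_LOG" | shellshock_log_sources
```

Against real logs, pipe the file in instead of `$SAMPLE_LOG` (for example `shellshock_log_sources < /var/log/apache2/access.log`). The pattern is deliberately loose about whitespace, but only the fields the web server writes to its log are visible here; headers that are not logged, and URL-encoded or otherwise obfuscated variants, will not show up, so treat a hit count of zero as "nothing seen", not as "nothing happened". A CGI host that logged a hit while still unpatched should be treated as compromised until shown otherwise.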
Anyway, it’s time to get patching and expect the Internet to be a little messy for the next few months.
from http://www.blyon.com/this-bash-bug-will-be-a-mess/