搜索

linux系统bash漏洞曝光，威胁巨大，bash修复方法

2014-9-25 10:40| 发布者: tianzc| 查看: 8027| 评论: 0

摘要: 红帽公司已经意识到影响所有版本的bash的包作为附带的Red Hat产品的一个漏洞。此漏洞CVE-2014-6271可能允许执行任意代码。某些服务和应用程序允许未经身份验证的远程攻击者提供的环境变量，使他们能够利用此问题。这 ...

红帽公司已经意识到影响所有版本的bash的包作为附带的Red Hat产品的一个漏洞。此漏洞CVE-2014-6271可能允许执行任意代码。某些服务和应用程序允许未经身份验证的远程攻击者提供的环境变量，使他们能够利用此问题。

这是如何影响系统

此问题会影响所有使用bash shell，然后解析环境变量的值的产品。这个问题是特别危险的，因为有许多可能的方法击可由应用程序调用。如果一个应用程序执行另一个二进制很多时候，巴什被调用，以实现这一目标。由于普遍使用的Bash shell的，这个问题是相当严重的，应受到同样的对待。

之前那些列为此问题的更新所有版本都容易受到一定的影响。

请参阅具体相应的补救文章。

受影响的产品：

产品/频道固定在包修复的详细信息

红帽企业Linux7的bash-4.2.45-5.el7_0.2红帽企业Linux

红帽企业Linux6的bash-4.1.2-15.el6_5.1红帽企业Linux

庆典 - 4.1.2-15.el6_5.1.sjis.1红帽企业Linux

庆典 - 4.1.2-9.el6_2.1红帽企业Linux6.2澳元

庆典 - 4.1.2-15.el6_4.1红帽企业Linux6.4 EUS

红帽企业Linux5的bash-3.2-33.el5.1红帽企业Linux

庆典 - 3.2-33.el5_11.1.sjis.1红帽企业Linux

庆典 - 3.2-24.el5_6.1红帽企业Linux5.6的LL

庆典 - 3.2-32.el5_9.2红帽企业Linux5.9 EUS

红帽企业Linux4的bash-3.0-27.el4.2的Red Hat Enterprise Linux 4中的ELS

因为任何一台机器上面列出的产品类不能确定连接是否它使作为客户端是一个脆弱的服务器的唯一谨慎的办法，以确保在任何机器上运行有漏洞的版本更新。

Products Affected:

Product/Channel	Fixed in package	Remediation details
Red Hat Enterprise Linux 7	bash-4.2.45-5.el7_0.2	Red Hat Enterprise Linux
Red Hat Enterprise Linux 6	bash-4.1.2-15.el6_5.1	Red Hat Enterprise Linux
	bash-4.1.2-15.el6_5.1.sjis.1	Red Hat Enterprise Linux
	bash-4.1.2-9.el6_2.1	Red Hat Enterprise Linux 6.2 AUS
	bash-4.1.2-15.el6_4.1	Red Hat Enterprise Linux 6.4 EUS
Red Hat Enterprise Linux 5	bash-3.2-33.el5.1	Red Hat Enterprise Linux
	bash-3.2-33.el5_11.1.sjis.1	Red Hat Enterprise Linux
	bash-3.2-24.el5_6.1	Red Hat Enterprise Linux 5.6 LL
	bash-3.2-32.el5_9.2	Red Hat Enterprise Linux 5.9 EUS
Red Hat Enterprise Linux 4	bash-3.0-27.el4.2	Red Hat Enterprise Linux 4 ELS

诊断步骤

要测试你的Bash版本是容易受到此问题，请运行以下命令：

Diagnostic Steps

To test if your version of Bash is vulnerable to this issue, run the following command:

$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

常见的配置示例：

红帽公司进行分析，以更好地理解这个问题的规模以及它如何影响各种配置。在下面的清单并不详尽，而且是为了使这一问题是如何影响某些配置中的一些例子，以及为什么复杂的高电平使得不可能指定的东西不会受到此问题。最好的行动当然是来砸升级到一个固定的版本。

包装说明

httpd的CGI脚本有可能受此问题的影响：当一个CGI脚本的Web服务器上运行，它使用的环境变量，将数据传递给脚本。这些环境变量可以被攻击者控制的。如果CGI脚本调用猛砸，该脚本可以执行任意代码的httpd的用户。 mod_php，并且，mod_perl的，和mod_python不要使用环境变量，我们相信他们不会受到影响。

安全Shell（SSH），这种情况并不少见，以限制远程命令，用户可以通过SSH运行，比如rsync的或饭桶。在这些情况下，这个问题可以被用来执行任何命令时，不只是局限于命令。

dhclient的动态主机配置协议客户端（dhclient的）被用来通过DHCP自动获取网络配置信息。该客户端使用不同的环境变量和运行bash来配置网络接口。连接到一个恶意的DHCP服务器可能允许攻击者在客户机上运行任意代码。

CUPS据认为，CUPS受此问题。各个用户提供的值被存储在环境变量中，当执行过滤器杯。

sudo的命令通过sudo运行不会受到这个问题。须藤专门查找环境变量也是功能。它仍然是可能的运行命令来设置环境变量，可能导致一个bash的子进程来执行任意代码。

火狐我们不认为Firefox的可以强制设置的方式一个环境变量，允许bash来执行任意命令。它仍然是可取的升级bash的，因为它是普通安装各种插件和扩展，它可能允许这种行为。

Postfix的Postfix服务器将与取代各种人物？虽然Postfix服务器并调用猛砸在以各种方式，我们不相信一个任意环境变量可以通过服务器进行设置。但也可以是一个过滤器可以设置环境变量。

该缺陷的更详细分析，请访问： https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack

Package	Description
httpd	CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
Secure Shell (SSH)	It is not uncommon to restrict remote commands that a user can run via SSH, such as rsync or git. In these instances, this issue can be used to execute any command, not just the restricted command.
dhclient	The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
CUPS	It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed.
sudo	Commands run via sudo are not affected by this issue. Sudo specifically looks for environment variables that are also functions. It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.
Firefox	We do not believe Firefox can be forced to set an environment variable in a manner that would allow Bash to run arbitrary commands. It is still advisable to upgrade Bash as it is common to install various plug-ins and extensions that could allow this behavior.
Postfix	The Postfix server will replace various characters with a ?. While the Postfix server does call Bash in a variety of ways, we do not believe an arbitrary environment variable can be set by the server. It is however possible that a filter could set environment variables.

常见问题

这是常见的漏洞CVE-2014-6271 Bash中。

我相信我的系统可能已被破坏，由于这个漏洞，我该怎么办？

用手机打开支持案例与红帽（https://access.redhat.com/support/cases/new）或联系红帽支持（https://access.redhat.com/support/contact/technicalSupport）。

我是否需要重新启动或安装此更新后重新启动服务？

不，一旦新的bash软件包安装，则不需要重新启动或重新启动任何服务。此问题只影响在Bash shell启动时，没有运行炮弹。升级包将确保正在使用的是固定的版本开始所有新的炮弹。

其他的炮弹容易受到此问题？

Red Hat已经在这个问题上测试其它炮弹。我们无法重现出现在Bash中的行为。如果类似的问题被发现在其他shell我们会发布更新，合适。

是否有针对此问题的任何可能的缓解措施？

解决方法：使用mod_security的：

下面mod_security的规则可以被用来拒绝包含数据可由击被解释为函数的定义，如果在它的环境中设置的HTTP请求。它们可以被用来阻止攻击的网络服务，如对上述的CGI程序的攻击。

Workaround: Using mod_security:

The following mod_security rules can be used to reject HTTP requests containing data that may be interpreted by Bash as function definition if set in its environment. They can be used to block attacks against web services, such as attacks against CGI applications outlined above.

Request Header values:

SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

SERVER_PROTOCOL values:

SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST names:

SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST values:

SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

File names for uploads:

SecRule  FILES_NAMES "^\(\) {"  "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271  - Bash Attack'"

These may result in false positives but it's unlikely, and they can log them and keep an eye on it. You may also want to avoid logging as this could result in a significant amount of log files.

Workaround: Using IPTables:

A note on using IPTables string matching:

iptables using -m string --hex-string '|28 29 20 7B|'

Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability.

注意：尽管有上述解决方法，红帽强烈建议应用安全顾问的修复这个问题