
Testing Shellshock Bug In BASH – CVE-2014-7169 (Exploit 2)

Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.

env testbug='() { (CEV-2014-7169)=>\' bash -c "echo date"; cat echo ; rm -f echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.


Testing Shellshock Bug In BASH – CVE-2014-6271 (Exploit 1)

To test for the vulnerability on your *nix systems just issue the following command as any user (doesn’t have to be root):

env testbug='() { :;}; echo VULNERABLE' bash -c "echo completed"

If you see this:

VULNERABLE
completed

It’s vulnerable. If it’s fixed or not vulnerable, you should see this:

bash: warning: testbug: ignoring function definition attempt
bash: error importing function definition for `testbug'
completed


CVE-2014-6271: remote code execution through bash, time to patch!

“Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.”

In many common configurations, this vulnerability is exploitable over the network.

This vulnerability is actually really bad and you want to patch any Internet-facing systems ASAP! It allows remote, unauthenticated attackers to run code on vulnerable systems. It scores a 10 on the NVD severity scale: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

The good news is that it’s an easy fix:

Debian (Ubuntu, etc.):

sudo apt-get update
sudo apt-get upgrade bash

RHEL (Fedora, CentOS, etc.):

sudo yum update bash

Please refer to your operating system vendor’s instructions, for example:

via: http://seclists.org/oss-sec/2014/q3/649


goto Fail screenshots for iPhone

At the end of last week, Apple pushed iOS 7.0.6, fixing a “data security” problem.

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID CVE-2014-1266

[Screenshots: goto-fail-01 through goto-fail-07]

$ diff -urN <(curl -s http://opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/lib/sslKeyExchange.c\?txt) \
    <(curl -s http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c\?txt) \
    | grep -A 7 627,6
@@ -627,6 +628,7 @@
         goto fail;
     if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
         goto fail;
+        goto fail;
     if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
         goto fail;
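
Review bot: the added `goto fail;` after the `SSLHashSHA1.update(&hashCtx, &signedParams)` check is not governed by that `if`; despite its indentation it runs unconditionally, so when the update succeeds control still jumps to `fail` with `err` equal to 0, and the `SSLHashSHA1.final(&hashCtx, &hashOut)` check below it can never be reached. Delete the duplicated line, and put braces around every `if` body in this chain so a stray statement cannot fall outside its condition. Building with unreachable-code warnings enabled would flag the dead `SSLHashSHA1.final` call.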