Security

From BubbaWiki
Jump to: navigation, search


This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has been existing since roughly 1992. The following code allows testing for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following line of code:

env X='() { (a)=>\' bash -c "echo date"; cat echo

CAUTION: On a vulnerable system, bash will report something like

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<current date>

printing and saving the system date (<current date>) at execution time to a file called echo. A fixed system will report

date
cat: echo: No such file or directory

while not creating a file named echo.

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

Install the fixed bash version by running the following commands as root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the file marked bold from above, while the second installs the downloaded package.