Security

From BubbaWiki
Jump to navigation Jump to search


This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has been existing since roughly 1992. The following code allows testing for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following line of code:

env X='() { (a)=>\' bash -c "echo date"; cat echo

CAUTION: On a vulnerable system, bash will report something like

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<current date>

printing and saving the system date (<current date>) at execution time to a file called echo. A fixed system will report

date
cat: echo: No such file or directory

while not creating a file named echo.

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

Install the fixed bash version by running the following commands as root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the file marked bold from above, while the second installs the downloaded package.