BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>

For discussions about security.
perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#166 Post by perdido »

mavrothal wrote:Bash-3.0.22.
Passes all tests.

Keep in mind that although older versions may not be vulnerable to given exploits, newer versions have better solutions for the given problems (till the next version of course... :roll: )
Puppy 4.1.2 friendly version that does not break frisbee.

Thanks!

.

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

Oscar Talks' slacko pet good

#167 Post by ozsouth »

Oscar Talks' slacko pet passes all 7 tests in slacko 5.7 & 5.7.0

http://smokey01.com/OscarTalks/bash-4.2 ... ko14.0.pet

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#168 Post by James C »

Latest Bash from Slackware in Slacko64-5.9.1.

Code:

# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Code:

# curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   4343      0 --:--:-- --:--:-- --:--:--  5350
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 50: 12499 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#169 Post by prehistoric »

@James C,

See the explanation I added to my post concerning Fatdog 700 b1 and back porting to patch 630-631. We are now using slaptget packages so this may work for your system also.

gcmartin

#170 Post by gcmartin »

Hello @Prehistoric and @James C. You may have noticed the difference in BASH version each is testing to yield your results.

@Prehistoric, if possible and time permits, could you boot a Lighthouse64 ISO?

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#171 Post by prehistoric »

@gcmartin,

When I got a fast download of Lighthouse Pup 6.02 b2, I ran a quick experiment of dropping in the binary from /bin/bash in Fatdog 700 b1. The version named in the prompt needs to be updated, and likely a few other files. This appears to work, but obviously it is not carefully tested to see if it breaks anything else. I'll leave that to people familiar with Lighthouse Puppy.

Code:

bash-4.1# bash --version
GNU bash, version 4.2.52(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<root> ~
bash-4.1# curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   6191      0 --:--:-- --:--:-- --:--:--  6931
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
<root> ~
bash-4.1#

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#172 Post by James C »

Slacko 5.7 from the Updates Manager.

Code:

# curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   6177      0 --:--:-- --:--:-- --:--:--  7297
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Code:

# bash --version
GNU bash, version 4.2.50(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# 
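
The test results posted above can be compared mechanically. As an added example (not part of any post in this thread), the shell functions below read saved output of the test script, list the CVE ids reported VULNERABLE, and fail when fewer than the seven checks seen in the thread ran. The function names and the idea of working from a saved copy are assumptions; the sample is the output from post #168 with the crash line shortened.

```bash
# Added example, not from the thread: summarise saved shellshock_test.sh output.

# Constructed sample: result lines from post #168 (segfault line shortened).
sample_168() {
cat <<'SAMPLE'
100  2627  100  2627    0     0   4343      0 --:--:-- --:--:-- --:--:--  5350
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 50: 12499 Segmentation fault      bash -c 'true <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
SAMPLE
}

# Print the ids reported VULNERABLE, one per line (reads stdin).
# curl progress lines and bash crash messages do not match and are skipped.
vulnerable_cves() {
    sed -n 's|^\(CVE-[0-9]*-[0-9/]*\) (.*): VULNERABLE[[:space:]]*$|\1|p'
}

# Count result lines of either kind, so a truncated run is noticed.
result_count() {
    grep -c -E '^CVE-[0-9]+-[0-9/]+ \(.*\): (VULNERABLE|not vulnerable)[[:space:]]*$' || true
}

# Succeed only if $1 checks were reported and none of them was VULNERABLE.
shellshock_clean() {
    expected=$1
    report=$(cat)
    seen=$(printf '%s\n' "$report" | result_count)
    bad=$(printf '%s\n' "$report" | vulnerable_cves)
    [ "$seen" -eq "$expected" ] && [ -z "$bad" ]
}

# Stand-alone run: show which check failed in the sample.
sample_168 | vulnerable_cves
```

Counting the result lines matters because a run that stops early prints no VULNERABLE line for the checks it never reached.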

Bird Dog
Posts: 71
Joined: Sun 15 Jun 2014, 18:06
Location: Toronto, Ontario, Canada

Bash threat help

#173 Post by Bird Dog »

I would just like to thank all those who helped resolve this bash threat, especially dejan 555, mavrothal, Geoffrey and James C. It's nice there are knowledgeable people who will help in times of need.
I am running precise 5.6.1 and I used dejan's bash 4.3.30 dpup 487 and everything is not vulnerable. Unfortunately I haven't figured out how to paste from the terminal.
If precise 5.7.1 was to be recommended to a new member, would this bash update and the heartbleed update provided by shinobar be all that was necessary for a secure operating system?

Thanks Bird Dog :D

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#174 Post by prehistoric »

@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability. SSLv3 is going away from all major browsers soon in any case. If the server demands SSL, and not TLS, it probably has other vulnerabilities stemming from old software. There are banks in this category.

This is not exactly a vulnerability in Puppy, but it is a weakness in secure communication which could compromise sensitive data. A man-in-the-middle could interfere with TLS connections, and cause fallback to SSL, if your browser allows this.

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#175 Post by watchdog »

prehistoric wrote:@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.
In firefox I use:

https://addons.mozilla.org/it/firefox/a ... l/?src=api

rolf
Posts: 34
Joined: Sun 28 Dec 2008, 17:24

#176 Post by rolf »

watchdog wrote:
prehistoric wrote:@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.
In firefox I use:

https://addons.mozilla.org/it/firefox/a ... l/?src=api
Thanks. I had to find an EN page:
SSL Version Control 0.2 wrote:As of version 0.2, this add-on should work with all Mozilla products, including Firefox, Firefox for Android, Thunderbird, and Seamonkey.
When I installed, I think I had to "Download anyway" but it seems to be working OK in
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0 SeaMonkey/2.18
Build identifier: 20130502195722
From the little I've read, this looks like a relatively recently documented security flaw that I had not heard anything about. Thanks for that, too.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

additional measures

#177 Post by 8Geee »

I also use V.C.SSL 0.2. One thing about it that annoys me is that it auto-logins using TLS 1.0. After starting FF, one has to manually select either 1.1 or 1.2 versions. On browser-close, the setting reverts to TLS 1.0.

And of course, for the security-minded folks, about config should be edited basically to allow anything with 256 in the name (especially sha256) and false those without 256 in the name.

Supposedly FF34 will remove ssl3 validations of all types, and eliminate rc4 logins.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#178 Post by bark_bark_bark »

In Seamonkey, all I had to do was uncheck the SSL 3 checkbox.
....

rolf
Posts: 34
Joined: Sun 28 Dec 2008, 17:24

#179 Post by rolf »

I tried setting SSL Version Control 0.2 to TLS 1.2 in the dropdown. I haven't had any problems with websites, yet, don't know if it is doing anything, and there is no longer a dropdown menu to select the version in this extension's preferences. :?

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#180 Post by perdido »

rolf wrote:I tried setting SSL Version Control 0.2 to TLS 1.2 in the dropdown. I haven't had any problems with websites, yet, don't know if it is doing anything, and there is no longer a dropdown menu to select the version in this extension's preferences. :?
This site tells you which SSL/TLS you are using.

https://www.howsmyssl.com/

edit: Forgot to mention I am using Firefox 16 Nightly and I had turned off SSL 3.0 before I went to this site. The site warned about a vulnerable cipher key; Firefox had not turned off the following vulnerable SSL 3.0 cipher key, security.ssl3.rsa_fips_des_ede3_sha, which was still marked as "true" in about:config. After changing it to "false", the only warning received from the connection was that the browser is using TLS 1.0.


.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#181 Post by 8Geee »

That's funny, mine fails to connect with "potentially vulnerable handshake" supplied by the server. Using TLS1.1 or 1.2 protocol here.

BTW... I disabled/removed ssl V.C. 0.2 and edited about config to a 3 fallback 2 config. TLS1.0 not allowed. I did this because one could select ssl3.0 in the dropdown box in the preferences of the add-on. Very naughty.

Griot
Posts: 131
Joined: Fri 12 Sep 2014, 18:10
Location: Serbia

#182 Post by Griot »

Thanx for the link, perdido. There is only one result marked as 'improvable' with Opera 12.16. It doesn't look like THE essential option to me. AFAIK SSL3 is disabled by default in said browser.
Session Ticket Support - Improvable
Session tickets are not supported in your client. Without them, services will have a harder time making your client's connections fast. Generally, clients with ephemeral key support get this for free.

rolf
Posts: 34
Joined: Sun 28 Dec 2008, 17:24

#183 Post by rolf »

perdido wrote:
This site tells you which SSL/TLS you are using.

https://www.howsmyssl.com/

.
It tells me
Bad Your client is using TLS 1.0
while SSL Version Control 0.2 is set to TLS 1.2

:?:

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#184 Post by perdido »

rolf wrote:
perdido wrote:
This site tells you which SSL/TLS you are using.

https://www.howsmyssl.com/

.
It tells me
Bad Your client is using TLS 1.0
while SSL Version Control 0.2 is set to TLS 1.2

:?:
Mentioned on the SSL Version control download page is that FF34, FF33 reset to TLS1.0 on restart.
https://addons.mozilla.org/en-US/firefo ... l/reviews/

.

rolf
Posts: 34
Joined: Sun 28 Dec 2008, 17:24

#185 Post by rolf »

perdido wrote: Mentioned on the SSL Version control download page is that FF34, FF33 reset to TLS1.0 on restart.
https://addons.mozilla.org/en-US/firefo ... l/reviews/

.
I can set the Version Control preference in the dropdown to anything, restart Seamonkey, and the page at https://www.howsmyssl.com/ always tells me I'm running TLS 1.0.

I had security.tls.version.min;3 set in about:config. I can change that to anything from security.tls.version.min;1 to security.tls.version.min;4 and it makes no difference when Seamonkey is restarted.

Seamonkey 2.18 Linux x86_64

Thanks.
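
The about:config settings discussed in the last several posts can also be read straight from a profile's prefs.js or user.js. The following is an added example, not part of any post: it decodes security.tls.version.min and security.tls.version.max using Mozilla's numbering (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) and flags RC4 or DES cipher prefs left enabled. The function names and the sample file are constructed for illustration.

```bash
# Added example, not from the thread: audit TLS prefs in prefs.js / user.js.
# A profile file lists only prefs changed from the built-in default, so an
# empty result means "unset here", not "safe".

# Constructed sample profile fragment, written to the path given as $1.
write_sample_prefs() {
cat > "$1" <<'PREFS'
user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.max", 1);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", true);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
PREFS
}

# Print the value a file assigns to a pref (last assignment wins).
pref_value() {   # $1 = file, $2 = pref name
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n 's|^user_pref("'"$name"'", *\([^)]*\));.*$|\1|p' "$1" | tail -n 1
}

# Protocol meant by a security.tls.version.min/max number.
tls_label() {
    case $1 in
        0) echo "SSL 3.0" ;;  1) echo "TLS 1.0" ;;  2) echo "TLS 1.1" ;;
        3) echo "TLS 1.2" ;;  4) echo "TLS 1.3" ;;  # 4 only in later releases
        "") echo "unset" ;;   *) echo "unknown" ;;
    esac
}

# Print one finding per line; no output means nothing was flagged.
audit_tls_prefs() {   # $1 = file
    min=$(pref_value "$1" security.tls.version.min)
    max=$(pref_value "$1" security.tls.version.max)
    if [ "$min" = 0 ]; then echo "minimum version allows SSL 3.0"; fi
    if [ -n "$min" ] && [ -n "$max" ] && [ "$min" -gt "$max" ]; then
        echo "min ($(tls_label "$min")) is above max ($(tls_label "$max"))"
    fi
    # Cipher prefs from the families named in the thread (RC4, DES) left on.
    grep -E '^user_pref\("security\.ssl3\.[a-z0-9_]*(rc4|des)[a-z0-9_]*", *true\);' "$1" |
        sed 's|^user_pref("\([^"]*\)".*|weak cipher enabled: \1|'
}

# Stand-alone run against the constructed sample.
demo=$(mktemp) && write_sample_prefs "$demo" && audit_tls_prefs "$demo"; rm -f "$demo"
```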
