Document retrieved from a search engine cache. Original document address:
http://theory.sinp.msu.ru/pipermail/ru-ngi/2014q3/001414.html
Modified: Tue Sep 30 06:51:27 2014. Indexed: Sun Apr 10 18:02:39 2016.
Colleagues, please pay attention to the bash shell problem on your sites.
-- A.K.

-------- Original Message --------
Subject: [Noc-managers] URGENT: security update for "shellshock"
Date: Mon, 29 Sep 2014 14:47:19 +0200
From: Leif Nixon <nixon at nsc.liu.se>
To: noc-managers at mailman.egi.eu
CC: csirt at mailman.egi.eu

Dear all,

Please refer to the just issued advisory below about a MANDATORY CRITICAL security update for the "shellshock" vulnerability. It is very important that all affected systems are updated immediately. This not only includes compute clusters, but also web servers, mail servers, laptops and desktops, and so on.

Currently, the following sites appear to not have installed the latest security update for bash (reservations for any false positives due to local customized packages, etc):

....
Russia - JINR-LCG2
Russia - RRC-KI
Russia - RU-SPbSU
....

--
Leif Nixon - Security officer
National Supercomputer Centre - Swedish National Infrastructure for Computing
Nordic Data Grid Facility - European Grid Infrastructure

--
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156

-------------- next part --------------
** WHITE information - unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

Title: URGENT: Update 1: EGI CSIRT 'CRITICAL' Risk - 'shellshock' vulnerability - arbitrary code execution via crafted environment variables
Date: 2014-09-29 Updated

This advisory will be placed on the public wiki at:
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Shellshock-2014-09-29

Introduction
============

Multiple vulnerabilities that allow a malicious user to run arbitrary code with the privileges of the victim who runs Bash scripts were found in Bourne Again Shell (bash). This has been called the 'shellshock' vulnerability and has been widely publicised.

NOTE: EGI CSIRT issued an initial advisory about shellshock on September 26, but since then additional problems and vulnerabilities have been discovered.
All running resources MUST be either patched or otherwise have a work-around in place by 2014-10-03T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

Details
=======

A specially constructed environment variable that contains a function definition and trailing executable statements will make bash execute this code at the point of script initialization. This vulnerability was assigned CVE-2014-6271 and is assessed CRITICAL by EGI CSIRT.

The initial patches issued by vendors like Red Hat and Ubuntu have unfortunately been shown to be incomplete, and multiple additional weaknesses allowing an attacker to trigger unintended code execution have been found. The most serious of these is CVE-2014-6278, which is assessed CRITICAL by EGI CSIRT.

There is a wide range of vectors that can be used to trigger the shellshock vulnerabilities, including - but not limited to - batch systems like Torque and Slurm, web cgi scripts and mail filters like procmail.

Various exploits are publicly available and are currently being used on a massive scale by many groups of attackers.

Component installation information
==================================

To fully patch the vulnerabilities, sites must immediately install the latest bash updates:

For Red Hat-type systems, these are the versions to update to:
- Enterprise Linux 7 - bash-4.2.45-5.el7_0.4
- Enterprise Linux 6 - bash-4.1.2-15.el6_5.2
- Enterprise Linux 5 - bash-3.2-33.el5_11.4
- Enterprise Linux 4 - bash-3.0-27.el4.4

For Ubuntu, these are the versions to update to:
- Ubuntu 14.04 LTS - bash 4.3-7ubuntu1.4
- Ubuntu 12.04 LTS - bash 4.2-2ubuntu2.5
- Ubuntu 10.04 LTS - bash 4.1-2ubuntu3.4

Compatibility notes
===================

The latest bash update packages unavoidably break backward compatibility for bash function export. This can cause problems for certain software. In particular, the TCL modules system wants to export a function called "module".
This was previously stored in a variable called "module", but with the latest bash patches it needs to be called "BASH_FUNC_module" instead - there is a separate name space for functions. Thus, if your site depends on TCL modules, it is important to coordinate updates of bash and modules so that compatible versions are used.

Remember that you may have queued jobs that expect the old bash syntax and will break with the updated bash. Depending on your specific local environment, it may be possible to patch queued jobs in place to use the new bash syntax.

Mitigation
==========

Due to the wide variety of vectors to trigger shellshock, EGI CSIRT does not consider mitigation efforts a viable approach.

Credits
=======

The initial vulnerability was discovered by Stephane Chazelas (and named by Andreas Lindh). Additional vulnerabilities have been discovered by Florian Weimer, Michal Zalewski and Todd Sabin.

References
==========

Red Hat support article: https://access.redhat.com/articles/1200223
Red Hat errata notice: https://rhn.redhat.com/errata/RHSA-2014-1306.html
Ubuntu security notice: http://www.ubuntu.com/usn/usn-2364-1/
Zalewski blog entry announcing CVE-2014-6278: http://lcamtuf.blogspot.se/2014/09/bash-bug-apply-unofficial-patch-now.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Attached Message Part
Type: application/pgp-signature
Size: 172 bytes
Desc: not available
URL: <http://theory.sinp.msu.ru/pipermail/ru-ngi/attachments/20140929/6558b7b3/attachment.sig>

-------------- next part --------------
_______________________________________________
Noc-managers mailing list
Noc-managers at mailman.egi.eu
https://mailman.egi.eu/mailman/listinfo/noc-managers
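Two of the advisory's points lend themselves to a worked defender-side check: the "Component installation information" section lists the fixed bash package versions per release, and the "Details" section explains that bash runs the trailing statements of an environment variable that starts with a function definition, which matters for web CGI scripts because the server copies request headers into the CGI environment. The following script is an added example written for this page; it is not code from EGI CSIRT, the advisory or the mailing list. It assumes rpm-style version-release strings with no epoch, a simplified rpmvercmp (also applied to the Ubuntu strings, where it agrees with dpkg for these digit-dotted revisions but is not a full dpkg implementation), Apache combined log format, and constructed sample log lines.

```python
"""Shellshock (CVE-2014-6271 / CVE-2014-6278) triage helpers.

Added example, not from the EGI CSIRT advisory. Two defender-side checks:
  1. is_bash_patched(): compare an installed bash version-release against
     the fixed versions quoted in the advisory (simplified rpmvercmp).
  2. find_function_envs(): flag web-server log lines whose request headers
     carry the "() {" function-definition marker that bash parsed from the
     environment.
"""
import re

# Fixed versions quoted in the advisory, keyed by distribution release.
FIXED_VERSIONS = {
    "el7": "4.2.45-5.el7_0.4",
    "el6": "4.1.2-15.el6_5.2",
    "el5": "3.2-33.el5_11.4",
    "el4": "3.0-27.el4.4",
    "ubuntu14.04": "4.3-7ubuntu1.4",
    "ubuntu12.04": "4.2-2ubuntu2.5",
    "ubuntu10.04": "4.1-2ubuntu3.4",
}

# Version segments: digit runs, alpha runs, and '~'; anything else separates.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def _segcmp(a, b):
    """Simplified rpmvercmp: digits compare numerically, alpha lexically,
    a digit segment outranks an alpha segment, '~' sorts lowest."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # Common prefix equal: the longer string is newer unless its extra
    # part begins with '~' (a pre-release marker).
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def vercmp(a, b):
    """Compare two 'version-release' strings such as '4.1.2-15.el6_5.2'."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return _segcmp(av, bv) or _segcmp(ar, br)


def is_bash_patched(release, installed):
    """True when the installed bash is at or above the advisory's fixed version."""
    return vercmp(installed, FIXED_VERSIONS[release]) >= 0


# An exported bash function is an env var whose value starts with "() {".
# The regex is deliberately tolerant about whitespace so variants are caught.
FUNC_MARKER = re.compile(r"\(\)\s*\{")

# Apache combined log: ip ident user [ts] "request" status size "ref" "ua"
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_function_envs(log_lines):
    """Return (ip, timestamp, field, value) for each line whose user-agent,
    referer or request line carries the function-definition marker."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        for field in ("ua", "ref", "req"):
            if FUNC_MARKER.search(m.group(field)):
                hits.append((m.group("ip"), m.group("ts"), field, m.group(field)))
                break
    return hits


# Constructed sample lines (not real traffic); the trailing command is the
# benign diagnostic echo, the marker is what the detector keys on.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Sep/2014:14:47:19 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-test"',
    '192.0.2.11 - - [29/Sep/2014:14:48:02 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.12 - - [29/Sep/2014:14:49:30 +0200] "GET /cgi-bin/env.cgi HTTP/1.1" 404 0 "() { ignored; }; echo shellshock-test" "curl/7.30"',
]

if __name__ == "__main__":
    for rel, ver in (("el6", "4.1.2-15.el6_5.1"), ("el6", "4.1.2-15.el6_5.2")):
        print(rel, ver, "patched" if is_bash_patched(rel, ver) else "VULNERABLE")
    for hit in find_function_envs(SAMPLE_LOG):
        print("marker in", hit[2], "from", hit[0], "at", hit[1])
```

On a real host the installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' bash` or `dpkg-query -W -f '${Version}' bash`; the detector is meant to run over access logs from the CGI-serving hosts the advisory names as a vector, and a hit is a reason to check that host's bash version first.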