Shellshock bash security update
Current revision as of 17:40, 20 April 2021
This problem originates in the way the Bash interpreter evaluates environment variables. The result is that an attacker may use this vulnerability to bypass environment restrictions and execute arbitrary shell commands through Bash. This bug is known as "Shellshock".
The biggest problem is that certain services and applications expose these environment variables, and so the vulnerability can be exploited from within those applications and services. That is, direct access to the command line, a terminal or SSH is not necessary in order to exploit this vulnerability.
As a result, it is very important to update Bash as soon as possible to the version that includes the patch fixing the bug. It is very easy: just run the updates through yum or apt, depending on the system:
== How to determine if my server is vulnerable? ==
To detect whether your server has a version of Bash affected by this security flaw, connect to your server through SSH and run:
 env x='() { :;}; echo Vulnerable' bash -c /bin/true
If it is vulnerable, the standard output of this command will contain the word 'Vulnerable'.
Otherwise, if it is not vulnerable, the command above will print nothing.
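The check above can be wrapped in a small POSIX shell function so it can be pointed at any bash binary and scripted across several hosts. This is an added example, not code from the original page; the function name shellshock_status and its return codes are assumptions. The probe is the page's own: an environment variable holding a function definition followed by a trailing command. A vulnerable Bash executes the trailing "echo Vulnerable" while importing the variable; a fixed Bash ignores it. Only standard output is inspected, because a patched Bash may print a warning on standard error about ignoring the function definition attempt, which is not a sign of vulnerability.

```shell
#!/bin/sh
# Added example (not part of the original page): wrap the page's Shellshock
# probe in a function. Prints VULNERABLE/PATCHED/MISSING and returns 1/0/2.
shellshock_status() {
    bash_bin="${1:-bash}"   # binary to test; defaults to the bash found in PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "MISSING"
        return 2
    fi
    # The page's test: a function definition in an environment variable with a
    # trailing command. Only stdout is captured; stderr warnings from a patched
    # Bash ("ignoring function definition attempt") are discarded on purpose.
    out=$(env x='() { :;}; echo Vulnerable' "$bash_bin" -c /bin/true 2>/dev/null)
    case "$out" in
        *Vulnerable*) echo "VULNERABLE"; return 1 ;;
        *)            echo "PATCHED";    return 0 ;;
    esac
}

# Stand-alone usage: check the default bash; the exit status is non-zero
# when the interpreter is vulnerable, which is convenient for monitoring jobs.
shellshock_status bash
```

Run it on each server (for example over SSH) and treat any VULNERABLE result, or a non-zero exit status, as a host that still needs the Bash update described below.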
== How to secure my server against this security vulnerability if it is affected? ==
Access your server through SSH as root and run the following commands, depending on your Linux distribution.
=== Debian and derivatives (Ubuntu, etc.) ===
* If you want to know your Debian version, run:
 cat /etc/debian_version
==== Fix “Shellshock” on Debian 7 and Ubuntu ====
 apt-get update
 apt-get --only-upgrade install bash
==== Fix “Shellshock” on Debian 6 ====
To update Bash on Debian 6, you first have to add an apt repository.
Edit this file:
 /etc/apt/sources.list
and add this line after the last line of the file:
 deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib
Once the repository is added, follow the [[#Fix_“Shellshock”_on_Debian_7_and_Ubuntu|steps to secure Debian 7]].
Finally, remove the repository by deleting the line you added to the sources.list file.
* If your Debian version shows an error like this when running "apt-get update":
 W: GPG error: http://ftp.us.debian.org squeeze-lts Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXX
it is as easy as running:
 gpg --keyserver pgpkeys.mit.edu --recv-key XXXX
 gpg -a --export XXXX | apt-key add -
Remember to replace XXXX with the key id shown in the error.
=== Fix “Shellshock” on CentOS, RHEL, Fedora, Scientific Linux ===
 yum update bash
With these operations your server will be protected against this security flaw.
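The distribution-specific steps above can be turned into one script that selects the right procedure from the files the page uses to identify the system. This is an added example and not code from the original page: the function bash_update_plan and its optional root-prefix argument (used only so the logic can be exercised against constructed /etc files instead of the live system) are assumptions. It prints the commands as a plan rather than executing them, so an administrator can review them before running them as root, and it follows the page's Debian 6 procedure exactly: add the squeeze-lts line, update, upgrade bash, then remove the line again. The use of /etc/redhat-release to recognise CentOS, RHEL, Fedora and Scientific Linux is a generalisation of the page's yum instructions.

```shell
#!/bin/sh
# Added example (not part of the original page): print the Bash update
# commands the page lists for the detected distribution family.
# $1 is an optional root prefix (assumption for testing); default is "/".
bash_update_plan() {
    root="${1:-}"
    if [ -f "$root/etc/debian_version" ]; then
        # Debian and derivatives (Ubuntu ships this file as well).
        ver=$(cat "$root/etc/debian_version")
        case "$ver" in
            6.*|squeeze*)
                # Debian 6: add the squeeze-lts repository first, update bash,
                # then remove the repository line again, as the page instructs.
                printf '%s\n' \
                  'echo "deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib" >> /etc/apt/sources.list' \
                  'apt-get update' \
                  'apt-get --only-upgrade install bash' \
                  'sed -i "/squeeze-lts/d" /etc/apt/sources.list'
                ;;
            *)
                # Debian 7, Ubuntu and newer releases: plain apt update.
                printf '%s\n' 'apt-get update' 'apt-get --only-upgrade install bash'
                ;;
        esac
    elif [ -f "$root/etc/redhat-release" ]; then
        # CentOS, RHEL, Fedora, Scientific Linux all carry this file.
        printf '%s\n' 'yum update bash'
    else
        echo "unsupported distribution: no /etc/debian_version or /etc/redhat-release" >&2
        return 1
    fi
}

# Stand-alone usage: show the plan for the machine this runs on.
bash_update_plan
```

After applying the printed commands, re-run the vulnerability check from the previous section: the update is only complete when the probe no longer prints 'Vulnerable'.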