<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 09/25/2014 10:52 AM, Chris Irwin
wrote:<br>
</div>
<blockquote
cite="mid:CAH++cintyKCqwM4fACg6xqKzoizUbyFTBJN3zX6VH7VgLoZFsQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Thu, Sep 25, 2014 at 1:05 AM, B.S.
<span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:bs27975@yahoo.ca" target="_blank">bs27975@yahoo.ca</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div class="">
<div class="h5">
<br>
</div>
</div>
Presumably, at the least, a post-update logout/login will
be necessary<br>
on each machine, if not an entire reboot. (Care to trust
that ALL<br>
scripts run between turn on and user prompt use sh not
bash? And that<br>
sh hasn't been inadvertently equivalenced to bash?)<br>
<br>
Given that most of us probably have a command line up
(outside of any<br>
GUI too!), and thus in memory, updating will catch any new
instances,<br>
but not those you're already in the middle of.<br>
<br>
I suppose this means rebooting all servers, too.
&lt;sigh?&gt;<br>
</blockquote>
<div><br>
</div>
<div>Rebooting is not necessary. The exploit is only
possible when invoking bash provided you can set its
environment (for example: by crafting a user-agent for a
bash cgi script). Already running bash processes are not
exploitable.<br>
<div><br>
cirwin@irwin03:~ $ env x='() { :;}; echo vulnerable'
bash -c "echo this is a test"<br>
vulnerable<br>
this is a test<br>
cirwin@irwin03:~ $ sudo yum upgrade bash<br>
[...]<br>
cirwin@irwin03:~ $ env x='() { :;}; echo vulnerable'
bash -c "echo this is a test"<br>
bash: warning: x: ignoring function definition attempt<br>
bash: error importing function definition for `x'<br>
this is a test<br>
<br>
</div>
<div>It makes sense that you don't need to close the
terminal. The vulnerability is environment poisoning
before invoking bash -- the test in this thread invokes
a new bash process, for example. So in theory, your
running bash sessions were either already exploited, or
effectively safe.<br>
</div>
<div><br>
</div>
<div>Interestingly, needs-restarting reported no services
or processes that should be restarted.<br>
</div>
<div><br>
cirwin@irwin03:~ $ sudo needs-restarting <br>
cirwin@irwin03:~ $ <br>
<br>
</div>
Although `lsof` reports my four bash shells, and the
ksmtuned service, that are using obsolete bash shells
(though again, they can't be exploited once running). Not
sure why needs-restarting misses that unless there is some
criteria that wasn't met.<br>
<br>
cirwin@irwin03:~ $ sudo lsof | grep DEL | grep bash<br>
ksmtuned 707 root DEL REG
0,33 371203 /usr/bin/bash;54241eb1<br>
bash 28791 cirwin DEL REG
0,33 371203 /usr/bin/bash;54241eb1<br>
bash 28859 cirwin DEL REG
0,33 371203 /usr/bin/bash;54241eb1<br>
bash 29091 cirwin DEL REG
0,33 371203 /usr/bin/bash;54241eb1<br>
bash 29151 cirwin DEL REG
0,33 371203 /usr/bin/bash;54241eb1<br>
<br>
</div>
</div>
<br>
-- <br>
<div dir="ltr">Chris Irwin<br>
&lt;<a moz-do-not-send="true"
href="mailto:chris@chrisirwin.ca" target="_blank">chris@chrisirwin.ca</a>&gt;</div>
</div>
</div>
<br>
</blockquote>
Thanks Chris! That really clears up questions I had on this issue.<br>
<br>
<br>
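<div>A short script, added here as an example and not part of the thread or of Chris's own commands, that wraps the two checks discussed above for use across a fleet: the environment-import probe from the thread, returning an exit status a script can branch on, and a filter over <code>lsof</code> output that lists processes still mapping a replaced bash binary (the DEL entries Chris shows). The function names, the <code>rsyslogd</code> sample line and the assumption that <code>lsof</code> prints its default column layout are mine, not from the thread.</div>

```sh
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks that
# follow Chris's reply: (1) the same env-import probe he ran, wrapped so a
# script can branch on the result, and (2) a filter over "sudo lsof" output
# for processes still mapping a replaced bash binary. Function names and the
# sample lsof lines below are constructed for this example.

# Returns 0 if the bash binary in $1 (default: "bash" on PATH) still imports
# a function definition from an arbitrary environment variable, 1 if it
# refuses (the "ignoring function definition attempt" behaviour shown after
# the upgrade), 2 if no such bash is found.
check_bash_env_import() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Same probe as in the thread. A patched bash only runs the -c payload;
    # its warnings go to stderr, which is discarded here.
    probe_out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$probe_out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Reads lsof output on stdin and prints "COMMAND PID" for every process whose
# FD column is DEL (a mapped file that was deleted or replaced on disk) and
# whose NAME column is a bash binary. Assumes the default lsof columns seen in
# the thread (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); SIZE/OFF is
# empty for DEL entries, so NAME is simply the last field.
deleted_bash_processes() {
    awk '$4 == "DEL" && $NF ~ /(^|\/)bash(;|$)/ { print $1, $2 }'
}

# Constructed sample in the format of the thread's lsof output: one service,
# one interactive shell, and one unrelated replaced library that must not match.
SAMPLE_LSOF='ksmtuned 707 root DEL REG 0,33 371203 /usr/bin/bash;54241eb1
bash 28791 cirwin DEL REG 0,33 371203 /usr/bin/bash;54241eb1
rsyslogd 812 root DEL REG 0,33 371210 /usr/lib64/libc.so.6;54241eb1'

if check_bash_env_import; then
    echo "bash imports functions from the environment: upgrade it"
else
    echo "bash refuses environment function imports (or no bash found)"
fi
echo "processes still using a replaced bash binary (from the sample lsof output):"
printf '%s\n' "$SAMPLE_LSOF" | deleted_bash_processes
```

<div>On a live host, replace the sample with <code>sudo lsof | deleted_bash_processes</code>; the first check returning 1 while the second still lists PIDs is exactly the state Chris describes, where the binary on disk is fixed but a restart is needed for those particular processes to pick it up.</div>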
</body>
</html>