Bash Exploit

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)
https://access.redhat.com/node/1200223

Well I read this article whilst I was at work. Upon getting home I started up my Fedora machine and ran the following check to see if I was vulnerable.

To test if your version of Bash is vulnerable to this issue, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
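The advisory's check, wrapped in a function so it can be pointed at any bash binary and scripted across hosts. This is an added example, not part of the original post or of Red Hat's note: the variable name `x` and the test strings are the advisory's, while the function names and exit codes are my own. It relies only on the behaviour the note describes: a vulnerable bash runs the commands that follow the function body while importing the variable, a patched one refuses the import.

```sh
#!/bin/sh
# Added example (not from the original post or Red Hat's note): the advisory's
# CVE-2014-6271 check as a reusable function. Exit codes are assumptions of mine:
#   0 = patched (the code after the function body was ignored)
#   1 = VULNERABLE (the "echo vulnerable" after the function body ran)
#   2 = no usable bash binary found

shellshock_check() {
    # First argument: path to the bash to test; defaults to the first bash in PATH.
    bash_bin="${1:-$(command -v bash 2>/dev/null || true)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2

    # The value of x parses as a function definition "() { :;}" followed by an
    # extra command. A vulnerable bash executes that command while importing the
    # function; a patched bash refuses the import and only warns on stderr, so
    # stderr is discarded and stdout alone decides the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)

    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Human-readable wrapper around shellshock_check; safe to run under "set -e".
report_shellshock() {
    rc=0
    shellshock_check "$1" || rc=$?
    case $rc in
        0) echo "patched: ${1:-bash in PATH}" ;;
        1) echo "VULNERABLE: ${1:-bash in PATH}" ;;
        *) echo "no bash found at ${1:-PATH}" ;;
    esac
    return "$rc"
}
```

Source the file and call `report_shellshock /bin/bash` (or any other interpreter path, for example a chroot's copy); the exit code makes it usable from a loop over hosts or from a monitoring check.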

I was vulnerable. But that is what I expected. Knowing that the fix might take a little time I added the suggested workaround to my firewall script.

Workaround: Using IPTables:

A note on using IPTables string matching:

iptables using -m string --hex-string '|28 29 20 7B|'

Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability.
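The string match from the note, written as the log-then-drop pair the post goes on to describe. This is an added example, not part of the original post or of Red Hat's note; the chain (INPUT), the log prefix, the rate limit on logging and the function names are my assumptions. The caveat above still applies: `-m string` sees one packet at a time, so a probe that splits `() {` across packets is not matched.

```sh
#!/bin/sh
# Added example (not from the original post or Red Hat's note): the "() {"
# string match (hex 28 29 20 7B) as a LOG rule followed by a DROP rule, for IPv4
# and IPv6. Chain, prefix, rate limit and function names are my assumptions.
#
# Caveat: the string match inspects single packets, so splitting "() {" across
# packets bypasses it. Treat this as a tripwire for noisy scanners, not a patch.

SIGNATURE='|28 29 20 7B|'        # "() {" in iptables --hex-string syntax
LOG_PREFIX='SHELLSHOCK-PROBE: '  # assumed prefix, makes the hits easy to grep

# Print the two rules for one binary (iptables or ip6tables). LOG comes first so
# a hit is recorded before the DROP rule discards the packet; the limit keeps a
# scanner from flooding the log.
shellshock_rules() {
    bin="$1"
    printf '%s\n' \
      "$bin -A INPUT -m string --algo bm --hex-string '$SIGNATURE' -m limit --limit 10/min -j LOG --log-prefix '$LOG_PREFIX'" \
      "$bin -A INPUT -m string --algo bm --hex-string '$SIGNATURE' -j DROP"
}

# Apply the rules for every binary that is installed. Without root, or with
# DRY_RUN=1, the commands are only printed so the rule set can be reviewed first.
apply_shellshock_rules() {
    for bin in iptables ip6tables; do
        command -v "$bin" >/dev/null 2>&1 || continue
        shellshock_rules "$bin" | while IFS= read -r cmd; do
            if [ "${DRY_RUN:-0}" = 1 ] || [ "$(id -u)" -ne 0 ]; then
                echo "$cmd"
            else
                eval "$cmd"
            fi
        done
    done
}
```

Because `-A` appends, call `apply_shellshock_rules` before the script's ACCEPT rules for exposed services; otherwise a probe is accepted before it ever reaches the match. `DRY_RUN=1 apply_shellshock_rules` prints the exact commands that would run.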

In full knowledge that this vulnerability was/is going to get exploited I was monitoring my firewall logs. I had set the rules to log and drop the packets. Note that the workaround says it can be bypassed. A couple of hours with the rule in place and nothing unusual was being logged and I was carrying on as normal. All of a sudden 4-5 packets were caught by the rule. My system was shut down seconds later. I suspect that this is some opportunistic scanning taking place, however I am not taking any chances until a patch is ready.

On the plus side it has given me the opportunity to boot and update my Windows machine.

Keeping My Hat On

In my previous post I outlined my thinking about moving from Fedora to OpenSuse. I installed OpenSuse 12.3 onto my laptop and had a play about. The installer was clean and easy to use and everything was set up with the minimum of effort.

Two issues with Fedora prompting a move were the control over the firewall and the Arduino software not being up to date. I was disappointed that the installation of the Arduino software didn't come with a desktop icon set up, but the latest version was there to use. Now onto the firewall; things were not good.

OpenSuse has completely removed the iptables scripts for managing the firewall. It seems you will use their firewall daemon and associated setup program. So basically the future looks like I will be forced into using a wrapper of some sort around the iptables rules for my firewall. What's more, after doing some reading it would appear that more applications will rely on this dynamic functionality in the future. So what do I do? I can, on Fedora at least, use my existing script in the short term but need to migrate it. Alternatively I can change distro, waiting a little longer for the inevitable push towards dynamic firewalls.

Where does this leave me now then? I'm thinking of staying with Fedora at the moment. Fedora 19 will be due out in around 3-4 months' time. At this point I think a clean installation of my main machine will probably be in order. In the meantime I can work on migrating my current firewall script over to the Firewalld system. It will mean I have to manually install the latest Arduino software but that is at least a manageable task.

OpenSuse was removed from the laptop and Fedora 18 reinstalled. A clean installation does appear to have changed a few things. A series of upgrades over the years had left a few legacy options it seems. The Fedora installer was not as user friendly as the OpenSuse installer, especially when it came to creating the dual boot with Windows on a separate hard disk. That said it did install and I'm sure it will improve in the future.

Going Gecko

Using Linux has always presented me with a lot of choice as to how I want to use it and how it can work for me. I started my Linux journey with Gentoo and stayed with it for many years. But over time I found it didn't fit with my workflow; it was fun to use and I learnt a lot, but it required hands-on tweaking.

I took the plunge and moved over to Fedora. Not having to compile software at install time or rebuild a lot of packages when a library changed was easier and has saved me time not having to go through packages that failed to compile. Fedora has been a stable system; well, it is about a month after a big version update. Having a stable system has allowed me to use the system for actual work. But this stability has also brought a few problems. Stable packages are not always the newest. This isn't a problem for system packages, as they are the solid foundation for everything else to run on. But applications like Libre Office and, in my case, the Arduino IDE are not guaranteed to be up to date.

The Arduino IDE is in the Fedora repos, it is however 2 releases out of date. I have been trying to use it and have found myself struggling against a few bugs that I know to be fixed in a later version. Looking at the bug tracker for Fedora the version bump has been noted. If the package was in the testing repo allowing me to install the later version at my own risk I would be happy. But it isn't. The alternative option is for me to manually download and install the software. I have no objection to doing this, I often do it for software that is not in a repo. But it is irritating that a package that is in the repo is not keeping pace with upstream even as an unstable package.

The next irritation from Fedora is experimental improvements that make it into a release. Fedora 18 updated my machine with Firewalld, a daemon that runs a dynamic firewall. This is all well and good but I had written my own firewall script, and whilst I like some of the ideas that Firewalld brings I don't feel it should have been forced upon me. Firewalld is a Fedora project and, reading up on it, development is still ongoing and features are being added. I am not happy about placing my faith in this package for security until it has matured. I am all for newer versions of existing packages but not radical changes like this. Fedora was also the first distro to use Gnome 3. The initial release was basic to say the least but it has improved over time. I get the feeling that it is possible to be too near the cutting edge for comfort.

So where does this leave me? Well, one option is to go back to Gentoo. What is stopping me doing so at the moment is the changes going on in the background of several distros. Systemd is becoming the standard init system, replacing a legacy system. Most distros have moved over to this as a default. The two which don't have this as a default are Gentoo and Debian. Gentoo does support it but this would require some tweaking, which I was wanting to get away from. It also rules out Debian.

I had considered Arch Linux. Whilst it seemed to offer the flexibility of Gentoo without the compilation it was not without issues. Certain packages would install without all the dependencies; if I can't guarantee that then it's another distro to avoid for a desktop. I'm not ruling out Arch for a very minimal server/netbook installation but for day to day desktop it's not for me.

Linux Mint is an option but it is based upon Debian. Whilst this is not a bad thing I prefer a distro to have its own base and not be reliant on another distro. Ubuntu is a no go area; it has changed focus to be a testing ground for new ideas and I don't like the direction Canonical are taking it. Mageia has had more uncertainty over the years than I care to remember so it's out. Slackware is a no as it's not a Gnome supporting distro. CentOS & Scientific Linux are based off RHEL & Fedora so they are out. So out of the big distros I am left with OpenSuse.

What is there to like about OpenSuse? Well, on the face of it quite a bit. One thing that bugged me about Fedora was the fact its forums were independent of the distro. Gentoo has an integrated community, which I liked, and OpenSuse seems to have the same. Trying to navigate the Fedora website was a pain. I found myself stumbling over project procedures and guidelines rather than the support and guides which I wanted to refer to. The OpenSuse website by contrast has a link to the forums on the main page and seems more navigable in general.

OpenSuse has better options for software; it makes it easy to search for software in various repos and select stable/unstable packages. The support from forums and wiki appears easy to access. Ultimately OpenSuse may not be as bleeding edge as Fedora but my current experiences suggest this isn't a bad thing. OpenSuse 12.3 is to be released in the next 24 hours. Time to give it a go.

Windows Vista – Still Crap

In the past few weeks I purchased some new Anti-virus and Firewall software from ESET to replace my expiring & bloated AVG install. The first machine to get the upgrade was my XP desktop machine; everything went well. I was impressed with the lighter feel to the software and the added fact that it didn't seem to be hogging the system resources quite as much. A week's trial later I decided it was stable and usable enough to be used on my laptop, running Windows Vista. The install was painless, the software scanned my system and there were no obvious issues.

The problems arose when I came to reboot the machine following some Windows updates and some minor web application updates.

Never Blindly Copy Code

I have been developing my own iptables firewall scripts for my Linux machines. On the whole the process has been going quite well. Part of my research into the firewall rules involved buying a few reference books, one of which contained what claimed to be a very secure script. I copied its base rules over as a foundation to add my own rules to, and things have progressed very well.

Today I was going through the code trying to open some ports for another service when I noticed an anomaly; one of the rules I had copied was badly wrong. I went back to the book to compare what was listed; I was expecting to have made a typo. I found the book listed the flawed code in its main script, but earlier in the book it was used in its intended context. Had I not gained a sufficient understanding of the iptables rules and how they fit together I would not have noticed this error. It is worrying to think it has been exposing my machines to unnecessary danger. A few quick amendments and all my machines are once again secure. The added bonus of the correction was that it removed some of the extra packets being logged and dropped by the firewall.

I will be very careful of what I copy from reference books from now on. I will also be paying much more attention to my firewall scripts in general to ensure I keep the rules sensible and secure.