Bash script vulnerability - CVE-2014-6271


#1

Hi,

As a user of VyOS, how should we defend ourselves against all these types of vulnerabilities on the VyOS platform when the updates themselves are pretty sporadic?
When I did attempt to patch update the OS on 1.1.0beta1 a while back, dozens of errors were reported.

I just wonder what the strategy is for VyOS to stay on top of these sorts of things, because if it's not Heartbleed or Bash vulnerabilities, it will be something else.

Any thoughts?


#2

Good question.

Has anyone already patched a Vyatta / VyOS box for this exploit? By which method?


#3

And how do we patch older Vyatta versions 6.4/6.5/6.6?
Could we use any Debian Squeeze sources?
Anyone?


#4

This is worrisome. Two days after a serious vulnerability and not even a comment from the developers.


#5

They rarely appear in the forum.

http://blog.vyos.net/


#6

Thanks for the pointer to the blog. I hadn’t noticed that.


#7

Thanks for the heads up.
I was able to update one of my VMware routers (which I use as my home router) using:

$ sudo su -
# add system image http://dev.packages.vyos.net/iso/helium/virt/VyOS-virt-livecd-1409271546-2525a0c-i386.iso

and then reboot.

In my case VyOS failed to come up properly afterwards because I had some custom patches applied, which I needed to re-apply.
Afterwards, I ran some tests to see if things are OK (this is an example link showing both the first and second attack vector: http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/):

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
$ env X='(){(a)=>\' bash -c "echo date"; cat echo; rm -f echo

and now I can rest easy!
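The two test commands from the post above, wrapped into a small check script that runs each one cleanly and reports a status per CVE. This is an added example, not code from the post or from the VyOS project; it assumes bash is on PATH (override with BASH_BIN to test another binary) and runs the second test in a temporary directory so its side-effect file never lands in the working directory.

```shell
#!/bin/sh
# Added example: report whether the local bash is still affected by
# CVE-2014-6271 (function import executes trailing code) and
# CVE-2014-7169 (parser bug leaves a file named "echo" behind).
# Exit status of shellshock_status: 0 patched, 1 vulnerable, 2 bash not found.

BASH_BIN="${BASH_BIN:-bash}"   # assumption: bash on PATH; override to test another binary

# CVE-2014-6271: the string after the function body must NOT be executed
# when bash imports the variable. Patched bash only warns on stderr.
check_6271() {
    out_6271=$(env x='() { :;}; echo VULNERABLE' "$BASH_BIN" -c 'echo ok' 2>/dev/null)
    case "$out_6271" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: on an affected bash the broken definition turns "echo date"
# into a redirection that creates a file called "echo". Use a scratch
# directory so the check never writes into the caller's cwd.
check_7169() {
    tmp_7169=$(mktemp -d) || return 2
    ( cd "$tmp_7169" && env X='(){(a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp_7169/echo" ]; then rc_7169=1; else rc_7169=0; fi
    rm -rf "$tmp_7169"
    return "$rc_7169"
}

shellshock_status() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo "bash not found: $BASH_BIN"
        return 2
    fi
    status=0
    if check_6271; then echo "CVE-2014-6271: patched"
    else echo "CVE-2014-6271: VULNERABLE"; status=1; fi
    check_7169; rc=$?
    case "$rc" in
        0) echo "CVE-2014-7169: patched" ;;
        1) echo "CVE-2014-7169: VULNERABLE"; status=1 ;;
        *) echo "CVE-2014-7169: could not test (mktemp failed)" ;;
    esac
    return "$status"
}

# Print the report when the script is run directly.
shellshock_status
```

A non-zero exit status makes the check easy to run from a cron job or configuration-management tool after each image upgrade.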


#8

I’ve been through about 15 Vyatta CE instances (all virtual) that were on 6.4/6.5/6.6 and migrated them all to VyOS 1.0.5 without issues.
The only problem I had was a single VM running Vyatta 6.4 that, when it went through the upgrade process, for some reason created 2x additional NICs which needed manual deletion in the /config/config.boot file.
I also had a minor issue in that the RADIUS configuration on one of the VMs that hooks into our corporate RADIUS server wasn't carried across during the update, but luckily I had build notes so I was easily able to rectify it.
Your best bet is to migrate all your Vyatta CE instances to VyOS 1.0.5 (or later).