
new security vulnerability in BASH

 
J. Kevin Robbins
Bartender
Posts: 1801
Code injection attack.

This has been assigned a CVSS score of 10 (the highest possible). Contact your *nix vendor for patches.

Information from CERT.

Information from gnu.org

 
Ulf Dittmer
Rancher
Posts: 42972
Mint and several other Linux distributions have already gotten a patch, but that apparently does not fix the issue entirely. Stand by for another patch.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66306
From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).

But yeah, if you are running servers...
 
Karthik Shiraly
Bartender
Posts: 1210
Bear Bibeault wrote: From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).

But yeah, if you are running servers...


There were some interesting scenarios discussed wherein even home networks could be at risk:

- Many home router web administration pages run over CGI. If they have remote admin enabled and have bash as default shell, then routers can be compromised.

- Some PoC attacks over DHCP have been demonstrated. The idea is that if an ISP's DHCP server can be compromised by other means, then that ISP's customers can be compromised using this bash vulnerability.
 
Ulf Dittmer
Rancher
Posts: 42972
  • Likes 1
If they have remote admin enabled and have bash as default shell, then routers can be compromised.

Many of those, especially newer ones, use BusyBox, though, which is not vulnerable since it does not use bash.
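
An added example (not part of any post in this thread, and not code from any vendor): a small audit of the two conditions raised above, namely whether the default shell is bash rather than BusyBox, and whether any CGI scripts invoke bash directly. The function names, result labels and the paths passed in are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are caller-supplied assumptions.

# classify_shell PATH -> bash | busybox | other | missing
classify_shell() {
    [ -e "$1" ] || { echo missing; return 0; }
    # Follow symlinks: /bin/sh is often a link to bash, dash or busybox.
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    case "$(basename "$target")" in
        bash*)    echo bash; return 0 ;;
        busybox*) echo busybox; return 0 ;;
    esac
    # A copy of bash installed under the name "sh" still identifies itself.
    if "$target" --version </dev/null 2>/dev/null | grep -q 'GNU bash'; then
        echo bash
    else
        echo other
    fi
}

# bash_cgi_scripts DIR -> files in DIR whose first line is a bash shebang
bash_cgi_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        first=
        IFS= read -r first < "$f" || [ -n "$first" ] || continue
        case "$first" in
            '#!'*bash*) echo "$f" ;;
        esac
    done
}

# cgi_exposure SH_PATH CGI_DIR -> default-shell-bash | bash-cgi:N | none
cgi_exposure() {
    if [ "$(classify_shell "$1")" = bash ]; then
        # Any CGI program that spawns a shell (system(), popen()) runs bash.
        echo default-shell-bash
        return 0
    fi
    n=$(bash_cgi_scripts "$2" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then echo "bash-cgi:$n"; else echo none; fi
}

# Run the audit only when both arguments are given: <shell path> <CGI directory>
if [ $# -eq 2 ]; then cgi_exposure "$1" "$2"; fi
```

A result of `none` only means bash was not found on the CGI path; the installed bash package still needs the vendor patch.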
 
Jaikiran Pai
Sheriff
Posts: 10447
This has a detailed explanation of what the bug is all about http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
 
Tim Cooke
Marshal
Posts: 4044
ksh user smugness reaches unbearable new heights...
 
Jim Manico
Author
Ranch Hand
Posts: 53
Jaikiran Pai wrote: This has a detailed explanation of what the bug is all about http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html


Troy (the author of the blog post) and I released a public and free mini-class on Shellshock. Here you go. http://pluralsight.com/courses/shellshock-bash-bug

 
Junilu Lacar
Sheriff
Posts: 11489
Thanks for the link, Jim! I've gone through the course and I think it's very useful. Using the modified attack that you demoed in the course, I found that my OS X is still vulnerable. Ouch indeed.

Thanks to you and Troy for making this course available.
 
Ali Gordon
Ranch Hand
Posts: 182
Can a Windows system be vulnerable if it uses Cygwin? I have seen this point on many news websites.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 37469
Ali Gordon wrote: Can a Windows system be vulnerable if it uses Cygwin? I have seen this point on many news websites.

Yes. Cygwin has a patch for ShellShock.