new security vulnerability in BASH

 
Bartender
Code injection attack.

This has been assigned a CVSS score of 10 (the highest possible). Contact your *nix vendor for patches.

Information from CERT.

Information from gnu.org

 
Rancher
Mint and several other Linux distributions have already gotten a patch, but that apparently does not fix the issue entirely. Stand by for another patch.
 
Author and ninkuma
Marshal
From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).

But yeah, if you are running servers...
 
Bartender

Bear Bibeault wrote: From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).

But yeah, if you are running servers...



There were some interesting scenarios discussed wherein even home networks could be at risk:

- Many home router web administration pages run over CGI. If they have remote admin enabled and have bash as default shell, then routers can be compromised.

- Some PoC attacks over DHCP have been demonstrated. The idea is that if an ISP's DHCP server can be compromised by other means, then that ISP's customers can be compromised using this bash vulnerability.
 
Ulf Dittmer
Rancher

If they have remote admin enabled and have bash as default shell, then routers can be compromised.


Many of those -especially newer ones- use Busybox, though, which is not vulnerable since it does not use bash.
 
Sheriff
This has a detailed explanation of what the bug is all about http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
 
Marshal
ksh user smugness reaches unbearable new heights...
 
Author
Ranch Hand

Jaikiran Pai wrote: This has a detailed explanation of what the bug is all about http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html



Troy (the author of the blog post) and I released a public and free mini-class on Shellshock. Here you go. http://pluralsight.com/courses/shellshock-bash-bug

 
Sheriff
Thanks for the link, Jim! I've gone through the course and I think it's very useful. Using the modified attack that you demoed in the course, I found that my OS X is still vulnerable. Ouch indeed.

Thanks to you and Troy for making this course available.
 
Ranch Hand
Can a Windows system be vulnerable if it uses Cygwin? I have seen this point on many news websites.
 
author & internet detective
Sheriff

Ali Gordon wrote: Can a Windows system be vulnerable if it uses Cygwin? I have seen this point on many news websites.


Yes. Cygwin has a patch for ShellShock.
 