new security vulnerability in BASH

 
Bartender
Code injection attack.

This has been assigned a CVSS score of 10 (the highest possible). Contact your *nix vendor for patches.

Information from CERT.

Information from gnu.org

 
Rancher
Mint and several other Linux distributions have already gotten a patch, but that apparently does not fix the issue entirely. Stand by for another patch.
 
Marshal
From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).

But yeah, if you are running servers...
 
Bartender

Bear Bibeault wrote: From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).

But yeah, if you are running servers...



There were some interesting scenarios discussed wherein even home networks could be at risk:

- Many home router web administration pages run over CGI. If they have remote admin enabled and have bash as default shell, then routers can be compromised.

- Some PoC attacks over DHCP have been demonstrated. The idea is that if an ISP's DHCP server can be compromised by other means, then that ISP's customers can be compromised using this bash vulnerability.
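
For anyone running the CGI-backed servers or router admin pages discussed in this thread, one way to look for probing in web access logs (an added example, not part of any post in this thread). It assumes Apache/nginx "combined" log format; the names `find_probes` and `SAMPLE_LOG` and all log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; the server escapes " as \"
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
                    + QUOTED + ' ' + QUOTED)
FIELDS = ("request", "referer", "agent")

# A vulnerable bash imports an environment value beginning "() {" as a function
# definition. CGI copies request headers into the environment, so this prefix in
# a logged header is the tell. Matched loosely (anywhere, flexible whitespace).
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

def find_probes(lines):
    """Return (line_no, client_ip, field) for every field carrying the prefix."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            # Unparseable line: scan the raw text instead of silently skipping it.
            if FUNC_DEF.search(unquote(line)):
                hits.append((no, None, "raw"))
            continue
        ip, *values = m.groups()
        for field, value in zip(FIELDS, values):
            # Percent-decode so an encoded copy of the prefix is still seen.
            if FUNC_DEF.search(unquote(value)):
                hits.append((no, ip, field))
    return hits

# Constructed sample log lines (documentation-range addresses, harmless payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo CONSTRUCTED-SAMPLE"',
    '203.0.113.5 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/admin.cgi HTTP/1.0" 500 0 "() { ignored; }; echo CONSTRUCTED-SAMPLE" "curl/7.30.0"',
    '192.0.2.44 - - [25/Sep/2014:10:03:00 +0000] "GET /search?q=%28%29%20%7B%20x HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbled line with () { inside',
]

if __name__ == "__main__":
    for no, ip, field in find_probes(SAMPLE_LOG):
        print(f"line {no}: {ip or 'unknown'} sent a function-definition prefix in {field}")
```

A hit only shows that a request carried the pattern, not that the host was vulnerable; headers the server does not log (cookies, for instance) are not covered.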
 
Ulf Dittmer
Rancher

If they have remote admin enabled and have bash as default shell, then routers can be compromised.


Many of those (especially newer ones) use BusyBox, though, which is not vulnerable since it does not use bash.
 
Sheriff
This has a detailed explanation of what the bug is all about http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
 
Sheriff
ksh user smugness reaches unbearable new heights...
 
Author

Jaikiran Pai wrote: This has a detailed explanation of what the bug is all about http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html



Troy (the author of the blog post) and I released a public and free mini-class on Shellshock. Here you go. http://pluralsight.com/courses/shellshock-bash-bug

 
Sheriff
Thanks for the link, Jim! I've gone through the course and I think it's very useful. Using the modified attack that you demoed in the course, I found that my OS X is still vulnerable. Ouch indeed.

Thanks to you and Troy for making this course available.
 
Ranch Hand
Can a Windows system be vulnerable if it uses Cygwin? I have seen this point on many news websites.
 
author & internet detective

Ali Gordon wrote: Can a Windows system be vulnerable if it uses Cygwin? I have seen this point on many news websites.


Yes. Cygwin has a patch for ShellShock.
 