[kwlug-disc] Vulnerability in bash

Fernando Duran liberosec at yahoo.ca
Thu Sep 25 09:43:52 EDT 2014


Oh dear, this is going to be worse than Heartbleed.

I saw this yesterday and I'm terrified, for ex see this guy very easily making a remote server execute arbitrary commands (in this case just a ping): http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html

More analysis today: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

sigh

--------------------- 
Fernando Duran 
http://www.fduran.com


On Thursday, September 25, 2014 9:36 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:


>
>
>The test for the vulnerability is typing this in a bash shell:
>
>env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
>
>If you get just "this is a test" with some warnings, then you are not vulnerable.
>If you get "vulnerable" as part of the output, then you are.
>
>Like many who run a Debian based distro, I use apticron to get email notifications of updates to the exact packages that I have installed. I got notified yesterday noon-ish of the update and got it installed.
>
>I did not need to reboot nor start the shells I have open in screen. The output of the test above says I am not vulnerable, but I did not do a before and after on the same machine (although a pristine virtual image does show it is vulnerable).
>
>
>So, don't think a shell restart is necessary based on the tests above. How is this done? I don't know. There are no shared libraries included in the package (dpkg -L bash).
>
>
>
>On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
>
>>On Wed, 24 Sep 2014 23:21:57 -0400
>>"L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
>>
>>> The list should be aware of a newly-announced and particularly nasty
>>> parsing bug with all versions of bash:
>>>
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>>>
>>> The combination of "network exploitable" and "authentication not
>>> required" makes this a "10" on the severity scale.
>>>
>>> Updated packages for current versions of Ubuntu look to have been
>>> pushed out earlier today:
>>> https://launchpad.net/ubuntu/+source/bash
>>
>>Presumably, at the least, a post-update logout/login will be necessary
>>on each machine, if not an entire reboot. (Care to trust that ALL
>>scripts run between turn on and user prompt use sh not bash? And that
>>sh hasn't been inadvertently equivalenced to bash?)
>>
>>Given that most of us probably have a command line up (outside of any
>>GUI too!), and thus in memory, updating will catch any new instances,
>>but not those you're already in the middle of.
>>
>>I suppose this means rebooting all servers, too. <sigh?>
>>
>>I wonder if we should expect to see some further script updates to
>>follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
>>purposes now needing tweaking due to the update. (e.g. Things becoming
>>broken, albeit things originally written with the best of intentions.)
>>
>>
>>
>>_______________________________________________
>>kwlug-disc mailing list
>>kwlug-disc at kwlug.org
>>http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>
>
>-- 
>Khalid M. Baheyeldin
>2bits.com, Inc.
>Fast Reliable Drupal
>Drupal optimization, development, customization and consulting.
>Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>"For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken
>
>

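As an added example (not part of the thread or of any of its authors' messages), a small POSIX shell script that wraps the env test Khalid quoted into a function with an exit status and, for the question of already-open shells raised above, lists bash processes that started before the installed binary was last modified. It assumes a Linux host with GNU stat and procps-ng ps (for the etimes column); both tool choices are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the env-import test quoted above
# (CVE-2014-6271) in a function with an exit status, and lists bash sessions
# that predate the installed binary. Assumes GNU stat and procps-ng ps.

# Returns 0 if the given bash binary does NOT execute the trailing command
# while importing the environment function, 1 if it does (vulnerable),
# 2 if the binary cannot be found at all.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Same test as quoted in the thread; stderr warnings are ignored.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable wrapper around shellshock_check.
shellshock_status() {
    if shellshock_check "${1:-bash}"; then
        echo "not vulnerable"
    else
        echo "VULNERABLE"
    fi
}

# The env test spawns a fresh bash, so it reports on the binary now on disk.
# Shells already running (e.g. inside screen) still hold the old code in
# memory; this lists those that started before bash was last modified.
stale_bash_sessions() {
    bash_path=$(command -v bash) || return 1
    bin_mtime=$(stat -L -c %Y "$bash_path") || return 1   # GNU stat (assumption)
    now=$(date +%s)
    # etimes = seconds since the process started (procps-ng, assumption)
    ps -o pid=,etimes=,user= -C bash 2>/dev/null | while read -r pid etimes user; do
        started=$((now - etimes))
        if [ "$started" -lt "$bin_mtime" ]; then
            echo "pid $pid ($user) started before the bash update; restart it"
        fi
    done
}

# Run the checks only when invoked directly with --run.
if [ "${1:-}" = "--run" ]; then
    echo "bash on PATH: $(shellshock_status)"
    stale_bash_sessions
fi
```

Invoke as `sh shellshock-check.sh --run`; an empty list from the second check means every bash process started after the update.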