[kwlug-disc] Vulnerability in bash
Hubert Chathi
hubert at uhoreg.ca
Thu Sep 25 17:47:07 EDT 2014
On Thu, 25 Sep 2014 01:05:42 -0400, "B.S." <bs27975 at yahoo.ca> said:
> Presumably, at the least, a post-update logout/login will be necessary
> on each machine, if not an entire reboot. (Care to trust that ALL
> scripts run between turn on and user prompt use sh not bash? And that
> sh hasn't been inadvertently equivalenced to bash?)
What is the attack scenario that would require you to logout/login? A
remote attacker can't access your bash that's running in your terminal,
and if they could, then they wouldn't need this vulnerability.
Basically, I'm not aware of a way that an attacker can set an
environment variable in an already-running bash without having full
control of the bash.
> Given that most of us probably have a command line up (outside of any
> GUI too!), and thus in memory. Updating will catch any new instances,
> but not those you're already in the middle of.
> I suppose this means rebooting all servers, too. <sigh?>
"ps -ef | grep bash" to see if you have any shells currently running.
If not, don't worry about rebooting. If yes, then see if you can just
kill those processes instead of rebooting.
More information about the kwlug-disc
mailing list