[PLUG] cross-platform bash vulnerability widespread
King Beowulf
kingbeowulf at gmail.com
Fri Sep 26 19:09:57 UTC 2014
On 09/25/2014 09:06 AM, Damo Gets wrote:
> I would strongly recommend visiting the following link:
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>
> Long story short, if you can execute this shell command:
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> and receive a successful execution (giving you the output:
> 'vulnerable\nthis is a test'), then you are vulnerable to the bash
> exploit that's just been discovered.
>
> I was pretty surprised to realize that even my OpenBSD machine,
> running bash only from an outside package from the ports collection to
> keep my luddite users happy was vulnerable to this exploit. It's a
> pretty serious concern; this is not limited to just Linux. Any *NIX
> machine is vulnerable. Hell, probably even cygwin. I just tested a
> hackintosh running OS/X and it's vulnerable there, too. :P
>
> Heads up, sys- & net- admins.
>
The 2 security patches released this week have plugged the most serious
security holes. Check to make sure you updated both.
I've checked my hobby server and it's been getting hit pretty hard the
last 2+ days - even before the patches. However, no joy for the
attackers. I'd already locked down ssh, and don't run CGI scripts.
Of course, don't forget to keep an eye on your ssh/sshd, Apache web
server, dhcp client, etc. updates.
-Ed
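
Added example, not part of the original thread: one way to look for the kind of hits described in the reply above, by scanning a web server access log for the `() {` function-definition prefix used in the quoted test command. The Apache "combined" log layout, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count access-log requests that carry
# the bash function-definition prefix "() {" seen in the quoted test command.
# Assumption: Apache "combined" log format, client address in field 1.
# Only logged fields (request line, Referer, User-Agent) can be inspected;
# a prefix sent in an unlogged header will not show up here.

# Constructed sample lines using documentation address ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.0" 404 209 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:03:45 +0000] "GET / HTTP/1.0" 200 512 "() { :; }; echo vulnerable" "-"
203.0.113.5 - - [26/Sep/2014:02:15:09 +0000] "GET /about() HTTP/1.1" 200 128 "-" "curl/7.38.0"
203.0.113.9 - - [26/Sep/2014:03:00:00 +0000] "GET /x HTTP/1.1" 404 209 "-" "()  {  :;};echo vulnerable"
EOF
}

# Print "count client" per source, highest count first.
# Matches "()" + optional blanks + "{" so spacing variants are caught,
# while a plain "()" in a URL (the /about() line) is not flagged.
# Reads the named log files, or stdin when none are given.
scan_log() {
    awk '
        /\(\)[ \t]*[{]/ { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Total number of matching log lines across all clients.
count_hits() {
    scan_log "$@" | awk '{ n += $1 } END { print n + 0 }'
}

# Demonstration on the constructed sample.
sample_log | scan_log
```

On a real server, pass the log path instead, for example `scan_log /var/log/apache2/access.log` (the path is an assumption and varies by distribution).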