D&C GLug - Home Page


Re: [LUG] Bash bug - part 2 - Shellshock - aftershock?

 

On Fri, 26 Sep 2014, Adrian Midgley wrote:

I slightly wonder about the ISP's cable router.  Virgin's blue-glowing superhub.

I also need to patch an old server that is running Wheezy.  Has anyone
seen a precompiled bash for Wheezy yet?

Wheezy is current and a patch has been released.

I have servers running Woody, Sarge, Etch, Lenny as well as Squeeze... Fortunately the older ones are running dedicated well-defined applications that I've checked for vulnerabilities and they're fine.

Gordon





On 26 September 2014 10:12, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
As those who read the Redhat bug report on the 24th will know - the
first patch for Bash was incomplete.

You need to have installed a Bash patch today (or overnight if you are
my Debian boxes) as well.

2014-09-25 04:34:58 status installed bash:i386 4.2+dfsg-0.1+deb7u1
2014-09-26 04:47:18 status installed bash:i386 4.2+dfsg-0.1+deb7u3

u2? Apple probably gave it away?

Realistically Bash has a manually written parser, this may not be the
last such issue.

Switching to a simpler shell for things might be a plausible approach to
reduce risk. Although I haven't established if dash has a manually
written parser. Anyone know? Any recommendations (Bad Apple, Martyn?).

Also avoid shelling out, particularly from web applications, when you
can exec a program directly, to side step shells entirely. I know I
wrote some 10 lines ENV stuff for Apache in a previous role, although
hopefully it is all "dash" as it is on Debian.

The second vulnerability might also affect zsh according to one
contributor to the Redhat bug report.

Patch again, take stock, do things differently going forward.

So far the only exploitable vulnerability we've found in our stuff was the
really expensive proprietary load balancer, and that required you to be
an authenticated user, but that is mostly luck and a lot of Java (which
tends not to do the shelling out, and if it does sticks it behind layers
and layers of code). I suspect also that we've been patching more than
looking.

I have some cool web testing tools sorted to find if it is exploitable,
but patch and it won't work.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq



--
Adrian Midgley   http://www.defoam.net/



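The advice quoted in this thread to exec a program directly rather than shelling out, sketched as an added example that is not code from any poster here: the child is started with an argument list and an allow-listed environment, so no shell parses request data and request-derived variables never reach it. The names `run_direct`, `clean_env`, `ALLOWED_ENV` and the sample CGI environment are assumptions constructed for illustration.

```python
import json
import os
import subprocess
import sys

# Assumption: the only variables the child needs. Request-derived variables
# (HTTP_*, QUERY_STRING, ...) are deliberately left out.
ALLOWED_ENV = ("PATH", "LANG", "LC_ALL", "TZ")


def clean_env(parent_env):
    """Return a copy of parent_env restricted to the allow-list."""
    return {k: parent_env[k] for k in ALLOWED_ENV if k in parent_env}


def run_direct(argv, parent_env=None, timeout=10):
    """Exec argv[0] with no shell in between and an allow-listed environment."""
    if isinstance(argv, str) or not argv:
        raise TypeError("argv must be a non-empty list, not a command string")
    env = clean_env(os.environ if parent_env is None else parent_env)
    done = subprocess.run(
        list(argv), env=env, shell=False, stdin=subprocess.DEVNULL,
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return done.stdout


# Constructed sample: a CGI-style handler's environment after the web
# server has copied request data into it.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "value chosen by the client",
    "HTTP_COOKIE": "value chosen by the client",
    "QUERY_STRING": "name=report; echo hello",
}

# Child used for the demonstration: reports its environment names and args.
CHILD = "import json,os,sys; print(json.dumps({'env': sorted(os.environ), 'args': sys.argv[1:]}))"


def demo():
    """Run the child with request data as one argument; return what it saw."""
    argv = [sys.executable, "-c", CHILD, SAMPLE_CGI_ENV["QUERY_STRING"]]
    return json.loads(run_direct(argv, parent_env=SAMPLE_CGI_ENV))


if __name__ == "__main__":
    print(demo())
```

The child receives the query string as a single literal argument, and none of the `HTTP_*` variables appear in its environment.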