[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On Fri, 26 Sep 2014, Martijn Grooten wrote:
On Fri, Sep 26, 2014 at 09:39:41AM +0100, Gordon Henderson wrote:So on the surface home PCs, etc. are fine - no need to wory about them for now.I'm at a conference at the moment so I've not read up on all the details, though I've spoken about it to many people (it's a security conference). It seems some DHCP clients are vulnerable. So for some fairly broad version of "etc.", you can get root access on them if you're on the same WiFi network. So that does sound like something to worry about.
The DHCP part relies on several things happening - the first is that someone sets up a Wi-Fi access point that has the potential to inject the vulnerability and another is that you then use that access point, and that you're running a DHCP client that parses a shell script...
A starting point would be making sure your mobile devices don't automatically connect to open Wi-Fi access points.
This may be an issue if you're out and about - hopefully not at home.And I have seen a DHCP server written in Perl that can inject a vulnerability.
People have compared it with Heartbleed, where the attack was easy to execute. This is more tricky, but the number of ways you could exploit this is much bigger. With Heartbleed, if you couldn't patch, you could probably fend off attacks on the firewall - here I would be less confident such a thing is possible.
For web access you can validate every single URL that gets sent to the real web server before it hits the real server. Such devices exist - usually aimed at the slightly bigger user. Lets hope they themselves don't use bash as part of their processing!
Gordon -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq