"Shellshock" bash bug
Teo En Ming
singapore.mr.teo.en.ming at gmail.com
Fri Sep 26 22:24:25 UTC 2014
On 27/09/2014 05:57, Rashkae wrote:
> On 14-09-26 05:50 PM, Colin Law wrote:
>>
>> It is a sheeva plug computer with an Arm processor. Jaunty was the
>> last ubuntu version that supported the chip.
>>
>> It seems however that my initial assumption is correct, that if they
>> cannot login as they do not have the key then they cannot exploit the
>> vulnerability.
>>
>> If someone manages to crack the key and login then the vulnerability
>> is the least of my worries I think.
>>
>> Colin
>>
>
> As far as ssh goes, that is correct, your attack surface there is
> pretty small, but you have to be careful about anything else, such as
> web cgi scripts, or even a default install of Apache, which can try to
> fork a process with bash. Also, dhcpclient is vulnerable, if the
> computer ever tries to get a dhcp address from a a bad dhcp server.
>
>
But dhcp server is usually on a router. I think the hacker would have to
hack the router to plant a bad dhcp server there. But then any
Linux-based router is also vulnerable to the shellshock bash bug.
--
Yours sincerely,
Teo En Ming
Singapore
More information about the ubuntu-users
mailing list