"Shellshock" bash bug

Teo En Ming singapore.mr.teo.en.ming at gmail.com
Fri Sep 26 22:24:25 UTC 2014


On 27/09/2014 05:57, Rashkae wrote:
> On 14-09-26 05:50 PM, Colin Law wrote:
>>
>> It is a sheeva plug computer with an Arm processor.  Jaunty was the
>> last Ubuntu version that supported the chip.
>>
>> It seems however that my initial assumption is correct, that if they
>> cannot log in as they do not have the key then they cannot exploit the
>> vulnerability.
>>
>> If someone manages to crack the key and log in then the vulnerability
>> is the least of my worries I think.
>>
>> Colin
>>
>
> As far as ssh goes, that is correct, your attack surface there is
> pretty small, but you have to be careful about anything else, such as
> web cgi scripts, or even a default install of Apache, which can try to
> fork a process with bash.  Also, dhcpclient is vulnerable, if the
> computer ever tries to get a dhcp address from a bad dhcp server.
>
>

But the dhcp server is usually on a router. I think the hacker would have to
hack the router to plant a bad dhcp server there. But then any
Linux-based router is also vulnerable to the shellshock bash bug.

-- 
Yours sincerely,

Teo En Ming
Singapore
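
The thread's point that exposure goes beyond ssh (CGI scripts, processes Apache forks, the DHCP client script) can be checked on a given machine by listing which scripts would actually start bash. The following is an added example, not part of the original e-mails; the function names and the paths in the usage comment are assumptions to adjust for the system being audited.

```shell
#!/bin/sh
# Added example: list scripts that would start bash when a service runs them.
# Function names and the paths in the usage line are assumptions.
# Usage: sh audit.sh /usr/lib/cgi-bin /sbin/dhclient-script

# Print the interpreter named on a file's "#!" line (nothing if there is none).
shebang_interp() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case $first in
        '#!'*) ;;
        *) return 0 ;;
    esac
    rest=${first#??}
    read -r interp arg _ <<EOF
$rest
EOF
    # "#!/usr/bin/env bash": the real interpreter is the next word
    case ${interp##*/} in
        env) interp=$arg ;;
    esac
    printf '%s\n' "${interp##*/}"
}

# Succeed if the given sh path (default /bin/sh) resolves to bash; in that
# case every "#!/bin/sh" script and every system() call starts bash as well.
sh_is_bash() {
    target=$(readlink -f "${1:-/bin/sh}" 2>/dev/null) || return 1
    [ "${target##*/}" = bash ]
}

# Print each regular file under the given paths whose interpreter is bash,
# directly or through sh. Usage: bash_scripts SH_PATH PATH...
bash_scripts() {
    sh_path=$1; shift
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        case $(shebang_interp "$f") in
            bash) printf '%s\n' "$f" ;;
            sh) if sh_is_bash "$sh_path"; then printf '%s\n' "$f"; fi ;;
        esac
    done
}

# When run with arguments, audit those paths against the system's /bin/sh.
if [ "$#" -gt 0 ]; then bash_scripts /bin/sh "$@"; fi
```

On Ubuntu /bin/sh is normally dash, so `#!/bin/sh` scripts are listed only when that link has been pointed at bash.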