"Shellshock" bash bug
Colin Law
clanlaw at gmail.com
Sat Sep 27 06:34:37 UTC 2014
On 26 September 2014 22:57, Rashkae <ubuntu at tigershaunt.com> wrote:
> On 14-09-26 05:50 PM, Colin Law wrote:
>>
>>
>> It is a sheeva plug computer with an Arm processor. Jaunty was the
>> last ubuntu version that supported the chip.
>>
>> It seems however that my initial assumption is correct, that if they
>> cannot login as they do not have the key then they cannot exploit the
>> vulnerability.
>>
>> If someone manages to crack the key and login then the vulnerability
>> is the least of my worries I think.
>>
>> Colin
>>
>
> As far as ssh goes, that is correct, your attack surface there is pretty
> small, but you have to be careful about anything else, such as web cgi
> scripts, or even a default install of Apache, which can try to fork a
> process with bash. Also, dhcpclient is vulnerable, if the computer ever
> tries to get a dhcp address from a a bad dhcp server.
The only port forwarded through the router is 22 so I believe
cgi/apache should not be an issue provided the router is not hacked,
and since the router is the dhcp server then again I think that should
not be a problem. If my router gets hacked then again this specific
vulnerability is probably not my major concern. A separate question
is how one knows whether one's router may be vulnerable.
Colin
More information about the ubuntu-users
mailing list