"Shellshock" bash bug
Gene Heskett
gheskett at wdtv.com
Sat Sep 27 12:15:08 UTC 2014
On Saturday 27 September 2014 02:43:19 Colin Law did opine
And Gene did reply:
> On 27 September 2014 01:31, Gene Heskett <gheskett at wdtv.com> wrote:
> > On Friday 26 September 2014 17:17:06 Colin Law did opine
> >
> > And Gene did reply:
> >> On 26 September 2014 16:43, Kevin O'Gorman <kogorman at gmail.com>
wrote:
> >> > There has been a code-injection vulnerability in bash for the last
> >> > 22 years, recently discovered and named "Shellshock". It's
> >> > nasty.
> >> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> >>
> >> I don't fully understand the description. I have a system that
> >> cannot be updated that has an ssh port open to the internet, with
> >> access by keys only. Is that system vulnerable to attack?
> >>
> >> Colin
> >
> > Top posting, bah! Read the rest of the message below, open a terminal
>
> Who is top posting? I had read the rest of the post. My question
> related to the the quoted section.
>
> >> > Here's a quick one-liner to see if you're vulnerable:
> >> > $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> >> > vulnerable
> >
> > And enter into the terminal from the keyboard, the above line
> > starting with "env", to the end at 'test"', duplicating the
> > quotation marks etc you see above.
> >
> > Then hit enter and you should get the vulnerable return if you are,
> > or the bash error shown below, ending in the last line 'this is a
> > test'. That response says you are not vulnerable.
>
> No, the message tells me that I have a vulnerable version of bash
> installed, not whether my system is vulnerable to attack as I asked.
> The point is that with a machine that is only open to the internet via
> ssh with access by keys only, is the system vulnerable? So far that
> answer seems to be no, provided one's router is not hacked.
>
> Colin
I have no knowledge of what is in the average router, only what is in mine
which has been reflashed to dd-wrt. There is not a full blown bash in
that, underneath its Busybox. Busybox linux doesn't have a byte of code
in it that is not used, and that which is used is often stripped of
features not needed in a router specialized use, so my assumption, which
is exactly that, a SWAG if you want to use the term, is that its enough
different that the answer almost certainly has to be no.
No one has yet reported that their router has been powned that I know of
except me. The first one I ever bought, a Seimans from circuit city about
14 or 15 years ago, was attacked and bricked less than 24 hours after I
installed it. I took it back and brought home a BEFSR41 which worked for
many yers and could yet, all I would have to do is move the cables, but my
web page would disappear because its NATed port forward capabilities
aren't there. It is not dd-wrt.
That is not to say that that a router cannot be hacked, but likely not by
shellshock style attacks.
That said, update-manager just popped up, and there is a 3rd bash update
in the pipeline. Do the update now, and reboot. Only by rebooting can
you be assured that every bash instance in your system is using the new
one. I am doing it as soon as I've clicked on send.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
More information about the ubuntu-users
mailing list