[kwlug-disc] Vulnerability in bash

Khalid Baheyeldin kb at 2bits.com
Thu Sep 25 16:17:57 EDT 2014


Just heard some coverage over the radio (CBC), and they said something
along the lines of:

 " ... it affects everything from doctors' equipment to building lighting".

Geez, since when does doctors' equipment run Linux with a full bash shell (as
opposed to a BusyBox shell like Android and routers)?


On Thu, Sep 25, 2014 at 10:36 AM, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:

> The CBC agrees with you:
> http://www.cbc.ca/news/technology/new-bash-computer-bug-may-be-worse-than-heartbleed-1.2777514?cmp=rss
>
> And we know how reporters never exaggerate when it comes to technology!
>
>
> On 25 September 2014 09:43, Fernando Duran <liberosec at yahoo.ca> wrote:
>
>> Oh dear, this is going to be worse than Heartbleed.
>>
>> I saw this yesterday and I'm terrified, for ex see this guy very easily
>> making a remote server execute arbitrary commands (in this case just a
>> ping):
>> http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html
>>
>> More analysis today:
>> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
>>
>> sigh
>>
>> ---------------------
>> Fernando Duran
>> http://www.fduran.com
>>
>>
>> On Thursday, September 25, 2014 9:36 AM, Khalid Baheyeldin <kb at 2bits.com>
>> wrote:
>>
>>
>> >
>> >
>> >The test for the vulnerability is typing this in a bash shell:
>> >
>> >env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> >
>> >
>> >If you get just "this is a test" with some warnings, then you are not
>> >vulnerable.
>> >If you get "vulnerable" as part of the output, then you are.
>> >
>> >Like many who run a Debian-based distro, I use apticron to get email
>> >notifications of updates to the exact packages that I have installed. I got
>> >notified yesterday noon-ish of the update and got it installed.
>> >
>> >I did not need to reboot nor restart the shells I have open in screen. The
>> >output of the test above says I am not vulnerable, but I did not do a
>> >before and after on the same machine (although a pristine virtual image
>> >does show it is vulnerable).
>> >
>> >
>> >So, I don't think a shell restart is necessary based on the tests above.
>> >How is this done? I don't know. There are no shared libraries included in
>> >the package (dpkg -L bash).
>> >
>> >
>> >
>> >On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
>> >
>> >On Wed, 24 Sep 2014 23:21:57 -0400
>> >>"L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
>> >>
>> >>> The list should be aware of a newly-announced and particularly nasty
>> >>> parsing bug with all versions of bash:
>> >>>
>> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>> >>>
>> >>> The combination of "network exploitable" and "authentication not
>> >>> required"  make this a "10" on the severity scale.
>> >>>
>> >>> Updated packages for current versions of Ubuntu look to have been
>> >>> pushed out earlier today:
>> >>> https://launchpad.net/ubuntu/+source/bash
>> >>
>> >>Presumably, at the least, a post-update logout/login will be necessary
>> >>on each machine, if not an entire reboot. (Care to trust that ALL
>> >>scripts run between turn on and user prompt use sh not bash? And that
>> >>sh hasn't been inadvertently equivalenced to bash?)
>> >>
>> >>Given that most of us probably have a command line up (outside of any
>> >>GUI too!), and thus in memory. Updating will catch any new instances,
>> >>but not those you're already in the middle of.
>> >>
>> >>I suppose this means rebooting all servers, too. <sigh?>
>> >>
>> >>I wonder if we should expect to see some further script updates to
>> >>follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
>> >>purposes now needing tweaking due to the update. (e.g. Things becoming
>> >>broken, albeit things originally written with the best of intentions.)
>> >>
>> >>
>> >>
>> >>_______________________________________________
>> >>kwlug-disc mailing list
>> >>kwlug-disc at kwlug.org
>> >>http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >>
>> >
>> >
>> >--
>> >Khalid M. Baheyeldin
>> >2bits.com, Inc.
>> >Fast Reliable Drupal
>> >Drupal optimization, development, customization and consulting.
>> >Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>> >Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>> >"For every complex problem, there is an answer that is clear, simple, and
>> >wrong." -- H.L. Mencken
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>
>
>
>


-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
"For every complex problem, there is an answer that is clear, simple, and
wrong." -- H.L. Mencken
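The one-line test quoted in the thread, wrapped into a small POSIX sh script as an added example; this is not code posted by anyone on the list. It assumes only that a `bash` binary is on PATH or is named on the command line; the function names `classify_output` and `shellshock_check`, the `overall` variable and the exit-code convention are choices made here. One point the script's comments make explicit, since it bears on the restart question in the thread: the probe starts a fresh `bash -c`, so its verdict describes the bash binary currently installed on disk, not a shell process that was already running when the package was updated and still has the old code in memory.

```shell
#!/bin/sh
# Added example, not from the thread: wraps the quoted one-line probe for
# CVE-2014-6271 into a reusable check. "bash -c" starts a fresh bash, so the
# result describes the bash binary on disk, not shells already running.

# classify_output OUTPUT
#   OUTPUT is the combined stdout/stderr of one probe run. A vulnerable bash
#   executes the command that trails the fake function body and prints the
#   marker word; a patched bash drops it and typically prints a warning such
#   as "ignoring function definition attempt" on stderr instead.
classify_output() {
    case "$1" in
        *vulnerable*) printf 'vulnerable\n' ;;
        *)            printf 'not vulnerable\n' ;;
    esac
}

# shellshock_check [BASH]
#   Runs the thread's exact probe against BASH (default: first "bash" on PATH)
#   and prints "<binary>: vulnerable" or "<binary>: not vulnerable".
#   Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = binary not found.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        printf '%s: not found\n' "$bash_bin" >&2
        return 2
    fi
    # The variable name "x" and the marker "vulnerable" are the thread's own.
    # The crafted value is handed over via env, so the shell running this
    # script never evaluates it; only the freshly started bash sees it.
    probe_out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    verdict=$(classify_output "$probe_out")
    printf '%s: %s\n' "$bash_bin" "$verdict"
    [ "$verdict" = "not vulnerable" ]
}

# Check every binary named on the command line, or the default bash when none
# is given. The worst result is left in $overall (0 clean, 1 vulnerable,
# 2 missing) so a wrapper script can decide what to do with it.
if [ "$#" -eq 0 ]; then
    set -- bash
fi
overall=0
for candidate in "$@"; do
    rc=0
    shellshock_check "$candidate" || rc=$?
    if [ "$rc" -gt "$overall" ]; then
        overall=$rc
    fi
done
```

Run it as `sh shellshock_check.sh` to test the default `bash`, or pass explicit paths (for example a second bash installed under `/usr/local/bin`) to check each of them in turn; anything reported as vulnerable needs the updated package, and shells that were already open before the update still need to be restarted to pick up the new binary.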