



Standard User camieabz
(sensei) Thu 25-Sep-14 12:59:19

Patch yer bash


http://threatpost.com/major-bash-vulnerability-affec...

http://www.bbc.co.uk/news/technology-29361794
Standard User BatBoy
(legend) Thu 25-Sep-14 13:09:30

Re: Patch yer bash


[re: camieabz]
A security flaw affecting millions of Mac computers, web servers and internet connected devices has emerged, which experts warn could be among the most devastating ever seen.

The US government have rated the security flaw 10/10 for severity, and given it a complexity rating of 'low' - meaning it's very easy to exploit.

The bug affects Bash, a programme that runs on Apple Mac and Linux computers - and can run in the background without a user's knowledge.
There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

The fix is an update to a patched version of the Bash shell.



False_Authority_Syndrome
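The one-line check in the post above, wrapped into a script as an added example (this is not code from the original post or from the bash project; the file, function and variable names are this example's own). It merges stderr into the captured output, because the "ignoring function definition attempt" warning a patched bash prints goes to stderr, classifies the three outcomes (the injected command ran, bash refused the import, anything else), and exits non-zero unless the binary is patched, so it can be looped over a host list with ssh and the verdicts grepped.

```shell
#!/bin/sh
# shellshock_check.sh: added example, not code from the original post.
# Wraps the one-line test from the post so the result is machine-readable.
# File, function and variable names are this example's own.

# Decide what bash did with the injected environment variable, from the
# text it printed. "echo vulnerable" only runs if bash executed the
# trailing command after the function body; a patched bash prints the
# "ignoring function definition attempt" warning (on stderr) instead.
classify_output() {
    case "$1" in
        *vulnerable*)                              echo vulnerable ;;
        *"ignoring function definition attempt"*)  echo patched ;;
        *)                                         echo unknown ;;
    esac
}

# Run the same test as the post against a given bash binary (default: the
# "bash" on PATH). stderr is merged so the warning is seen. "|| true" keeps
# a missing binary from aborting under "set -e"; it is reported as unknown.
run_check() {
    bash_bin="${1:-bash}"
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1) || true
    classify_output "$out"
}

# When run as a script: print the verdict and exit non-zero unless patched,
# so "ssh host sh shellshock_check.sh" can be looped over a host list.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
    verdict=$(run_check "$@")
    echo "${1:-bash}: $verdict"
    [ "$verdict" = patched ]
fi
```

Pass a path as the first argument to test a bash other than the one on PATH (an older copy shipped inside a firmware image, for instance). A verdict of "unknown" means the output matched neither of the two outputs shown in the post and should be looked at by hand, not treated as safe.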
Standard User Lethe
(fountain of knowledge) Thu 25-Sep-14 18:18:09

Re: Patch yer bash


[re: BatBoy]
This isn't so much of an issue for GNU/Linux users (I just patched all my boxes), but for all the uninitiated people that have 'blackbox' devices like routers, smart TVs etc. exposed to the Internet.

I expect it will be months, if at all, before the firmware is upgraded.

Nick


Standard User BatBoy
(legend) Thu 25-Sep-14 18:38:43

Re: Patch yer bash


[re: Lethe]
Oh dear
Linux makers released patches to protect against attacks on Wednesday, though security researchers uncovered flaws in those updates, prompting No. 1 Linux maker Red Hat Inc to advise customers that the patch was "incomplete."



False_Authority_Syndrome
Standard User Lethe
(fountain of knowledge) Thu 25-Sep-14 18:53:19

Re: Patch yer bash


[re: BatBoy]
I have been reading up on that - basically what it means is although the check doing the rounds appears to prove the fix works, there is too much else going on in a typical system using the BASH shell... so nobody is sure what else could be done on the back of this.

A lot of it is found in strange setups, lazy programming etc., but nobody really knows as of yet.

I sanitised my web server tonight, and SSH is only dodgy if it is open to the web with users logging in that get a shell. dnsmasq was updated yesterday also.

Basically, lock all doors and windows - but for a big concern like a lot of git repos, what a headache!

Nick
Standard User bobble_bob
(fountain of knowledge) Thu 25-Sep-14 19:06:39

Re: Patch yer bash


[re: Lethe]
What's the worst that can happen with a smart TV though? The hacker makes you watch X Factor?
Standard User Lethe
(fountain of knowledge) Thu 25-Sep-14 19:13:32

Re: Patch yer bash


[re: bobble_bob]
Crikey... what a terrible thing to happen!

Seriously though, a lot of these 'blackbox' devices have httpd servers running on strange ports... and remember the exploit to this BASH problem is that although the device may refuse a connection, it has already called BASH $env so the dodgy command is next in queue - and will be executed next.

As I stated down below in this thread, nobody really knows the worms of this yet.

Nick
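A log scan for the function-definition prefix used by the check earlier in the thread, as an added example that is not from the original post. For a device or server whose httpd is reachable from the Internet, the practical question is whether anyone has already sent that prefix; the script below looks for it in a web server access log. The sample log lines are constructed for this example, and the assumption that the string would arrive inside a request header field (such as User-Agent or Referer) is this example's, not the post's. The pattern is generalised slightly beyond the exact `() { :;};` string in the post: it accepts any whitespace between the `()` and the `{`.

```shell
#!/bin/sh
# scan_shellshock_logs.sh: added example, not code from the original post.
# Looks for the function-definition prefix from the test earlier in the
# thread in web server access logs. File and function names are this
# example's own; the sample log below is constructed.

# "()" then optional whitespace then "{": generalised from the exact
# "() { :;};" string in the post so spacing variants are caught too.
PATTERN='\(\)[[:space:]]*[{]'

# Print every matching line of the log file given as $1.
scan_log() {
    grep -E -- "$PATTERN" "$1"
}

# Number of matching lines. grep -c exits 1 when the count is 0, so
# "|| true" keeps a clean log from aborting a "set -e" caller.
count_hits() {
    grep -c -E -- "$PATTERN" "$1" || true
}

# Write a constructed combined-format access log to $1. Two of the four
# lines carry the prefix: one in the User-Agent field, one in the Referer
# field (assumed delivery points for this example, not from the post).
make_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Sep/2014:13:05:01 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Sep/2014:13:05:07 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
192.0.2.12 - - [25/Sep/2014:13:05:09 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.38.0"
192.0.2.13 - - [25/Sep/2014:13:05:12 +0100] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {:;}; echo vulnerable" "Mozilla/5.0"
EOF
}

# When run as a script: scan the log given as $1, or the constructed
# sample when no argument is supplied.
if [ "${0##*/}" = "scan_shellshock_logs.sh" ]; then
    log="${1:-$(mktemp)}"
    [ $# -eq 0 ] && make_sample_log "$log"
    echo "$(count_hits "$log") suspicious request(s) in $log"
    scan_log "$log"
fi
```

A hit in the log says only that the prefix was sent, not that it was executed; whether it was depends on the httpd passing that header to a bash process through the environment, which is the part the post above says nobody can see inside a 'blackbox' device. Treat a hit as a reason to check the device's firmware status, not as proof of compromise either way.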
Standard User bobble_bob
(fountain of knowledge) Thu 25-Sep-14 19:15:24

Re: Patch yer bash


[re: Lethe]
Considering this is supposed to be a simple exploit, I wonder why it wasn't discovered earlier.

Also, do all routers run unix?

Standard User Lethe
(fountain of knowledge) Thu 25-Sep-14 19:32:28

Re: Patch yer bash


[re: bobble_bob]
In reply to a post by bobble_bob:
Considering this is supposed to be a simple exploit, I wonder why it wasn't discovered earlier.

Simple doesn't mean easy to find. Stainless steel was discovered by a company in Sheffield trying to make a knife that didn't lose its edge - after each attempt the bad knives were thrown out in a yard and left in piles. Some time later a worker there noticed that a few hadn't rusted. They checked the batch codes etc., and stainless steel was 'invented'. Post-it notes were also 'found' by a glue company that had a bad product that didn't stick very well but found it could be 're-used' time and again.


In reply to a post by bobble_bob:
Also, do all routers run unix?


GNU/Linux runs 90% of consumer products now. BusyBox, which is a cut-down embedded Linux system of sorts, doesn't have this issue, but again, as they are mostly all 'blackboxes' nobody knows - hence the concern.

Nick
Standard User Taras
(eat-sleep-adslguide) Fri 26-Sep-14 00:05:39

Re: Patch yer bash


[re: bobble_bob]
In reply to a post by bobble_bob:
What's the worst that can happen with a smart tv tho. The hacker makes you watch X factor?


I'm sure Simon would be happy ..
But...
it could be used as part of a botnet, imagine say 50 to 100 million devices targeting a system ..