Bash Bug.

Postby DanMc » Thu Sep 25, 2014 8:34 pm

A potentially serious security vulnerability has been discovered in some Unix, Linux as well as Apple OSX operating systems which use the Bash shell. It most probably won't affect systems such as Debian, Ubuntu and Mint, which use the Dash shell, but who knows for certain? If it's possible to compromise the Bash shell, presumably other shells are potentially vulnerable to attack too.
For The Many Not The Few.

Re: Bash Bug.

Postby Tina TV » Fri Sep 26, 2014 6:36 am

Yeah, and as usual the press have got the wrong end of the stick and are going over the top with it.

The Web attack vector is only gonna hit ancient, poorly maintained servers. Modern servers don't use CGI, let alone bash-based CGI. They run in unprivileged sandboxes so any attack won't affect the remainder of the system etc.

The SSH attack is similarly narrow; how many people have even heard of the forced command option?

The most interesting is the rogue DHCP server vector, but any sysadmin worth his salt should see that as soon as it starts.

That said other attacks will be found so just as with any security issue, keep your systems patched and up to date.

The big worry is all the appliance-style devices that don't get patched, so keep them behind secure firewalls with the minimum of internet access. Fortunately most appliances don't run bash. After a couple of hours' thought my colleagues and I could only think of one.

Re: Bash Bug.

Postby PlasticAnnArbor » Tue Nov 11, 2014 8:23 am

serious -- YES
overblown -- WAY YES

The Web attack vector is only gonna hit ancient, poorly maintained servers. Modern servers don't use CGI, let alone bash-based CGI. They run in unprivileged sandboxes so any attack won't affect the remainder of the system etc.

:mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen:
seeing as there are MANY RH7, RH8, RH9 servers
not to mention the RHEL2, RHEL3 and RHEL4 servers that are ALL out of the 7 year support life cycle from Red Hat
( RHEL4 went End of Life -- well 4.9 is still in EXTRA critical life support)
and they ARE STILL ON LINE in production environments !!!!!
man I hated "up2date" and rpm

"yum" was a godsend

but
TELNET!!!!! is still in use !!!!!!!!!
and so is ssl 1
or the WORST I saw

auto root login on a remote server ( no ssh keys needed)
Linux
http://www.tldp.org/

