A Serious Security Bug In *NIX Systems
Monkey Archive Forums/Digital Discussion/A Serious Security Bug In *NIX Systems
| ||
| For all of you out there in the unix land in their false belief that Microsoft have the monopoly on security flaws, a real nasty one has been found in bash. http://www.bbc.co.uk/news/technology-29361794 http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html There should already be a update for bash. |
| ||
| There should already be updates for the main distros - but they will need another one as they did not fix properly. (I got my bash-update yesterday, might be available a bit longer) bye Ron |
| ||
| The real problem is all the hardware with embedded Linux as their OS. Some of it is old and I very much doubt that a manufacture will supply firmware updates for hardware that's been discontinued. Remember the stories of companies that were reluctant to up date IE6 and XP. God know what they will be like if they have to upgrade their hardware. |
| ||
| Or all the old Mac-computers not capable of newer OS. People will more likely replace old devices if something bad happened to them - until then, they are kept getting used every day until they break. Most consumer devices wont be affected - not directly attached to the internet (or later: not capable of IPv6 which gets rid of NAT). Industry-IP-cameras etc are bought by companies - and they should take care of security on their own. Home consumer devices do not come often with linux-embedded. Most often "home devices" directed to the internet are webcams to have a look what happens at home while not away ("baby cam"). But we will see how many exploitations will happen. Heartbleet was dangerous but it seems we had luck that time. More dangerous will be unpatches bugs in XP. bye Ron |
| ||
| Just upgraded my server an hour or two ago! Ubuntu didn't have an update yesterday, but an apt-get update/upgrade this evening and it's sorted... |
| ||
| Well I haven't fired up the iMac in a while, installed the updates for OS X and Xcode and Apple have yet to release a patch. So I had to recompile bash. Just be careful on where you get the patches. http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an EDIT: It was bound to happen as soon as this bug was made public. http://www.bbc.co.uk/news/technology-29375636 |
| ||
| @embedded linux: many of them use "busybox", only know Cyanogen which used to use bash. bye Ron |
| ||
| https://www.cloudflare.com/ pro users were automatically protected as soon as they added firewall rules at their level. I'm not affiliated with them but really nice service. There have been a ton of attempts to exploit this. If you are running a linux sever you might want to turn on automatic updates for security updates if it's not already. |
| ||
| Bash needs further updates! http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/ I just did apt-get update/upgrade on my Ubuntu server and there was indeed another update. I'd recommend checking again a few times over the next week or so, as it sounds like more work may be needed... |
| ||
| I read that some Ubiquiti Routers do use bash. So if you have doubts then check out your hardwares support forum. http://community.ubnt.com/t5/EdgeMAX/About-bash-quot-Shellshock-quot-vulnerability-CVE-2014-6271-and/m-p/1027857 Virgin Media Super Hubs under the hood are rebranded Netgear kit, which if I remember use busybox the last time I checked. They have released a statement that they have tested them and are not susceptible to shellshock. BT's response is At this time we do not believe that BT Home Hubs, BT Vision and YouView boxes are vulnerable. We are however conducting a thorough review of our estate, and continue to monitor the situation.. |
| ||
| It would be good if there's a resource listing what is isn't vulnerable to this.. anyone know of one? |
| ||
| A bit of interesting reading. https://news.ycombinator.com/item?id=8369443 https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271 It would be good if there's a resource listing what is isn't vulnerable to this.. anyone know of one? The answer to this is simple, know one knows at this time. There are just too many things out there that use Linux. The most obvious will be *NIX servers and desktops, there will be a few routers and Network Attached Storage devices as well. The only sure way is gaining access to the device and testing it yourself and sending in a bug report.Changing the shell will not help either if any script uses the #!shebang to invoke bash. EDIT: Here's something funny The first post was duplicated over at the BlitzBasic forum. And so far not one comment about this. They seem to me to be more interested in bendy iPhones than if their networks and systems are secure. EDIT: something not related, but there have been a few spammers on these here forums lately if you haven't noticed. |
| ||
| I thought I would answer to your topic at blitzmax.com but then decided I could also post here - as I already was lurking around reading new topics. So no offense versus the blitzmax community :p. bye Ron |
   |