Jezbollah
To all Sysadmins out there, please make note of this vulnerability (CVE-2014-6271)
For more information:
https://blog.cloudsecurityalliance.org/2014/09/24/worse-than-heartbleed/
https://securityblog.redhat.com/201...-environment-variables-code-injection-attack/
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
http://www.bbc.com/news/technology-29361794
Hope this is useful to anyone out there.
UPDATE: - Thanks to those who posted the links below:
A large number of programs on Linux and other UNIX systems use Bash to set up environment variables which are then used while executing other programs. Examples of this include Web servers running CGI scripts and even email clients and web clients that pass files to external programs for display, such as a video file or a sound file.
In short, this vulnerability allows attackers to cause arbitrary command execution remotely, for example by setting headers in a web request or by setting weird MIME types.
To test if your system is vulnerable, just try this on bash:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you're vulnerable it'll print:
vulnerable
this is a test
If you've updated Bash you'll only see:
this is a test
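The one-liner above is fine at an interactive prompt, but a sysadmin checking a fleet usually wants it wrapped in something that gives a clean exit status for scripts or configuration management. The script below is an added example, not code from the original post or from any of the linked vendors: it runs the same env-based test against a bash binary you name (assumed to accept -c, as every bash does) and reports "vulnerable" or "patched". It only checks the local binary for the behaviour the thread describes; it says nothing about whether a CGI script or other service on the box actually exposes it.

```shell
#!/bin/sh
# Added example (not from the original thread): the thread's env-based
# test for CVE-2014-6271 wrapped in functions with a usable exit status.
# Assumption: the bash binary under test accepts -c and prints to stdout.

# classify_shellshock_output OUTPUT
# Separates the verdict from the execution so it can be tested without a
# vulnerable bash. Prints "vulnerable" if the trailing command in the
# environment variable was executed, "patched" otherwise.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# shellshock_check [BASH_PATH]
# Runs the thread's test against BASH_PATH (default: bash on $PATH).
# Returns 0 if patched, 1 if vulnerable, 2 if the binary is not found.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "error: $bash_bin not found" >&2
        return 2
    fi
    # The variable value is a function definition followed by a trailing
    # command. An unpatched bash executes the trailing command while
    # importing the environment; a patched bash stops at the definition.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    verdict=$(classify_shellshock_output "$out")
    echo "$bash_bin: $verdict"
    [ "$verdict" = "patched" ]
}

# Usage: check the default bash, or pass a path such as /bin/bash.
shellshock_check "${1:-bash}"
```

Because the verdict is a separate function, the same script can be pointed at several binaries (/bin/bash, /usr/local/bin/bash on a Mac with a Homebrew build) and the exit status fed straight into a monitoring check.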
You need to fix up the double quotes, somewhere 'smart quotes' mangled them.
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Found a fix for Ubuntu 10.10
http://techblog.willshouse.com/2014...bash-on-ubuntu-10-10-maverick-fix-shellshock/
Just make sure you log in as root
Here's another if you're on 8.04
http://techblog.willshouse.com/2014...bash-on-ubuntu-10-10-maverick-fix-shellshock/
I'm all good!
Apple have released a patch for OS X
http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US
Also available for Mountain Lion:
http://support.apple.com/kb/DL1768
And Lion:
http://support.apple.com/kb/DL1767