'Shell Shock' vulnerability in Bourne shell

A severe vulnerability was discovered in Bourne shell.

Just google for: bash vulnerability
... for more details.

Not Bourne shell, in Bourne Again... bash
e.g. what Debian says about it:
https://security-tracker.debian.org/tracker/CVE-2014-6271

You are only at risk in somewhat limited situations, I believe:
e.g. Using ssh with ForceCommand option or using SSH_ORIGINAL_COMMAND variable

Not the way I understand it.

Any environment variable can be used to trigger the vulnerability.

CGI arguments are passed as environment variables (CGI, not fast CGI):

Common Gateway Interface - Wikipedia, the free encyclopedia

vs

FastCGI - Wikipedia, the free encyclopedia

So any bash CGI scripts - or any bash scripts called by any CGI process - are vulnerable.

And SSH accounts are vulnerable if you allow the remote user to set ANY environment variables, such as LC_* for localization.

You can apply the incomplete patches today and wait for the complete patch when available.

If that's not doable, make sure you use something other than bash (e.g. ksh, dash, ash, etc) for the shell on anything exposed or indirectly exposed. The flaw is huge and very exploitable from a remote host especially for web based stuff. And there are very popular *panels* (hint) that have such exposures.

For all of you that think all scripts should be written in unportable bash... maybe that wasn't the greatest strategy eh?? Bourne shell for the win!

Sorry, I'm not familiar with bourne or bash, I'm a Korny :slight_smile:

Hi Guys,

Just an update here, I've been running around like an idiot for the past two and a bit days - having loads of attempts on web servers in particular. But have even had specific attacks on our firewall and other outward facing kit.

There have been attempts on our switches and routers; this is the most disastrous bug I can remember other than the version of Solaris 10 with "terry" the developer's back door in the final release.

I have logs full of stuff like below - I've changed some of the stuff but you'll get the idea.

XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /w00tw00t.at.blackhats.aaaaaa.aaaa-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /something_here/scripts/setup.php HTTP/1.1" 404 306 "-" "ZmEu"
XXX.XX.69.74 - - [25/Sep/2014:18:53:51 +0100] "GET / HTTP/1.1" 200 2455 "() { :; }; /bin/ping -c 1 XXX.XXX.0.69" "() { :; }; /bin/ping -c 1 XXX.XXX.0.69"

Regards

Dave

2 Likes
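The log lines in the last post, run through a small detector, as an added example that is not part of the original thread. It assumes Apache's combined log format; `find_probes` and the other names are hypothetical, and it flags any request whose request line, Referer or User-Agent contains the start of a bash function definition.

```python
import re

# Assumed format: Apache "combined" access log
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Start of a bash function definition: "()" then "{", spacing optional.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
# Client-controlled fields that a CGI server hands on as environment variables.
FIELDS = ("request", "referer", "agent")

# The three log lines quoted in the post above, addresses redacted as posted.
SAMPLE_LOG = r'''
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /w00tw00t.at.blackhats.aaaaaa.aaaa-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /something_here/scripts/setup.php HTTP/1.1" 404 306 "-" "ZmEu"
XXX.XX.69.74 - - [25/Sep/2014:18:53:51 +0100] "GET / HTTP/1.1" 200 2455 "() { :; }; /bin/ping -c 1 XXX.XXX.0.69" "() { :; }; /bin/ping -c 1 XXX.XXX.0.69"
'''


def find_probes(lines):
    """Return one record per line carrying a function definition in a client field."""
    hits = []
    for line in lines:
        line = line.strip()
        m = COMBINED.match(line)
        if m:
            fields = [f for f in FIELDS if FUNC_DEF.search(m.group(f))]
            host, status = m.group("host"), int(m.group("status"))
        else:
            # Escaped quotes inside a field defeat the parser; scan the raw line.
            fields = ["unparsed"] if FUNC_DEF.search(line) else []
            host, status = (line.split() or [""])[0], None
        if fields:
            hits.append({"host": host, "status": status, "fields": fields})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit records that a probe arrived; the 200 on the third line is the status of the page that was requested, not evidence that the injected command ran.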