[Security] Update bash *NOW*

Darryl Moore darryl-90a536wCiRb3fQ9qLvQP4Q at public.gmane.org
Fri Sep 26 14:49:08 UTC 2014


I've checked our servers. From what I've seen, for the exploit to work
with Apache, you need to have CGI enabled, have a bash script in the
cgi-bin directory, and send a crafted HTTP request for that script. If the
executable file requested does not exist, or if it is not a bash script,
the exploit will not work.

I did find attempts to hack our machines today, but due to the above
constraints, they appear to have failed.

Nonetheless, we are updating bash on everything as we speak.

Regards,
Darryl

On 14-09-25 08:15 PM, Scott Elcomb wrote:
> On Wed, Sep 24, 2014 at 10:03 PM, Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> wrote:
>>   Slashdot article http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash
>>
>>   Story at http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
>>
>>   CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650
>>
>>   Summary... bash scripts, CGI, perl via "system()", and various other
>> "commands" invoke a bash shell at times, passing environmental variables
>> in the process.  Problem is that an "environmental variable" ***CAN
>> CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW
>> SHELL***.  E.g. execute the command...
> 
> Some scary bits I've seen today:
> 
> Looks like DHCP servers can leverage it:
> <https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/>
> 
> Web server log entry with a shellshock signature and wanting to run rm
> -rf / <https://twitter.com/danielcid/status/515244941380177920>
> 
> And via <http://beta.slashdot.org/story/207709> there's now a 'wopbot'
> on the loose: <http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx>
> 
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
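The thread mentions web server log entries carrying a "shellshock signature" and Darryl's conditions for a CGI attack to succeed (CGI enabled, an existing bash script under cgi-bin, a crafted request). Below is an added example, not code from the list or any poster, that scans Apache combined-format log lines for the CVE-2014-6271 function-definition prefix `() {` in the request target, Referer and User-Agent fields and triages each hit against those conditions. The log lines are constructed samples; the IPs are documentation-range addresses.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache "combined" log lines (not real traffic).
# Payloads are harmless echo-style commands used only to exercise the detector.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:21:14:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/echo probe"
203.0.113.5 - - [25/Sep/2014:21:14:03 +0000] "GET /cgi-bin/nosuch.cgi HTTP/1.1" 404 209 "-" "() { :;}; /bin/echo probe"
198.51.100.7 - - [25/Sep/2014:21:15:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [25/Sep/2014:21:16:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { ignored; }; /bin/echo probe" "curl/7.37.0"
192.0.2.3 - - [25/Sep/2014:21:17:01 +0000] "GET /%28%29%20%7B%20:;%7D;%20echo HTTP/1.1" 400 0 "-" "-"
'''

# Apache combined format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# CVE-2014-6271 is triggered by an environment value that begins with a bash
# function definition, "() {", followed by trailing commands. Matching the
# prefix anywhere in a field is deliberately broad for detection purposes.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(entry):
    """Return the names of the request fields carrying a function-definition prefix.

    Both the raw and the URL-decoded value are checked: CGI passes the raw
    request target through, but decoding also catches encoded probes.
    """
    hits = []
    for field in ('target', 'referer', 'agent'):
        value = entry[field]
        if SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)):
            hits.append(field)
    return hits


def triage(entry):
    """Apply the exposure conditions from the thread: an existing CGI script.

    Whether the served script is actually a bash script cannot be read from
    the log, so such hits are flagged for a check on the host.
    """
    path = entry['target'].split('?', 1)[0]
    if entry['status'] == '404':
        return 'likely-failed: requested script does not exist'
    if not path.startswith('/cgi-bin/'):
        return 'likely-failed: target is not a CGI script'
    return 'investigate: CGI script served the request (bash script? check on host)'


def scan_log(text):
    """Return one finding per log line whose fields carry the Shellshock prefix."""
    findings = []
    for raw in text.strip().splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        fields = find_shellshock(entry)
        if fields:
            findings.append({
                'host': entry['host'],
                'target': entry['target'],
                'status': entry['status'],
                'fields': fields,
                'verdict': triage(entry),
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']} {f['status']} {f['target']} via {','.join(f['fields'])}: {f['verdict']}")
```

The triage only encodes what can be read from the access log; a 200 on a cgi-bin path still needs the host checked for whether the script (or anything it calls) runs under a vulnerable bash. Running the scan against the real access log after patching is a quick way to see whether the pre-patch attempts targeted anything that existed.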