[Security] Update bash *NOW*

Steve Harvey sgh-Ja3L+HSX0kI at public.gmane.org
Fri Sep 26 15:04:58 UTC 2014


On Fri, Sep 26, 2014 at 10:49:08AM -0400, Darryl Moore wrote:
> I've checked our servers. From what I've seen, for the exploit to work
> with apache, you need to have CGI enabled, have a bash script in the
> cgi-bin directory, and do a crafted http request for that script. If the

  The executable, whether a script or binary file, does not need to be bash. 
It only needs to cause a bash script to be invoked from *somewhere*, as
long as that bash script inherits the environment set up by CGI.

  From what I've read, some DHCP clients may be vulnerable.  Unfortunately,
those clients tend to be run as root.

  This is a really scary bug, considering how easy it is to exploit.

> executable file requested does not exist, or if it is not a bash script,
> the exploit will not work.
> 
> I did find attempts to hack our machines today, but due to the above
> constraints, they appear to have failed.
> 
> None the less, we are updating bash on everything as we speak.
> 
> Regards,
> Darryl
> 
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists





More information about the Legacy mailing list