Massive Bash Exploit

Rage9

https://news.ycombinator.com/item?id=8361574

TL;DR: There is a problem with the way the bash shell handles env variables, and it could lead to someone running exploit code on your system. If you have Linux servers you should drop whatever you are doing and patch immediately.

Like many webmasters here, you probably want to make sure your servers are updated. Sounds pretty bad; some people are saying it could be as bad as Heartbleed. If you have a Linux server, get yo shit updated ASAP!
 


If you are responsible for the security of any system, this is your immediate, drop-everything priority. The technical details of the exploit mean that new ways of exploiting it will be discovered soon. Precedent suggests that automated systematic attacks against every server on the Internet will be coming, on a time scale of hours.
holy fucking shit.
 
Thanks for the alert OP. While there's clearly some fearmongering in that ycombinator thread, my sysadmin had a close look and agrees this is a pretty nasty one that could indeed be as bad as Heartbleed. Nice to have it all patched up early before the script kiddies start firing off exploits en masse.
 
As someone who shit his pants when I read this stuff. :thumbsup: Thumbs up for WiredTree.

Yes, we are familiar with this. As soon as this attack hit CentOS mirrors, we rolled out a patch that now applies to the entire WiredTree network, and so we are safe from this attack.


 
Run the following from the command prompt as root:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you are vulnerable, you will see "vulnerable" being echoed on the screen.

I have an old version of Ubuntu running on my server. Does anyone know if those repositories will get updated? Right now I don't see an update available.
 
Doesn't the ssh vector rely on the attacker having valid credentials? And who the fuck builds a webapp that uses environment variables which are passed to bash? What's the use case?
 
Doesn't the ssh vector rely on the attacker having valid credentials?

It seems that way, but there are cases like git, puppet, etc., that rely on ssh and its ForceCommand parameter. This bug may let you escalate a "git only" account into running arbitrary commands.
 
Interesting, one of my servers on a managed plan was already patched but the other one wasn't. Now I know where I need to put a bit more attention to security.
 
Doesn't the ssh vector rely on the attacker having valid credentials? And who the fuck builds a webapp that uses environment variables which are passed to bash? What's the use case?

this, i can't think of any attack vectors on my servers. it's not the 90s, i don't run any CGI scripts. gonna patch anyway obviously
 
Doesn't the ssh vector rely on the attacker having valid credentials? And who the fuck builds a webapp that uses environment variables which are passed to bash? What's the use case?

There are some obscure cases where people use CGI wrappers around PHP/Perl/Python, etc... These could potentially be exploited by headers.

Most systems should be fine though.
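
A defensive follow-up to the CGI header case raised in the replies above, as an added example that is not from any poster in this thread: it scans a web access log for quoted fields that begin with the "() {" marker used in the test command earlier in the thread. The log lines, addresses and function names are constructed for illustration, and Apache "combined" log format is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): flag access-log lines in which a quoted
# field (request line, Referer, User-Agent) begins with "() {", the marker that
# starts the value of x in the test command above. A CGI server copies request
# headers into HTTP_* environment variables, which is how they reach bash.

# Constructed sample lines in Apache "combined" format; not real traffic.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
192.0.2.44 - - [25/Sep/2014:10:01:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; echo vulnerable" "curl/7.35.0"
192.0.2.77 - - [25/Sep/2014:10:02:30 +0000] "GET /docs/func() HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; { bot })"
EOF
}

# Hypothetical helper: reads a log on stdin and prints "line: client: field"
# for each hit. Whitespace around "()" is matched loosely on purpose.
scan_log() {
    awk -F'"' '{
        split($1, pre, " ")              # pre[1] is the client address
        for (i = 2; i <= NF; i += 2)     # even fields are the quoted ones
            if ($i ~ /^[ \t]*\(\)[ \t]*[{]/) {
                print NR ": " pre[1] ": " $i
                next
            }
    }'
}

# Stand-alone run over the constructed sample.
sample_log | scan_log
```

A header value that itself contains an escaped quote shifts the field positions, so treat this as a first-pass triage filter and review hits against the raw log.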