IMPORTANT - sysadmins, linux and OSX users

onomatopoeia

If you have anything accessible from the internet or to untrusted users, you really, really need to put "shellshock" into your search engine of choice and then install a patched version of bash. Now.
 
And even the patch has vulnerabilities (after I spent most of the day patching). Same again tomorrow, methinks. lalalalala
:runaway::runaway::runaway:
 
No patch for OSX mavericks available yet.

Is there a reason the bash script can't be renamed to something else unique so that you'd use that instead of calling it bash and it wouldn't exist in the normal location? This way any miscreant would fall over at the first step as bash wouldn't be where they were looking or called what they were looking for?
 
Depends, if things on the system expect it to be in one place they will break if it is moved. I've been going through our servers and it's the default shell for users with shell access on most of them, which means it has to be at /bin/bash or no-one will be able to get a terminal.
 
Patched all of mine now, one was a heart in the mouth job as I couldn't use the distro package manager so had to get source, patch it, build it and then replace the vulnerable shell with the new one. When your only access is via ssh as the server is in a datacentre somewhere, replacing the shell is exciting. In a bad way.:runaway:

I'm not even an IT person. /reaches for the vodka
 
Depends, if things on the system expect it to be in one place they will break if it is moved. I've been going through our servers and it's the default shell for users with shell access on most of them, which means it has to be at /bin/bash or no-one will be able to get a terminal.

Then they won't be able to break anything. Perfect :D
 
So, can someone explain what folk need to do... in simple terms :)

I've read the article here but left feeling dizzy.

Cheers.
Make sure nothing is exposed on the internet (i.e. all ports are closed). That way, no one can inject anything ;)
 
Having a vulnerability and someone exploiting it are two different things...... As far as I can tell, you need to be running a web server for someone to exploit this and it is the server that gets exploited. I don't think there is a way for a server to run arbitrary bash commands on a user's computer - web browsers don't generally allow that.... What the exploit will do is make it easier for hackers to get username/password combinations or to install arbitrary malicious code on the server which could infect your computer, just like any other malicious software can.

I'm assuming you're on a Mac - do you run anti-virus/anti-malware software? Or are you of the belief that Macs are protected because they run Linux?
 
As you probably already know, the first patch only partially fixed it.
A second CVE was raised to fix the vulnerability properly.

That second CVE patch is now available:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html

Time to update again today!
That's Ubuntu, Debian has a similar fix and the other major distros have or are doing the same.

Chet Ramey hasn't put patch level 26 for bash 4.3 (or similar patches for any of the previous versions) onto the repository at savannah.git yet, as I'm looking at it now. I suspect they will be coming today.

For anyone building from source, which I have to on one server, and who doesn't want to wait, details of the source code changes for all versions are here http://www.openwall.com/lists/oss-security/2014/09/26/1

Guess what I'm doing this morning:rolleyes::runaway:
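
Added example, not part of any post in this thread: shell helpers for the two checks discussed above, which accounts depend on bash as their login shell (so the binary cannot simply be moved) and whether a source-built bash has reached a given upstream patch level. The function names and the passwd sample are constructed for illustration; the "4.3 / 26" figures are assumed from the post above that mentions patch level 26 for bash 4.3.

```shell
#!/bin/sh
# Added example: audit helpers for a bash patch round.
# Function names are hypothetical; sample data is constructed.

# Print accounts whose login shell is bash. Reads a passwd-format file
# given as $1, or stdin if no file is given. These are the users who
# lose their terminal if /bin/bash is moved or replaced badly.
bash_login_accounts() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' ${1:+"$1"}
}

# Succeed if a "major.minor.patch" version is in the given series and at
# or above the required patch level; fail otherwise.
# Usage: patch_level_ok 4.3.25 4.3 26
patch_level_ok() {
    have_series=${1%.*}
    have_patch=${1##*.}
    case $have_patch in ''|*[!0-9]*) return 2 ;; esac   # not a number
    [ "$have_series" = "$2" ] || return 2               # different series
    [ "$have_patch" -ge "$3" ]
}

# Report the upstream version of the bash binary at a path
# (default /bin/bash), e.g. "4.3.25".
installed_bash_version() {
    "${1:-/bin/bash}" -c \
        'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}"'
}

# Constructed sample passwd data (not from any real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
git:x:1002:1002::/home/git:/usr/bin/git-shell
EOF
}

# Demo on the constructed sample: prints "root" and "deploy".
sample_passwd | bash_login_accounts

# On a real host (assumed invocation):
#   bash_login_accounts /etc/passwd
#   patch_level_ok "$(installed_bash_version)" 4.3 26 || echo "needs patching"
```

The patch-level comparison is only meaningful for a bash built from upstream source; a distro package may carry the fix without changing this number, so for packaged bash check the package version against the distro's advisory instead.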
 
As a noob to Linux and no experience of it whatsoever a lot of this shellshock and patches is away over my head, I just installed Linux Mint 17 2 days ago on a standalone laptop. It is just used mainly for browsing the net and email at home, my router is virgin superhub.
Do I need to worry about this bug ?
 
As a noob to Linux and no experience of it whatsoever a lot of this shellshock and patches is away over my head, I just installed Linux Mint 17 2 days ago on a standalone laptop. It is just used mainly for browsing the net and email at home, my router is virgin superhub.
Do I need to worry about this bug ?
No idea about Virgin Superhub, but your computer is fine (and bash will be patched when you next do an update).
 