Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

Fred Stluka on 26 Sep 2014 06:31:07 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

From: Fred Stluka <fred@bristle.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Subject: Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
Date: Fri, 26 Sep 2014 09:30:55 -0400
Organization: Bristle Software, Inc.
Reply-to: fred@bristle.com, FredStluka@gmail.com, Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:31.0) Gecko/20100101 Thunderbird/31.1.2

Anyone have a good idea of how serious a concern this is, from
a practical point of view?

I've read lots of the recent articles about what the exploit could
theoretically do, but not so much about the likelihood that a
server using newer technologies is actually vulnerable.

As I understand it, the risk is only if someone can cause an
arbitrary environment variable to be set and then run a bash
script.  For example, someone already logged in to the server,
or someone accessing it via a CGI script at its Web server.

I may be safe because:
- There are only 3 users with logins and they are trusted
- There is no remote (ssh) root login, only the 3 users.
- There are no CGI scripts run by the Apache Web server
- There is no telnet access
- There is no FTP access
- There is no SMTP access
- There is Apache WSGI access to a Python/Django app
- Apache runs as user "apache", not "root"

Do I really need to worry about this, and scramble to patch
it like I did for Heartbleed?  Or just continue to apply future
security patches as usual, as they come along?

Thanks!
--Fred
------------------------------------------------------------------------
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------
On 9/26/14 8:08 AM, Chris Grabowy wrote:

Not sure if everyone is aware of this…
As if consumers weren’t already suffering from breach fatigue: Expertswarn that attackers are exploiting a critical, newly-disclosedsecurity vulnerability present countless networks and Web sites thatrely on Unix and Linux operating systems. Experts say the flaw, dubbed"Shellshock," is so intertwined with the modern Internet that it couldprove challenging to fix, and in the short run is likely to putmillions of networks and countless consumer records at risk ofcompromise.
http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/



___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
  - From: Rich Freeman <r-plug@thefreemanclan.net>

References:
- [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
  - From: Chris Grabowy <cgrabowy@gmail.com>

Prev by Date: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
Next by Date: Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
Previous by thread: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
Next by thread: Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
Index(es):
- Date
- Thread