Rich Freeman on 26 Sep 2014 06:49:04 -0700

Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

On Fri, Sep 26, 2014 at 9:30 AM, Fred Stluka <fred@bristle.com> wrote:
>
> As I understand it, the risk is only if someone can cause an
> arbitrary environment variable to be set and then run a bash
> script.  For example, someone already logged in to the server,
> or someone accessing it via a CGI script at its Web server.
>

DHCP has also been brought up as an attack vector, as some scripts may
pass unsanitized DHCP server output into an environment variable.
That is mainly an issue for laptops visiting foreign networks, but it
could be used to attack other hosts on the same subnet.

For things other than web servers I think the threat is moderate, but
in general it is a bad idea to leave vulnerable software around since
it could be used in a way you didn't anticipate.  For example, people
said Heartbleed wasn't an issue for routers that didn't use https, but
then it came up that some could use OpenSSL as part of their WPA2
authentication in a way that makes them vulnerable.

Bottom line is that software vulnerabilities occur when software does
things that are unexpected.  Such behavior can cause problems at any
time, so it is almost always worth trying to fix.  Of course, priority
is a different matter.  My phone came with a vulnerable bash
pre-installed, but I'm not in a rush to replace it as it isn't the
default shell and I can't think of any likely exploit due to the
nature of Android, and I'll just take the next OTA update whenever it
gets sent out (probably within a few weeks).  If something changes
that assessment I can always build my own bash from source, or I could
probably just delete it (I doubt anything needs to depend on it).

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
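The thread turns on whether a host's bash still executes the trailing commands of a function definition handed to it in an environment variable (the behaviour behind the Shellshock bug, whether the variable arrives via CGI, DHCP hooks or a logged-in user). The following is an added example, not code from the PLUG thread or from Rich: a local, read-only check that a host administrator can run to see whether the installed bash exhibits that behaviour. The only thing a pre-fix bash does here is print a marker string; the function name `x`, the marker text and the `shellshock_check` helper name are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): report whether the bash on this host
# still runs commands that follow a function definition imported from the
# environment. Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = no bash found.

shellshock_check() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "bash not found"; return 2; }

    # Unique marker so we only react to output produced by the injected echo.
    marker="SHELLSHOCK_MARKER_$$"

    # A pre-fix bash treats an env var whose value begins with "() {" as a
    # function definition and ALSO executes whatever follows the closing brace
    # while it starts up. Here that trailing command is nothing but an echo.
    # A fixed bash imports the variable as plain text and prints nothing.
    out=$(env "x=() { :; }; echo $marker" "$bash_bin" -c ':' 2>/dev/null)

    case "$out" in
        *"$marker"*) echo "vulnerable";     return 1 ;;
        *)           echo "not vulnerable"; return 0 ;;
    esac
}

# Run the check when the script is executed directly.
shellshock_check
```

Run it as an unprivileged user; a "vulnerable" result means any process that can place a string into bash's environment before bash starts (CGI headers, DHCP option hooks, SSH forced commands) needs to be treated as an exposure until the package is updated.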