Keith C. Perry on 26 Sep 2014 07:22:43 -0700



Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security


This reinforces the idea that security is a multifaceted (or multilayer in the case of computing) experience.  There are vulnerabilities, there are exploits and then there are cascading failures.  Even if people aren't obsessive about security they probably have at least 3 security layers working for them (network, system and application level protections).

In my opinion this one is not as serious as the SSL bug and even that was somewhat overdone though it was understandable because SSL is client facing.

Bash in the modern world is not...  (most notable use is probably via SSH if that is the shell used.)

"That said, a system with Bash isn't always remotely exploitable. The key, as Graham noted, is when that resource "first sticks some Internet parameter in an environmental variable, and then executes a Bash script.""

Unless they're doing something highly specialized, most programmers are not executing calls out to bash.

This is definitely skewed more towards situations where someone can gain or already has bash access.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "Rich Freeman" <r-plug@thefreemanclan.net>
To: "fred" <fred@bristle.com>, "FredStluka" <FredStluka@gmail.com>, "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Friday, September 26, 2014 9:48:56 AM
Subject: Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

On Fri, Sep 26, 2014 at 9:30 AM, Fred Stluka <fred@bristle.com> wrote:

 As I understand it, the risk is only if someone can cause an
 arbitrary environment variable to be set and then run a bash
 script.  For example, someone already logged in to the server,
 or someone accessing it via a CGI script at its Web server.


DHCP has also been brought up as an attack vector, as some scripts may
pass unsanitized DHCP server output into an environment variable.
That is mainly an issue for laptops visiting foreign networks, but it
could be used to attack other hosts on the same subnet.

For things other than webservers I think the threat is moderate, but
in general it is a bad idea to leave vulnerable software around since
it could be used in a way you didn't anticipate.  For example, people
said Heartbleed wasn't an issue for routers that didn't use https, but
then it came up that some could use openssl as part of their WPA2
authentication in a way that makes them vulnerable.

Bottom line is that software vulnerabilities occur when software does
things that are unexpected.  Such behavior can cause problems at any
time, so it is almost always worth trying to fix.  Of course, priority
is a different matter.  My phone came with a vulnerable bash
pre-installed, but I'm not in a rush to replace it as it isn't the
default shell and I can't think of any likely exploit due to the
nature of Android, and I'll just take the next OTA update whenever it
gets sent out (probably within a few weeks).  If something changes
that assessment I can always build my own bash from source, or I could
probably just delete it (I doubt anything needs to depend on it).

--
Rich
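The condition both messages describe (an outside value lands in an environment variable, then bash starts) can be checked and blunted on the host. The script below is an added example, not code from the PLUG thread or its participants; it assumes `bash` and `env` are on PATH, and the probe variable name and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): a defender's self-check for the
# condition Fred and Rich describe, plus a log-review helper and a mitigation.
# Assumes `bash` and `env` exist on PATH; SHELLSHOCK_PROBE is a constructed name.

# Print "vulnerable", "patched" or "no-bash". The probe is the published
# self-test shape: a variable whose value is a function definition followed
# by a trailing command. A patched bash refuses the import (and warns on
# stderr); an unpatched one runs the trailing command while starting up.
check_bash_env_import() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo PROBE_RAN' bash -c ':' 2>/dev/null)
    case "$out" in
        *PROBE_RAN*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# Log-review helper: does a header or DHCP option value start with the
# function-definition marker that every import attempt must begin with?
looks_like_function_import() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Mitigation: run a script with an allow-listed environment so values copied
# from CGI headers or DHCP options never reach bash's importer at all.
run_with_clean_env() {
    env -i PATH="${PATH:-/usr/bin:/bin}" HOME="${HOME:-/}" "$@"
}

# Stand-alone use: `sh shellshock_check.sh --check` reports the local bash status.
if [ "${1:-}" = "--check" ]; then
    check_bash_env_import
fi
```

Even where `check_bash_env_import` reports "patched", `run_with_clean_env` is the cheaper habit for any wrapper that hands untrusted input to a shell script.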
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug