Fred Stluka on 26 Sep 2014 07:51:40 -0700 |
Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security |
Good point! I'm also not running a DHCP server.

--Fred
------------------------------------------------------------------------
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------

On 9/26/14 9:48 AM, Rich Freeman wrote:
> On Fri, Sep 26, 2014 at 9:30 AM, Fred Stluka <fred@bristle.com> wrote:
>> As I understand it, the risk is only if someone can cause an arbitrary
>> environment variable to be set and then run a bash script. For example,
>> someone already logged in to the server, or someone accessing it via a
>> CGI script at its Web server.
>
> DHCP has also been brought up as an attack vector, as some scripts may
> pass unsanitized DHCP server output into an environment variable. That
> is mainly an issue for laptops visiting foreign networks, but it could
> be used to attack other hosts on the same subnet.
>
> For things other than webservers I think the threat is moderate, but in
> general it is a bad idea to leave vulnerable software around since it
> could be used in a way you didn't anticipate. For example, people said
> heartbleed wasn't an issue for routers that didn't use https, but then
> it came up that some could use openssl as part of their WPA2
> authentication in a way that makes them vulnerable.
>
> Bottom line is that software vulnerabilities occur when software does
> things that are unexpected. Such behavior can cause problems at any
> time, so it is almost always worth trying to fix.
>
> Of course, priority is a different matter. My phone came with a
> vulnerable bash pre-installed, but I'm not in a rush to replace it as it
> isn't the default shell and I can't think of any likely exploit due to
> the nature of Android, and I'll just take the next OTA update whenever
> it gets sent out (probably within a few weeks). If something changes
> that assessment I can always build my own bash from source, or I could
> probably just delete it (I doubt anything needs to depend on it).
>
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
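The condition Rich describes (an attacker-controlled environment variable followed by a bash invocation) can be checked on a host directly. The following POSIX sh script is an added example, not code from the thread or from the bash project: it probes whether the installed bash still runs a command appended to an exported function definition, and it shows the filter a CGI or DHCP hook script can apply before handing an untrusted value to the environment. The function names and the marker string are my own choices.

```shell
#!/bin/sh
# Added example (not from the PLUG thread). Two defensive helpers:
#   check_bash_env_import  - does the local bash execute a trailing command
#                            while importing a function from the environment?
#   is_function_shaped     - does an untrusted value look like an exported
#                            function definition, i.e. begin with "() {"?

# Prints "vulnerable" (returns 0), "patched" (returns 1) or "no-bash" (returns 2).
check_bash_env_import() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # Constructed marker so the probe output cannot be confused with anything
    # else bash might print. The environment value is a harmless function body
    # followed by a trailing command; an unpatched bash runs that trailing
    # command while importing the function, before the -c script even starts.
    marker="shellshock_marker_$$"
    out=$(env "probe=() { :; }; echo $marker" "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *"$marker"*) echo "vulnerable"; return 0 ;;
        *)           echo "patched";    return 1 ;;
    esac
}

# Filter for scripts that copy untrusted input (CGI request headers, DHCP
# option values) into environment variables: returns 0 if the value carries
# the function-import signature bash looks for, so the caller can drop it.
is_function_shaped() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage when run as a script: report the state of the bash given as $1
# (default: the first bash on PATH). The "|| true" keeps a "patched" verdict
# from turning into a non-zero exit under set -e.
check_bash_env_import "${1:-bash}" || true
```

A hook script that exports DHCP or CGI values should apply is_function_shaped to each value and discard any match; the probe is a point-in-time check and should be re-run after every bash update.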