Keith C. Perry on 26 Sep 2014 13:54:26 -0700
Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
What Rich said pretty much nails it... "Bottom line is that I've patched everything I have but my phone. I don't run a server farm though."

This really isn't that much of a big deal. DHCP, web and probably some other unmentioned attack vectors just get away from the actual issue. All my Lubuntu (servers) and Kubuntu (desktops) nodes are up to date, but even on my much older systems all that was needed was a build of bash 4.3.25 (it's a bit of a process because GNU didn't wrap a fresh tarball, but it's not bad to do; see http://www.snip2code.com/Snippet/174077/Manually-update-Bash-to-fix-shellshock/). Statically compiled that and pushed out. Done :D

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033 (M) +1.215.432.5167
www.daotechnologies.com

----- Original Message -----
From: "Rich Freeman" <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Cc: "FredStluka" <FredStluka@gmail.com>, "fred" <fred@bristle.com>
Sent: Friday, September 26, 2014 1:34:39 PM
Subject: Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

On Fri, Sep 26, 2014 at 1:00 PM, Keith C. Perry <kperry@daotechnologies.com> wrote:
>
> What are you envisioning as the attack vector from the client point of view? Is the concern that
> an infected DHCP server could craft an IP OFFER or ACK packet back to your client with an exploit?
>

Keep in mind that an "infected DHCP server" could be any other client on the network. A "DHCP server" is just a program that responds to DHCP DISCOVER/REQUEST packets. Anybody on the network (including wireless connections) could potentially send DHCP OFFER/ACK packets.

I don't know the details well enough to know exactly which implementations are vulnerable, and under what conditions. I doubt Android is vulnerable. The only phone I'm aware of that ships bash as part of the stock experience is the Oneplus One, and I'd be shocked if it was used for DHCP (it isn't the default sh for starters).

Linux desktops are the biggest risk here. Distros that migrated to dash are likely to be fairly safe unless they explicitly call bash in their scripts/etc. Some distros have their own ip-up scripts and such that could be problematic, and there are a lot of different DHCP client implementations. I think networkd is probably OK, but not all systemd distros use networkd I imagine (systemd is new, networkd is even newer).

I'm curious as to whether ChromeOS is vulnerable. It uses secure boot so the most a process is going to be able to do is run something in RAM - any tampering with the OS drive will just render it unbootable on the next reboot. I wouldn't be surprised if ChromeOS does run something like dhclient though.

Bottom line is that I've patched everything I have but my phone. I don't run a server farm though.

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
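Added example, not code from the thread or from either poster: a small POSIX shell audit that covers the two questions the exchange above turns on after a rebuild like Keith's, whether the local bash still executes the command trailing a function imported from the environment (the Shellshock bug itself), and whether the host's DHCP client hook scripts run under bash or under dash as Rich describes. The hook paths are assumed typical ISC dhclient locations and the marker string is constructed for the check.

```shell
#!/bin/sh
# Constructed audit helper, not code from the PLUG thread. Two post-patch checks:
# does the local bash still run the command that trails a function imported from
# the environment (the original Shellshock bug), and do this host's DHCP client
# hook scripts run under bash at all (dash-based hooks are the safer case)?

BASH_BIN=$(command -v bash 2>/dev/null || true)

# Prints "vulnerable" if bash executes the command following an exported function
# body, "patched" if it only warns about the import, "no-bash" if bash is absent.
shellshock_status() {
    [ -n "$BASH_BIN" ] || { echo no-bash; return 0; }
    out=$(probe='() { :; }; echo SHELLSHOCK_MARKER' "$BASH_BIN" -c true 2>/dev/null || true)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Prints the basename of the interpreter in a script's shebang ("bash", "sh",
# "dash", ...), or "none" if there is no shebang; "#!/usr/bin/env bash" -> "bash".
script_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null || true)
    case "$first" in
        '#!'*)
            interp=${first#??}   # drop the leading "#!"
            interp=${interp# }   # tolerate "#! /bin/sh"
            set -- $interp       # split into interpreter and its arguments
            if [ "$(basename "$1")" = env ]; then basename "${2:-env}"; else basename "$1"; fi
            ;;
        *) echo none ;;
    esac
}

# Assumed typical ISC dhclient hook locations (Debian family); adjust for other
# DHCP clients such as dhcpcd or NetworkManager dispatcher scripts.
audit_dhcp_hooks() {
    for f in /sbin/dhclient-script /usr/sbin/dhclient-script \
             /etc/dhcp/dhclient-enter-hooks.d/* /etc/dhcp/dhclient-exit-hooks.d/*; do
        [ -r "$f" ] || continue
        echo "$f -> $(script_interpreter "$f")"
    done
}

echo "bash (${BASH_BIN:-not found}): $(shellshock_status)"
audit_dhcp_hooks
```

Any hook reported as running under bash is the one to re-test after pushing out a rebuilt binary; hooks under sh/dash are only exposed if they call bash themselves.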