Linux Bash security flaw - September 2014

Sep 24, 2014 threads:

  • http://www.metafilter.com/143038/Running-a-server-Drop-everything-and-update-it-now
  • https://news.ycombinator.com/item?id=8361574
  • https://news.ycombinator.com/item?id=8364746
  • https://news.ycombinator.com/item?id=8365158
  • https://news.ycombinator.com/item?id=8365110

Stories:

  • http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html
  • http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html
  • http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/
  • http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-7000034044/

To test whether a machine is vulnerable, execute at the command prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

On my Digital Ocean-hosted Ubuntu server, the system returned:

vulnerable
this is a test

I updated Bash by executing:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Then after executing env x='() { :;}; echo vulnerable' bash -c "echo this is a test" again, the system returned:

bash: warning: badvar: ignoring function definition attempt 
bash: error importing function definition for `badvar'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But as of Sep 24, 2014, the update is only a partial fix.

I tested the servers that host my other sites, and those servers did not show the vulnerability. I would not be able to update those servers, since my accounts exist on shared servers.
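
The test, update, retest procedure above, wrapped so it can be run against every bash binary on a host. This is an added example, not part of the original note; the function names `check_bash` and `check_all_bash` and the marker string are made up for it. Because the update was only a partial fix as of Sep 24, 2014, a `not-vulnerable` result means only that this one probe no longer fires.

```shell
#!/bin/sh
# Added example; function names and the marker string are illustrative.
MARKER="TRAILING_CODE_EXECUTED"

# check_bash PATH -> prints vulnerable | not-vulnerable | unusable
# and returns 1 | 0 | 2, so the result can drive a script or a monitor.
check_bash() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "unusable"
        return 2
    fi
    # Same probe as above: variable x holds a function definition followed
    # by an extra command. stderr is discarded because an updated bash
    # prints "ignoring function definition attempt" warnings there.
    out=$(env x="() { :;}; echo $MARKER" "$shell_path" -c 'echo probe-finished' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*)      echo "vulnerable";     return 1 ;;
        *probe-finished*) echo "not-vulnerable"; return 0 ;;
        *)                echo "unusable";       return 2 ;;
    esac
}

# check_all_bash: probe every bash in /etc/shells plus the one on PATH.
# Returns the highest status seen (0 only when every copy passed the probe).
check_all_bash() {
    worst=0
    candidates=$( { grep -E '/bash$' /etc/shells 2>/dev/null || true
                    command -v bash || true; } | sort -u )
    for b in $candidates; do
        result=$(check_bash "$b") && rc=0 || rc=$?
        printf '%s\t%s\n' "$b" "$result"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Run the sweep only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_all_bash
fi
```

Run it with `--run` before and after the `apt-get` upgrade; a non-zero exit status means at least one copy of bash still echoed the marker or could not be probed.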

#linux - #security

From JR's : articles

© 2013-2017 JotHut - Online notebook
