Linux bash exploit discovered

mouser:
"Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh---but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details."

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
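
An added example (not part of the original post, and not Akamai's WAF rule) of the "filtering inputs to vulnerable services" mitigation quoted above: request headers are mapped to CGI-style variables, and any value that starts like a bash function definition is withheld before a shell can see it. The function names, the sample request and the whitespace-tolerant pattern are assumptions made for this illustration.

```python
import re

# Affected bash versions treated any environment value beginning with "() {"
# as a function definition and parsed it on startup. Allowing optional
# whitespace makes this filter deliberately broader than that exact prefix.
FUNCDEF_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def looks_like_funcdef(value):
    """True if the value starts like a bash function definition."""
    return bool(FUNCDEF_PREFIX.match(value))


def cgi_env_from_headers(headers, query_string=""):
    """Build CGI-style variables, withholding any suspicious value.

    Returns (env, rejected): env is what may be handed to a child process,
    rejected lists the variable names that were dropped, for logging.
    """
    candidates = {"QUERY_STRING": query_string}
    for name, value in headers.items():
        candidates["HTTP_" + name.upper().replace("-", "_")] = value

    env, rejected = {}, []
    for var, value in candidates.items():
        if looks_like_funcdef(value):
            rejected.append(var)
        else:
            env[var] = value
    return env, sorted(rejected)


# Constructed sample request; the command part of each probe is elided.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "() { :; }; <command elided>",
    "Referer": " ()  {ignored;}; <command elided>",
    "Accept": "text/html",
    "Cookie": "note=f() { is not at the start",
}

if __name__ == "__main__":
    env, rejected = cgi_env_from_headers(SAMPLE_HEADERS, "q=bash")
    print("passed to CGI:", sorted(env))
    print("rejected:", rejected)
```

Upgrading bash, the first mitigation in the quote, remains the actual fix; a filter like this only covers the input path it sits on.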

Gothi[c]:
The RH article has a nice summary of possible attack vectors: https://access.redhat.com/articles/1200223

Jibz:
That's awful. Looks a bit like a bash version of http://xkcd.com/327/

TaoPhoenix:
Also awful is "and confirmed its presence in bash for an extended period of time".

So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014. I mean, I know zero about Linux, but isn't bash one of those "deep core" little items that's been around forever?

(Glancing at the article for snips)
"...has been given the name Shellshock by some"

"this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It's quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example -- routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed."

It's like a war now. "My heart is bleeding, and now I have shellshock." :(

Meanwhile in a tangentially related article I don't have the link to this minute, someone reported that hackers want medical data even more than credit cards now, and it remarked that hospitals don't always have top-notch IT departments. So if someone gets into some medical equipment, that could cause a mess!!
Robin Cook, where are you?
:o

Renegade:
So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014. I mean, I know zero about Linux, but isn't bash one of those "deep core" little items that's been around forever?
-TaoPhoenix (September 25, 2014, 06:40 AM)
--- End quote ---

God only knows how many of these are floating out there.

I worked on bada for a while, and I was pretty surprised when it was shelved for Tizen. It had an excellent security model. Pretty much everything was entirely encapsulated to an insane degree.

For example, you couldn't really ever do this:

myVar = SomeFunction(input1, input2);

Instead, you had to do this:

Error myError = SomeFunction(input1, input2, out myVar);

Functions returned only error values, so if things go smooth, you might have "myError" equal to "Error.OK" or something like that.

It allowed for functions to operate as black boxes with error checking already incorporated.

A lot of functions returned booleans, but whatever - same diff - errors are caught.

I checked the exploit above, and it seems rather odd that it was never caught before. One has to wonder who the committers are for some of these.
