Oct 3, 2014

GNU Bash Shellshock Hits

If your servers pass both of the following tests (the first must not print "vulnerable"; the second, run in an empty scratch directory, must not leave a file named "echo" behind for cat to read), we may be safe, for now

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
$ env X='() { (a)=>\' bash -c "echo ls"; cat echo
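The same two probes wrapped in a script that runs the second one in a scratch directory (so its side effect, the file named "echo", does not land in your working directory) and reports a result per CVE. This is an added example and not code from the original post: the function names are mine, and it assumes the shell under test is passed as the first argument or found as "bash" in PATH.

```shell
#!/bin/sh
# Shellshock probe for CVE-2014-6271 and CVE-2014-7169.
# Added example, not part of the original post. Assumes the shell to test is
# given as the first argument (default: "bash" from PATH); function names are
# my own. A shell that never imports functions from the environment (dash,
# zsh, ksh) reports "patched" for both, since the bug is bash-specific.

check_cve_2014_6271() {
    shell="${1:-bash}"
    # A vulnerable bash keeps parsing past the function body in $x and runs
    # the trailing "echo vulnerable" while importing the variable.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

check_cve_2014_7169() {
    shell="${1:-bash}"
    # Run in a scratch directory: the probe's side effect is a file named
    # "echo" in the current directory, which must not end up in $PWD.
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        # With only the 6271 fix applied, the parser is left holding ">\" after
        # the bad definition, so the -c string is parsed as ">echo ls": ls runs
        # with its output redirected into a file called "echo".
        env X='() { (a)=>\' "$shell" -c 'echo ls' >/dev/null 2>&1 || true
        if [ -e echo ]; then echo vulnerable; else echo patched; fi
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Prints one line per CVE; exit status 0 only if both probes report "patched".
shellshock_status() {
    shell="${1:-bash}"
    r6271=$(check_cve_2014_6271 "$shell")
    r7169=$(check_cve_2014_7169 "$shell")
    printf 'CVE-2014-6271 (%s): %s\n' "$shell" "$r6271"
    printf 'CVE-2014-7169 (%s): %s\n' "$shell" "$r7169"
    [ "$r6271" = patched ] && [ "$r7169" = patched ]
}

shellshock_status "${1:-bash}"
```

Run it as `sh shellshock-check.sh /bin/bash`. "vulnerable" on the first line means the original bug is unpatched; "patched" on the first and "vulnerable" on the second means only the first, incomplete fix is installed. The probe only tells you about the binary you point it at, so run it against every bash on the host (for example /bin/bash and whatever /bin/sh resolves to).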

However, I don't think GNU Bash, or the Linux distros, can provide a solid patch in the upcoming few days.

IMO, if we don't limit ourselves to bash, which is the default shell in most Linux distros,
we can switch to other shells like the C, Korn or Z shell in the meantime.

Bash Shellshock-based botnets are in the wild.

Bash Shellshock is even more dangerous than OpenSSL Heartbleed because it is exploited at the core: a shell of the OS.

As of 2014/10/03, the patches for Bash Shellshock seem not to resolve the root cause of the bugs. I guess that more and more patches are coming.

See these links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278

--
Best Regards,
Nguyen Hung Vu [aka: NVH] (in Vietnamese: Nguyễn Vũ Hưng, グェン ヒュン ウー, 阮武興)
vuhung16plus{remove}@gmail.dot.com , YIM: vuhung16 , Skype: vuhung16plus, twitter: vuhung, MSN: vuhung16.
vuhung's facebook, Nguyễn Vũ Hưng's blog on Free and Open Source, Blog in Japanese, Vietnamese LibreOffice, Mozilla & Firefox in Vietnamese

Disclaimer: When posted to social networking groups, including but not limited to Linux Users' Groups, Free and Open Source forums and mailing lists, the above is my personal opinion and is *not* the opinion of my employer(s) or of the associations and/or groups I belong to.