Linux bash vulnerability
Knock first as I might be balancing my chakras.
-
Twenty-two years? I heard it was at least twenty-five, though I haven't bothered going through the old source code to check
CGI isn't your only worry. An appropriately-crafted DHCP packet is just one of many other examples of how to gain privileged access to a vulnerable system.
CGI is the most commonly seen example at the moment because it's the easiest way to demonstrate the vulnerability; but it is just an example, not the be-all and end-all. Any report that characterises this as something to do specifically with web servers has completely missed the point.
-
Originally posted by administrator
Aye, as I understand it on Ubuntu dash is the default but bash is still there. But best ask Suity, he is the expert on these things
-
Originally posted by NickFitz
Twenty-two years? I heard it was at least twenty-five, though I haven't bothered going through the old source code to check
CGI isn't your only worry. An appropriately-crafted DHCP packet is just one of many other examples of how to gain privileged access to a vulnerable system.
CGI is the most commonly seen example at the moment because it's the easiest way to demonstrate the vulnerability; but it is just an example, not the be-all and end-all. Any report that characterises this as something to do specifically with web servers has completely missed the point.
Knock first as I might be balancing my chakras.
-
Originally posted by suityou01
Ubuntu and Debian flavours are unaffected.

Code:
root@placid:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Code:
root@tyrant:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
vulnerable
this is a test

Code:
root@tyrant:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Code:
root@chill:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Code:
root@chill:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
-
Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary.
Knock first as I might be balancing my chakras.
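One way to carry out the check described in the post above, as an added example that is not part of the original thread: it reports what /bin/sh resolves to and runs the probe command quoted earlier in the thread against every bash binary it finds. The function names and result labels are made up for this example, and the probe only exercises the one test shown on this page.

```sh
#!/bin/sh
# Added example (not from the thread): list the shells in use and run the
# thread's probe against every bash binary that is installed.

# Classify the combined stdout/stderr of the probe command.
classify_probe() {
    case "$1" in
        *vulnerable*)
            echo VULNERABLE ;;      # the trailing "echo vulnerable" was executed
        *"ignoring function definition attempt"*)
            echo PATCHED_WARNS ;;   # import of x was rejected with a warning
        *"this is a test"*)
            echo NOT_IMPORTED ;;    # x was never treated as a function
        *)
            echo UNKNOWN ;;
    esac
}

# Run the probe shown in the thread against one bash binary ($1).
probe_bash() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>&1) || true
    classify_probe "$out"
}

# Report what /bin/sh resolves to, then probe each bash found.
audit_shells() {
    echo "/bin/sh -> $(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)"
    {
        grep 'bash$' /etc/shells 2>/dev/null || true
        command -v bash || true
    } | sort -u | while read -r b; do
        [ -x "$b" ] || continue
        echo "$b: $(probe_bash "$b")"
    done
}

audit_shells
```

A VULNERABLE result for any listed bash binary means that package still needs patching, even when /bin/sh points at dash.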
-
Originally posted by administrator
Not true. Here's the output from one of my machines - Ubuntu 10.04:

Code:
root@placid:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Code:
root@tyrant:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
vulnerable
this is a test

Code:
root@tyrant:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Code:
root@chill:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Code:
root@chill:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Too new-fangled for me....
-
Originally posted by suityou01
Ok so you're sounding more scared now the enormity is sinking in.
-
If DHCP and Macs are affected, that's going to be a problem for some creative/digital businesses.
All it would take is a worm to set up rogue DHCP servers on each infected host and it would be a fast-spreading denial-of-service infection akin to Blaster or SQL Slammer.
I imagine businesses running mainly Macs are also going to take a relaxed approach to endpoint security, since it's common folklore knowledge "Macs don't get viruses"
-
Originally posted by suityou01
Unless of course you installed bash. Or it was rolled out alongside something else.
Like.