The IBM HMC appliance is completely vulnerable: you can switch to root after the exploit, which is normally locked out since all users have pesh as their shell and can't even su or run bash.
That means you can, amongst other things, totally destroy an LPAR or even trash the frames that the HMC administers.
Of course, you'd need to get to the HMC first...
Previously on "Anyone use bash?"
-
Originally posted by NickFitz:
Apple now has a patch for OS X. I assume it will appear in Software Update soon, but if you can't wait, this post has links: https://applespotlight.com/2014/09/2...vulnerability/
-
Apple now has a patch for OS X. I assume it will appear in Software Update soon, but if you can't wait, this post has links: https://applespotlight.com/2014/09/2...vulnerability/
-
Upgraded my servers from 11 to 14 today.
4 hours in total, so not too bad a hit.
I think I might go and have a pint now.
-
Originally posted by NickFitz:
IIRC the default package manager for Ubuntu is apt-get, but odd-numbered releases [removed: turns out they've made it even more recondite than that] don't get long term support so
Code:
sudo apt-get update && sudo apt-get install --only-upgrade bash
It looks like the alternative is to upgrade bash from source: having made sure the system is backed up, follow the instructions in the accepted answer at "How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade?" on Super User.
If practicable, you should consider updating the box to either the current stable release, or at least to 12 which gets maintained for five years, taking you up to April 2017.

Maybe it is about time I upgraded though.
-
Originally posted by minestrone:
How does one go about fixing this, if it does need fixing?
I'm running Ubuntu 11.04 with Apache/2.2.17 which has some virtual hosts to do reverse lookups to tomcat servers. No other purpose.
Is CGI enabled by default on apache2?
running...
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
gives me
busted
completed
Cheers for any help

IIRC the default package manager for Ubuntu is apt-get, but odd-numbered releases [removed: turns out they've made it even more recondite than that] don't get long term support so
Code:
sudo apt-get update && sudo apt-get install --only-upgrade bash
It looks like the alternative is to upgrade bash from source: having made sure the system is backed up, follow the instructions in the accepted answer at "How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade?" on Super User.
If practicable, you should consider updating the box to either the current stable release, or at least to 12 which gets maintained for five years, taking you up to April 2017.
Last edited by NickFitz; 26 September 2014, 14:50.
-
How does one go about fixing this, if it does need fixing?
I'm running Ubuntu 11.04 with Apache/2.2.17 which has some virtual hosts to do reverse lookups to tomcat servers. No other purpose.
Is CGI enabled by default on apache2?
running...
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
gives me
busted
completed
Cheers for any help
-
Originally posted by DaveB:
The problem is that because the open source model is meant to ensure that code is peer reviewed by the open source community there is a tendency for people to assume that someone else has done the reviewing and that it must be ok because so many people are using it.

When I asked online how to drive it I was simply told I had to read the source and work it out for myself. Ha. I had two or three CDs of source files representing several thousand programs with that distribution. Was I supposed to read and understand the sources of everything there?
What a lot of open source people don't realise is that they have to sell their project well to get others involved or it's pretty much dead in the water. There isn't even the attraction of earning some cash.

Originally posted by DaveB:
This is essentially what happened with Heartbleed. Only two people actually reviewed the code for Open SSL. And they were the guy who wrote it and the guy who managed the repository for it. Everyone else just went "Ooh, cryptography stuff, that's too complicated for me, I'll just assume someone else has looked at it."

There's also the problem of the corporates taking open source and laying off their own R&D as a result. What they should be doing is contributing themselves, either in the form of active participation (hey, even project management would help) or financial assistance.
-
Originally posted by Contreras:
To check if your system is affected, this code will print "safe" or "unsafe" against the shellshock vulnerability:
Code:
~$ env x='() { :;}; echo -n un' bash -c "echo safe"
unsafe
Code:
~$ env x='() { :;}; echo -n un' bash -c "echo safe"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
safe
Code:
~$ env x='() { :;}; echo -n un' bash -c "echo safe"
safe

You mean Squeeze and Wheezy I take it...
Ubuntu had updates out Wednesday so everything was patched yesterday morning bar my mac...
Asus routers don't use Bash so not to worry there....
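The env-variable probe the posters above are running, wrapped as an added example (not from the thread or any poster) into POSIX sh functions that return an exit status rather than only printing "safe"/"unsafe", so the same check can be run non-interactively across many hosts by an audit or config-management job. The function names, the `probe` variable name and the marker string are my own choices; the test payload itself is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the same environment-variable probe the
# posters used, turned into functions with exit statuses so an audit script can
# act on the result instead of a person reading "safe"/"unsafe" off a terminal.

# shellshock_check [path-to-bash]
#   0 = patched    (bash ignores the trailing command in the env value)
#   1 = vulnerable (bash executed the trailing command on startup)
#   2 = no runnable bash at the given or default path
shellshock_check() {
    target="${1:-$(command -v bash 2>/dev/null)}"
    [ -n "$target" ] && [ -x "$target" ] || return 2
    # Constructed marker: it only reaches stdout if bash runs the payload.
    marker="shellshock_probe_marker_$$"
    # 'probe' is an arbitrary variable name; the value looks like an exported
    # function followed by a stray command, exactly as in the thread's test.
    # stderr is discarded because a patched bash may print "ignoring function
    # definition attempt" warnings there, which we do not want to match on.
    out=$(env "probe=() { :;}; echo $marker" "$target" -c ':' 2>/dev/null)
    case "$out" in
        *"$marker"*) return 1 ;;
        *)           return 0 ;;
    esac
}

# shellshock_report [path-to-bash]: prints one word, like the thread's one-liner,
# and passes the numeric status through for scripts that want both.
shellshock_report() {
    shellshock_check "$@"
    rc=$?
    case $rc in
        0) echo "safe" ;;
        1) echo "unsafe" ;;
        *) echo "no-bash" ;;
    esac
    return $rc
}

# When saved as shellshock_check.sh and run directly, report on the bash on PATH.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
    shellshock_report
fi
```

Source the file and call `shellshock_check /bin/bash` (or any other bash binary, useful on boxes that carry more than one) and branch on `$?`; a non-zero status other than 2 is the signal to schedule the `apt-get install --only-upgrade bash` run NickFitz describes.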