[TriLUG] Fwd: [ NNSquad ] Bug in Bash shell creates big security hole on anything with *nix in it

Steve Holton sph0lt0n at gmail.com
Wed Sep 24 18:37:21 EDT 2014


Quick summary:

There is an easy test to determine if a Linux or Unix system is vulnerable.
> To check your system, from a command line, type:
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> If the system is vulnerable, the output will be:
> vulnerable
>  this is a test
> An unaffected (or patched) system will output:
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>  bash: warning: x: ignoring function definition attempt
>  bash: error importing function definition for `x'
>  this is a test
> The fix is an update to a patched version of the Bash shell. To be safe,
> administrators should do a blanket update of their versions of Bash in any
> case.



---------- Forwarded message ----------
From: Lauren Weinstein <lauren at vortex.com>
Date: Wed, Sep 24, 2014 at 6:02 PM
Subject: [ NNSquad ] Bug in Bash shell creates big security hole on
anything with *nix in it
To: nnsquad at nnsquad.org



Bug in Bash shell creates big security hole on anything with *nix in it
Could allow attackers to execute code on Linux, Unix, and Mac OS X

(Ars):
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

   "The bug, discovered by Stephane Chazelas, is related to how Bash
    processes environmental variables passed by the operating system or by
    a program calling a Bash-based script. If Bash has been configured as
    the default system shell, it can be used by network-based attackers
    against servers and other Unix and Linux devices via Web requests,
    secure shell, telnet sessions, or other programs that use Bash to
    execute scripts."

 - - -

--Lauren--
Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org
 - PRIVACY Forum: http://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility:
http://www.pfir.org/pfir-info
Member: ACM Committee on Computers and Public Policy
I am a consultant to Google -- I speak only for myself, not for them.
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com



-- 
Steve Holton
sph0lt0n at gmail.com
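
The one-line test quoted at the top of this message, wrapped so it can be run against several bash binaries and scored automatically. This is an added example, not part of the original message or the quoted article; the function names and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: scores the output of the probe quoted in the message.
# Helper names and candidate paths are assumptions, not from the article.

# Read probe output on stdin and print a verdict.
classify_probe_output() {
    out=$(cat)
    # A vulnerable bash executes the text after the function body, so a
    # line consisting only of "vulnerable" precedes the expected echo.
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*vulnerable[[:space:]]*$'; then
        echo vulnerable
    # The expected echo with no "vulnerable" line means the trailing
    # command was not run. The warning lines are not needed for this verdict.
    elif printf '%s\n' "$out" | grep -q 'this is a test'; then
        echo unaffected
    else
        echo inconclusive
    fi
}

# Run the probe from the message against one binary.
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    # The payload only echoes a word; stderr is merged so the warnings
    # from a patched bash are captured along with stdout.
    env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>&1 |
        classify_probe_output
}

# Probe every path given; return 1 if any of them is vulnerable.
audit_bash_binaries() {
    rc=0
    for candidate in "$@"; do
        verdict=$(probe_bash "$candidate")
        printf '%s: %s\n' "$candidate" "$verdict"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# Candidate locations (assumed); extra copies often live under /usr/local.
audit_bash_binaries /bin/bash /usr/bin/bash /usr/local/bin/bash ||
    echo "at least one bash needs the update described above"
```

A non-zero return from audit_bash_binaries makes it easy to use as a check in a configuration-management run across many hosts.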

