FWIS3

I know what you're thinking: "Of course a command shell is vulnerable, that's why you don't provide remote access to it."

Unfortunately, on Linux, web services and other stuff depend on the command shell being secure...

http://seclists.org/oss-sec/2014/q3/650
http://unix.stackexchange.com/questions ... shellshock

Anything that exports an environment variable can force the bash command shell to execute arbitrary code upon loading that variable. And lots and lots and lots of software uses environment variables. So lots and lots and lots of software suddenly has massive remote vulnerabilities; because the local program that provides the command line interface, and should never even be accessible from a web service, does something that it should be pretty much expected to do.

But remember, folks, this is the World's Most Robust OS.

(However, expect squid to step in and correct me in 3... 2... 1...)

Wonderful

You can't be that confident about what you're saying if you expect to be corrected

If Linux is the world's most robust OS then I'm a hungarian parking attendant.

O, te is magyar vagy? Nagyszeru!

squ1d wrote:You can't be that confident about what you're saying if you expect to be corrected

It's become a bit of a pattern lately...

If Linux is the world's most robust OS then I'm a hungarian parking attendant.

"I saw it on a website with 'Business' in its name, so it must be true!"

http://www.businessinsider.com/linus-to ... 014-6?op=1

Edit: more seriously, I've found the Linux kernel quite reliable (despite all my complaints) but I still see a lot of ridiculous hype about how awesome Linux is.

There is a disturbing trend of people writing about shit they have no clue about but coming off as experts to the unwary.
Problem is of course many get suckered till they find out the facts.
Others however just read the garbage, take it as gospel then regurgitate the same false information, sometimes getting paid to do it.

e.g. The Free XP on windows 8 topic. One guy found a way to get XP running on Windows 8, but, it's free for a month then you have to activate it.
Regardless of the amount of people I've found that have proven this is the case, they just keep repeating the same shit everywhere.
Then there are discussion of how it comes with a key...but the key doesn't work.

NIST gave it a rating of 10.0 can't get any worse than that.

On top of that, the patches provided don't fix the whole thing there's a new NIST advisory about it.

This IS a big one, and I agree It's much worse than Heartbleed.

Why is it much worse?

because unlike Heartbleed it's a lot easier to exploit and affects as many or more systems as Heartbleed

@FZ: Ha, irony! "Shit I have no clue about" probably describes 90% of my posts on web forums.

(More seriously, there is not a single day at work when I actually really feel like I know what I'm doing. It's all entirely by the seat of my pants, all day, every day. The only thing I'm an expert at is Googling.)

@Sigma: yeah, I saw that. For the moment we're all SOL. Sigh.

Just remember, it's not always fluff. Sometimes you might hit one that's true.
about 10% or less of the time

According to Sigma, this one may just be real.

Fortunately none of my Internet facing stuff has any stuff that needs BASH on it. My web servers either run IIS or Weblogic,
I'm waiting for the BASH developers to make a good enough fix and then it's patching time for at least 20 servers. MEH.

Rommie wrote:O, te is magyar vagy? Nagyszeru!

Ai don sink zo!

I love where this vulnerability crops up though. I mean, web servers! DHCP clients! Wow!

It's only one of the primary rules of UNIX security that you never ever hand unsanitized data from untrusted sources off to the command shell, because the shell may be fooled into doing anything with it. I have a book on shell scripting with a whole chapter basically devoted to this, and you can find documentation about it everywhere, e.g. Perl textbooks telling you to use

system qw(/path/to/command arg1 arg2 ...)

instead of

system("/path/to/command arg1 arg2 ...")

in privileged scripts, because the latter runs the command via the shell, which usually means someone could get an interactive root shell with a little cleverness.

The "shellshock" vulnerability is that bash can be made to execute stuff in an environment variable. But to export an environment variable to bash, you have to actually run bash. Which a web server should never do by design, but Apache (on UNIX) does just that apparently.

The circus continues:

http://seclists.org/oss-sec/2014/q3/741

Fedora 20 is not vulnerable to the new variant. Ubuntu 12.04 is. Not sure yet about 14.04.

@Sigma, I hope you have some antacids on hand... As for me, I'm thinking maybe I should train for a different job. I hear that goat herding isn't bad...

Most of my stuff is patched already, still looking for a maintenance window for my VMWARE hosts, because patching the command interpreter requires a reboot