Make sure you update linux and ios!


Subject: Re: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the internet, such as a web server, there is no urgency.

Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.

-- Richard

Reply to
Richard Tobin

and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

But the first question is: do hackers have a method to exploit on your systems?

Reply to
Tim Watts

In message , Tim Watts writes

No, my first question is: If I have a Linux based router, does bash exist in it, and could someone use this to get inside it? Second question is where do I look for a patch if I need one? Nothing appeared in Mint today when I ran System Update.

I only do "stupid person" questions.

Reply to
Bill

Usually such routers use busybox instead of bash, I doubt that busybox provides bug-for-bug compatibility in cases like this (not that I've checked).

Oh, you mean a self installed distro installed as a router, rather than a flash based openWRT type? almost certain you will have bash, but something needs remotely exploitable way to set a "hooky" environment variable before spawning out to something innocent ... still waiting for centOS to release fixes :-(

Reply to
Andy Burns

Yes. They're already trying. I've seen lots of interesting 'tests' so far, e.g. trying to run the eject command - I'm sure some sysadmins are going to find racks of servers with CD/DVDs wide open soon...

Gordon

Reply to
Gordon Henderson

In article , Andy Burns wrote:

Patched all our CentOS systems today, from v5.10 to v6.5

hint: 'yum -q update bash'

Reply to
Mike Tomlinson

Result of the above code is:-

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

My openSUSE systems were patched yesterday, the 24th.

Reply to
J.B.Treadstone

grannies and eggs ;-)

installed version is 3.2-25
latest available update is 3.2-32
fixed version is 3.2-33

Reply to
Andy Burns

I have 100 odd webservers - I have disabled mod_cgi* for tonight.

Nagios is not over screamy (odd service down). We don't have much CGI, mod_php is supposed to not be trivially vulnerable. Most of the systems we have are either tomcat or django, but the latter uses mod_wsgi and I am a little worried about that - need to construct some tests.

I'm not one to be over panicky but if something can be done quickly and easily to mitigate, I will.

I think in reality it's going to need a peculiar combination of factors and attacks to yield fruit. If you think about it, the "worst" they can do on the surface is run a shell as the web user on your system. The question then is: "how much does that matter?"

In a world of reasonably written web apps that are installed correctly (ie not self-writable script directories) that do not have sensitive data, that might get a DOS at worst or leak some boring stuff.

However, a long long time ago, we had one somewhere I used to work at exactly the same time the ptrace bug came out - that web server got rooted. Very unlucky... So really bad things are not totally impossible.

Reply to
Tim Watts

Debian 7 is fine today too.

Bit annoyed that I have to go to the LTS repos for debian 6...

Reply to
Tim Watts

No, sorry to be unclear. I meant is a standalone router vulnerable, and separately is Mint vulnerable?

For the record, I ran the gui check for updates procedure yesterday and updated. I have just run the test code as referred to here and it prints vulnerable This is a test.

I am a complete idiot running Mint, CentOS and Ubuntu on various machines here. There will be others as dumb as me. I assume I have to work out how to patch Mint independently of the normal update procedure.

Reply to
Bill

Embedded type router not likely to run bash, so unlikely

Mint - is the machine reachable from the net? (any ports 80,25,22 etc forwarded to it from your router?)

Reply to
Andy Burns

y

Does centos have sensible filesystem support now? Trying to use usbs on it with the usual FSes (nt, fat32, ext3, ext4) was a mare.

NT

Reply to
meow2222

Must be a lot of lagged mirrors out there, I'd done "yum clean all" about half a dozen times to let it try others, no joy, in the end went straight to mirrorservice.org to get the rpm .-)

Reply to
Andy Burns

Oops. Debian: 'We recommend that you upgrade your bash packages.' Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?

NT

Reply to
meow2222

grepping the last few days access_log for "()" and ":;" only turned up three hits ... one looks whitehat probed us twice, its user agent refers to

formatting link

another one is a bit less open about what it's doing and who's behind it, but still only seems to be trying to build a list of pings from vulnerable servers, rather than actually exploiting anything.

I don't know if our servers did ping them back or not, but they're patched now, technique seems to be bung the () { :; } function into various HTTP headers hoping they'll end up in environment variables and then some CGI etc spawns a shell ...

Reply to
Andy Burns
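
The log check described in the post above, as an added example that is not part of the original thread: instead of grepping for "()" and ":;" separately, it looks for the "()" immediately followed by "{" inside the quoted request, Referer and User-Agent fields, and reports which field carried it. It assumes Apache "combined" log format; the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find access-log entries carrying the "() {" function-definition
# prefix in a quoted field. Assumes Apache "combined" format. The log only shows
# that a probe arrived, not whether anything was executed.

# Constructed sample lines (documentation addresses, the thread's own test string).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:05:40 +0100] "GET /cgi-bin/status HTTP/1.0" 200 97 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:05:41 +0100] "GET / HTTP/1.0" 200 512 "() { :; }; echo vulnerable" "-"
203.0.113.5 - - [25/Sep/2014:11:00:00 +0100] "GET /search?q=f() HTTP/1.1" 200 300 "-" "curl/7.30"
EOF
}

# Print "source-ip field http-status" for each quoted field containing "()" + "{".
# Splitting on double quotes gives: $2 request line, $4 Referer, $6 User-Agent.
# Fields that themselves contain escaped quotes will shift; treat hits as leads.
scan_log() {
  awk -F'"' '
    BEGIN { name[2] = "request"; name[4] = "referer"; name[6] = "user-agent" }
    {
      split($1, a, " "); ip = a[1]          # first token of the line
      split($3, s, " "); status = s[1]      # status code follows the request
      for (i = 2; i <= 6; i += 2)
        if ($i ~ /\(\)[ \t]*[{]/)
          print ip, name[i], status
    }' "$@"
}

# Number of flagged fields per source address.
count_by_ip() {
  scan_log "$@" | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Stand-alone run over the constructed sample; pass a real log path to scan_log instead.
sample_log | scan_log
```

The fourth sample line contains "()" in a query string but no following "{", so it is not reported, which is the false positive a bare grep for "()" would produce.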

In message , Andy Burns writes

Dunno, but one of the IP cameras I'm working with is using port 80 for access.

To make the point again, I am not an expert. I am struggling to remember command line type things, so I rely on the gui implementations. The camera must be running a server of some sort internally. Might it be running Linux? Might I have accessible ports from the router on the machine or some piece of hardware on the system? What about people controlling home automation system from their iPhone - would any of these use specific ports and be running Linux?

I see someone here has queried AVLInux. I'm running that extensively here, too, although not for the last weeks.

Reply to
Bill

If you make sure your apache and tomcat run in a nicely "jailed" environment, then you limit the damage that can be done quite a bit.

Reply to
John Rumm

quite likely, but again, if it has any shell it's likely to be busybox, rather than bash - so not vulnerable

embedded systems (routers, thermostats, weather stations etc unlikely to have bash on them)

Reply to
Andy Burns
