Re: Huge bash exploit CVE-2014-6271
My RSS server picked the blog update at 10:39am
|
Re: Huge bash exploit CVE-2014-6271
Not sure how that helps, unless your Ubuntu server runs system updates off an RSS blog...
|
Re: Huge bash exploit CVE-2014-6271
It helped to answer 'your' question of when the update came out, sometime around 10am.
|
Re: Huge bash exploit CVE-2014-6271
Still not over...
Further flaws render Shellshock patch ineffective
List of PoCs for various services
Makes you wonder if GCHQ and the NSA are weeping that these have been found :p |
Re: Huge bash exploit CVE-2014-6271
---------- Post added at 14:13 ---------- Previous post was at 14:11 ----------
Literally thousands upon thousands of companies including high-end tech vendors relying on 'free' software to power their product yet nobody pays any attention to the code or contributes to development until a major flaw is found. Then all of a sudden everyone starts caring and paying attention and dozens upon dozens of ancient flaws come to light...
---------- Post added at 15:43 ---------- Previous post was at 14:13 ----------
Here's something else I'm concerned about - it looks like Ubuntu aren't going to release fixed versions for even their second most recent edition (13.10) or the one before that (13.04) which I expect will leave a lot of vulnerable systems unpatched. Sure, servers should be running LTS but I know a good few that aren't. Redhat on the other hand have just about patched everything released in the last decade. |
Re: Huge bash exploit CVE-2014-6271
But you pay for Redhat while Ubuntu is free.
OpenSuse and Mint have patches for both, whether this secures things remains to be seen. It does highlight a big issue in testing. Most testing works through scenarios to show the program works as expected. It doesn't (and realistically can't) test for it behaving "badly". One way to do that is to give it to a group of children/teens and just let them loose, maybe add a bit of hacking/cracking resource to show what can be done. This won't necessarily cover all the bases but it will cover some of them. Too many times I've seen code released fail because a user does something unexpected that's not catered for, some take great pleasure in trying this. |
Re: Huge bash exploit CVE-2014-6271
Well, I don't pay for RedHat, plus the upstream fixes from RedHat make it into CentOS (which is completely free) as well.
That said I personally (when I used to write software anyway) made a habit of always testing each step or function of everything I wrote with broken or invalid data just to make sure it was fully robust, and also making sure every possible exception thrown gave some sort of human-readable error message. I'm guessing that's also what the security researchers discovering these holes are doing. |
Re: Huge bash exploit CVE-2014-6271
The first two patches do stop those holes being used but the new vulnerability found isn't much different yet does get through. They should really take the plunge and just release a patch which stops Bash parsing the data itself, even if it breaks some setups. Not that hard for them to do it for the other versions too.
Bash is ancient so when it was made no one was thinking about security. Not even sure if the usual automatic fuzzing methods would have found these particular holes, not that they were about back then anyway. |
Re: Huge bash exploit CVE-2014-6271
Some sites that will test URLs for various methods of exploiting this:
http://www.shellshocktest.com/
http://shellshock.brandonpotter.com/
http://bashsmash.ccsir.org/
Can't 100% vouch for the trustworthiness of these sites and what they do with the test results, so use of your own back. Don't think there will be any issues using them though.
If you are using Debian or Ubuntu and are worried doing all the upgrades may break things, you can use this to just update bash:
Code:
sudo apt-get update && sudo apt-get install --only-upgrade bash
|
Re: Huge bash exploit CVE-2014-6271
Similarly for Redhat/CentOS:
yum update bash
Pretty easy, and tbh, anyone managing any sort of environment where auto-updates aren't feasible should know this stuff off by heart anyway. |
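Added example, not part of either post above: the two bash-only upgrade commands from those posts wrapped in one script that picks the right one and prints the installed bash package version before and after, so you can confirm the update landed. The function names and the DRY_RUN variable are made up for illustration, and the script assumes it is run as root.

```shell
#!/bin/sh
# Added example: upgrade only the bash package on Debian/Ubuntu or Red Hat/CentOS.
# Function names and the DRY_RUN variable are hypothetical, not from the thread.

# Print which supported package manager is on PATH: "apt", "yum" or "none".
detect_pkg_manager() {
    if command -v apt-get >/dev/null 2>&1; then
        echo apt
    elif command -v yum >/dev/null 2>&1; then
        echo yum
    else
        echo none
    fi
}

# Print the bash-only upgrade command for a manager (commands taken from the posts).
bash_upgrade_command() {
    case "$1" in
        apt) echo "apt-get update && apt-get install --only-upgrade bash" ;;
        yum) echo "yum update bash" ;;
        *)   return 1 ;;
    esac
}

# Print the installed bash package version so before and after can be compared.
installed_bash_version() {
    case "$1" in
        apt) dpkg-query -W -f='${Version}\n' bash ;;
        yum) rpm -q bash ;;
    esac
}

# Upgrade bash only; with DRY_RUN=1 just print what would be run.
upgrade_bash_only() {
    mgr=$(detect_pkg_manager)
    cmd=$(bash_upgrade_command "$mgr") || { echo "unsupported system" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $cmd"
        return 0
    fi
    echo "before: $(installed_bash_version "$mgr")"
    sh -c "$cmd" || return 1
    echo "after:  $(installed_bash_version "$mgr")"
}

# Only act when explicitly asked, e.g.: DRY_RUN=1 sh upgrade-bash.sh --run
if [ "${1:-}" = "--run" ]; then upgrade_bash_only; fi
```

If the "before" and "after" lines are identical, the repository had nothing newer to offer and the box is still on whatever bash build it had.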
Re: Huge bash exploit CVE-2014-6271
VMware Bash bulletin, showing which of their products need patching and if they have released the patch
|
Re: Huge bash exploit CVE-2014-6271
Glad most of my employer's products have no CGI in the web interface and no access to BASH without having a level of access to the CLI which gives root on BASH via a standard CLI command anyway.
Still have flappy customers contacting daily asking for patches, naturally, but pointed out that the steady flow of CVEs means they either wait a couple of days and get one roll-up patch or they have the pleasure of a .3, .4, .5, .6... etc version and disrupt their production networks repeatedly. |
Re: Huge bash exploit CVE-2014-6271
Apple finally released their Shellshock fix yesterday too, after several days' delay, Citrix seems to think it's a non-issue |
Re: Huge bash exploit CVE-2014-6271
Well here's how to do a vulnerable server via XSS. *Sigh*
https://www.cableforum.co.uk/images/...10/1.png:large |
All Posts and Content are © Cable Forum