GNU Bash Shellshock Hits

If your servers pass both of the following tests, we may be safe, for now:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
$ env X='() { (a)=>\' bash -c "echo ls"; cat echo
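The two checks above can be wrapped so they run in a scratch directory and give a single answer per shell binary. This is an added example, not part of the original post; the function names and the pass/fail strings are illustrative. A shell passes when the first check does not print "vulnerable" and the second leaves no file named "echo" behind.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# pass/fail strings are illustrative.

# shellshock_check SHELL_BINARY   (a name on PATH or an absolute path)
# Prints "pass", "fail:first", "fail:second" or "missing".
shellshock_check() {
    target=${1:-bash}
    command -v "$target" >/dev/null 2>&1 || { echo missing; return 2; }
    # The second check makes an affected bash write a file named "echo"
    # into the current directory, so run everything in a scratch directory.
    scratch=$(mktemp -d) || return 2
    result=pass

    # First check: an affected bash prints "vulnerable" before the test line.
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' \
        "$target" -c "echo this is a test" 2>/dev/null) || true
    case $out in
        *vulnerable*) result=fail:first ;;
    esac

    # Second check: a patched shell just prints "ls"; an affected bash
    # leaves a file called "echo" behind.
    if [ "$result" = pass ]; then
        (cd "$scratch" && env X='() { (a)=>\' \
            "$target" -c "echo ls" >/dev/null 2>&1) || true
        if [ -e "$scratch/echo" ]; then result=fail:second; fi
    fi

    rm -rf "$scratch"
    echo "$result"
    [ "$result" = pass ]
}

# check_shells_file [FILE]: run both checks on every shell listed in FILE
# (default /etc/shells), one "path<TAB>result" line per shell.
check_shells_file() {
    grep -Ev '^[[:space:]]*(#|$)' "${1:-/etc/shells}" |
    while read -r shell_path; do
        printf '%s\t%s\n' "$shell_path" "$(shellshock_check "$shell_path")"
    done
}
```

Run `shellshock_check bash` for one binary, or `check_shells_file` to see which of the installed login shells pass before switching away from bash.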

However, I don’t think GNU bash as well as other Linux distros can provide a solid patch in the upcoming few days.

IMO, if we don’t limit ourselves to bash – which is the default shell in most Linux distros – we can switch to other shells like the C/K/Z shells in the meantime.

Bash Shellshock-based botnets are in the wild.

Bash Shellshock is even more dangerous than SSL Heartbleed because it will be exploited to the core, a shell of the OS.

As of 2014/10/03, patches for bash Shellshock seem not to resolve the root cause of the bugs. I guess that more and more patches are coming.

See these links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
