New 'Bash' software bug may pose bigger threat than 'Heartbleed'


#1

(Reuters) - A newly discovered security bug in a widely used piece of Linux software, known as “Bash,” could pose a bigger threat to computer users than the “Heartbleed” bug that surfaced in April, cyber experts warned on Wednesday.


#2

Yes, this is a really bad exploit; make sure to update your repos etc. For your routers and hubs, that's another matter. Cheers for posting (latest Ubuntu machines seem OK).


#3

"Tavis Ormandy, a Google Inc (GOOG.O) security researcher, said via Twitter that the patches seemed “incomplete.” Ormandy could not be reached to elaborate, but several security experts said a brief technical comment provided on Twitter raised concerns.

“That means some systems could be exploited even though they are patched,” said Chris Wysopal, chief technology officer with security software maker Veracode."

Gonna have to keep a close eye on this as it develops…


#4

Everything you need to know about the Shellshock Bash bug

Introduction:

Remember Heartbleed? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be a biggie and as I did with Heartbleed, I wanted to put together something definitive both for me to get to grips with the situation and for others to dissect the hype from the true underlying risk.


#5

Notes:

  • The following relates to personal computers running Linux (but note many Windows machines will have bash installed as part of other packages).
  • Websites and routers (because many routers have a built-in web server) may also be vulnerable, so don't forget to test / patch those if you manage any.

How to patch Shellshock bash security hole

If you are on the standard update channel, this will be enough, but run the test afterwards to check:

sudo apt-get update && sudo apt-get upgrade

To test, run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

And if you get these errors you’re ok:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you have built MaidSafe

If you are building MaidSafe you have probably disabled security updates by messing with the repos, in which case the above will not work.

The following works on Ubuntu 14.04 (tested on Odroid-U3) and Linux Mint Debian Edition (LMDE).

sudo -i
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

#download all patches (the official patches are numbered from 001; there is no bash43-000)

for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3

#apply all patches (they live one directory up, in src)

for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done

#build and install

./configure && make && make install

#back out of bash-4.3 and src, then remove the build tree

cd ..
cd ..
rm -r src

Then run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

And if you get these errors you’re ok:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Credits:


#6

Shellshock not so bad after all - for Debian & Ubuntu - UPDATE

Debian and Ubuntu's default non-interactive shell (/bin/sh) is dash, so they are not vulnerable except in rare situations - http://www.dwheeler.com/essays/shellshock.html
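Added example, not code from this thread, from the quoted articles, or from MaidSafe: a POSIX shell checker that wraps the one-liner from post #5, adds the public follow-on test for the "incomplete patch" that post #3 worries about (the first fix was CVE-2014-6271; the parser bug left behind was CVE-2014-7169), and reports via exit status instead of asking you to eyeball warnings, so it can be run across a fleet of hosts and routers. It also reports what /bin/sh resolves to, which is the point post #6 makes about dash. The function names and the fake "vulnerable" shell used to demonstrate detection on an already patched host are my own; the two test strings are the widely published ones.

```shell
#!/bin/sh
# Shellshock checker (added example, not from the thread or MaidSafe).
# Exit status of shellshock_check:
#   0 = neither test triggers
#   1 = vulnerable
#   2 = the named shell binary was not found
# Function names and the fake-shell helper are this example's own.

# Test from post #5 (CVE-2014-6271): an exported variable whose value starts
# with "() {" is imported as a function, and unpatched bash also executes
# whatever follows the closing brace. Patched bash prints a warning on stderr
# and runs only the -c command, so "vulnerable" never reaches stdout.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Follow-on bug behind the "incomplete patch" remark in post #3
# (CVE-2014-7169): a crafted value leaves a stray redirection behind, so
# "echo date" runs date and writes its output to a file literally named
# "echo". Run it in a scratch directory and look for that file.
check_7169() {
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$1" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then found=1; else found=0; fi
    rm -rf "$scratch"
    return $found
}

# Run both checks against one shell (default: whatever "bash" resolves to on
# PATH). Pass an explicit path such as /bin/bash to check a specific binary.
shellshock_check() {
    target="${1:-bash}"
    command -v "$target" >/dev/null 2>&1 || return 2
    check_6271 "$target" || return 1
    check_7169 "$target" || return 1
    return 0
}

# Post #6's point: on Debian and Ubuntu /bin/sh is dash, so programs that go
# through system(3)/popen(3) never reach bash unless they name it explicitly.
# Report what /bin/sh resolves to on this host (informational only).
default_sh_target() {
    if [ -L /bin/sh ]; then readlink /bin/sh; else printf '%s\n' /bin/sh; fi
}

# Stand-in "shell" that behaves like unpatched bash for the first test
# (prints "vulnerable"), so the detection logic can be exercised on an
# already patched host. Prints the path of the fake binary; the caller
# removes its directory when done.
make_fake_vulnerable_shell() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\nprintf "vulnerable\\nthis is a test\\n"\n' > "$dir/fakesh"
    chmod +x "$dir/fakesh"
    printf '%s\n' "$dir/fakesh"
}

# Stand-alone run: report on this host's bash and /bin/sh.
for s in bash /bin/sh; do
    rc=0; shellshock_check "$s" || rc=$?
    case $rc in
        0) echo "$s: not vulnerable" ;;
        1) echo "$s: VULNERABLE" ;;
        2) echo "$s: not found" ;;
    esac
done
echo "/bin/sh -> $(default_sh_target)"
```

Two practical notes. The source build in post #5 runs `make install` with bash's default prefix, which puts the new binary in /usr/local/bin, not /bin; `bash` on root's PATH will usually pick that one up, but anything that execs /bin/bash by absolute path still gets the old binary, so run `shellshock_check /bin/bash` as well as plain `shellshock_check bash`. The CVE-2014-7169 test really does create a file on a vulnerable shell, which is why the check runs it inside a throwaway directory rather than wherever you happen to be.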