UNIX/Linux/MacOS X bash Major Security Hole

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
492
Location
Virginia
3 articles:

http://arstechnica.com/security/2014...with-nix-in-it

http://www.zdnet.com/unixlinux-bash-...red-7000034021

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln


From the boffins at The Register, "A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the wider internet.It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers".
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,302
Location
I am omnipresent
Updated binaries are already coming online.
As I understand it, the issue is that the OSes in question are set up with environment variables that invoke /bin/bash. It's not simply a problem of someone somehow remotely invoking a shell script; the systems will probably do it on their own as normal operation. Even the most attentive admin in the world probably never went back and re-wrote those scripts for ksh or zsh.

I suspect this is going to be a problem for networked appliances and embedded systems for years to come.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
Hmmm...so ESXi must be affected to. We have several setups running on this at many customers' locations.

All the servers I maintain at the office run on Server 2012 R2, so I'm clear on this one. Except my two VM that only crunch FAH units. I'll update them during the week-end if a fix becomes available.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,358
Location
Gold Coast Hinterland, Australia
This one actually made the morning news show here in Oz... Except it was completely incorrect (noting all systems including windows were affected), that AV will pick up malicious actions, etc...

But it was nice to see most Linux distro's packaging the fix very rapidly... (All our systems at work were patched yesterday, not that any affected systems were internet facing).

Like Merc mentions, this will be a problem with lots of embedded devices, and I wonder how many el-cheapo (and not so cheap) web hosting services are going to be hit as well, since you're relying on their admins to patch the system?
 
Top