On Thu, Sep 25, 2014 at 02:58:51PM -0500, Bruce W. Martin wrote:
> I am a bit confused about this bug. What is the vector to exploit
> this? If I turn off the web server daemon is the only vector then from
> those who can log in with appropriate credentials? I have an old RHEL
> server that no longer gets updates and a debian server that suddenly
> apt-get does not seem to work. I have shut down the debian server and
> turned off the web server daemon on the old RHEL box. Does that make
> it safe as long as no miscreant can log in via ssh (no telnet daemon
> in decades)? The press seems all sensational and says this is worse
> than Heartbleed but beyond that there is not much substance in
> what I have found so far. I have updated all of my RHEL/CentOS
> 5 & 6 boxes and run the test and it says I am clean, for now.
> For my MacOS I guess I have to wait for Apple. Can I tell my
> Mac users to turn off the web server and wait for the patch
> from Apple. Not that I think any of my mac users have turned
> on the web server but it is the only thing that I have seen as
> a vector short of a login.

Part of the problem is that on any system that has bash as /bin/sh _any_
"system()" style function call goes through it.  You could have perl /
python CGIs sitting on a web site but if you can manipulate their
environment and they do a system() you're boned.  ssh forcecommands in
~/.ssh/authorized_keys have a similar issue.

There are mitigation strategies for dealing with some of this (see my
previous link which contains said workarounds) but there are also tons
of embedded web servers and such that are going to be exploitable for
many, many weeks / months / years to come.

The media in general is useless and they do so love sensationalism;
whether this is worse than Heartbleed, well, gut tells me no.  This is,
however, a very serious and credible threat as there are exploits in the
wild against it.

> Comments?

Whoever on vendorsec leaked this should be dragged outside and beaten
with a piece of rebar.




                                                        John

-- 
There is as much difference between us and ourselves as between us and others.

-- Michel de Montaigne (1533-1592) French essayist, lawyer, and politician
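
The reply's point that a CGI's environment reaches bash through any system()-style call, shown as an added example that is not part of the original message: it checks whether /bin/sh resolves to bash and drops environment values that bash would import as function definitions before a child process is started. The function names and the sample CGI environment are constructed for illustration.

```python
import os
import subprocess

# Bash treats an environment value as an exported function when it
# starts with these four characters.
FUNC_PREFIX = "() {"


def sh_is_bash(sh_path="/bin/sh"):
    """True when sh_path resolves (through symlinks) to a binary named bash."""
    return os.path.basename(os.path.realpath(sh_path)) == "bash"


def scrub_env(env):
    """Split env into (clean, dropped); dropped holds function-looking values."""
    clean, dropped = {}, {}
    for name, value in env.items():
        target = dropped if value.startswith(FUNC_PREFIX) else clean
        target[name] = value
    return clean, dropped


def run_scrubbed(argv, env):
    """Run argv without a shell, passing only the scrubbed environment."""
    clean, dropped = scrub_env(env)
    result = subprocess.run(argv, env=clean, capture_output=True, text=True)
    return result.stdout, sorted(dropped)


# Constructed CGI-style environment (not a capture). A web server copies
# request headers into HTTP_* variables, so the client controls their values.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "() { :; }; PLACEHOLDER_TRAILING_TEXT",
    "HTTP_ACCEPT": "text/html",
}

if __name__ == "__main__":
    print("/bin/sh is bash:", sh_is_bash())
    out, dropped = run_scrubbed(["env"], SAMPLE_CGI_ENV)
    print("dropped variables:", dropped)
    print(out, end="")
```

Passing an argument list to `subprocess.run` avoids /bin/sh for that call, but the scrubbed environment still matters because the child may itself call system().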
