And finally we have a Linux 'virus' -- Shellshock, the BASH vulnerability. — Parallax Forums


LoopyByteloose Posts: 12,537
edited 2014-09-28 10:20 in General Discussion
My primary passion for Linux has been that the hostile hackers of the world have tended to go after XP and Windows products in an effort to get more access due to just having more in use. Asia is a cesspool of Windows hacks, so I have been dodging the majority.

But the latest news is that Bash has a vulnerability that might be serious for servers, maybe even Linux routers. I am not sure there is even an adequate fix at this point. A friend sent me copies of notices from SF LUG that at first claimed the issue was resolved and then retracted that email.

Having a dual boot means that if I must, I can always stay off Linux and use my Windows 7 for on-line browsing. But I am not sure what exactly to do about my Linux router.

So far, it seems my recent shift to Debian might have been lucky. Debian calls DASH, not BASH for its shell applications. It may be that is enough to get by for now.

http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

Comments

  • Heater. Posts: 21,230
    edited 2014-09-28 01:17
    Loopy,

    Old news. You missed this thread re: shell shock http://forums.parallax.com/showthread.php/157570-Shellshock’-Threatens-500M-Computers-(Linux-MacOSX)


    One should never assume one's operating system is impregnable, despite how fans shout about the safety of Linux. Security vulnerabilities are bugs. Software has bugs. Ergo you are not safe.

    One should never assume no one is interested in getting into your machine.

    Your Linux router running OpenWRT is not susceptible to this hack. OpenWRT uses Ash not Bash. See this OpenWRT discussion:
    https://forum.openwrt.org/viewtopic.php?id=52937

    The shift to Debian was wise not lucky:)

    However Debian was also vulnerable. Debian does not use Dash it uses Bash. Or at least my boxes do:
    $ /bin/bash --version 
    GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)
    
    This was already fixed in Debian a day or so ago. A quick "apt-get update; apt-get upgrade" should do the job for you.

    It's interesting to test for the vulnerability before upgrading and again afterwards. See post #9 of the other shell shock thread here that I linked to above.

    Relax, this is not news it's history already.

    But do keep an eye out for the next possible exploit that will be unearthed at some point.


    P.S. Shell shock is not a worry unless an outsider can get to your shell somehow. Seems the shell is used a lot when serving up web pages with CGI. So if you are not running a web server you are safe from the main attack vector.

    Are there other ways outsiders get to run your shell somehow?
  • Tor Posts: 2,010
    edited 2014-09-28 07:06
    Actually all my Debian SID boxes forcibly change /bin/sh to point to /bin/dash whenever there's an update related to shells or something bigger. In any case, as many of us prefer to change that back to bash.. it would be a problem. If that box was an externally visible Apache box, and if that box was serving CGI scripts (and the attacker found the URL for those - not too difficult) and if that Apache box had not been set up with fairly standard attack protection (which would have caught this problem too, because the character sequence needed to initiate the attack is common, also for totally different attack vectors). Corporate-type firewalls also tend to have that kind of protection. Because of this the effect of the shellshock problem seems to have not reached the proportions it could have. Because it was incredibly simple to use it against systems that were truly vulnerable.

    Your general Linux or Unix box was never vulnerable even if connected to the internet.

    In any case, it was quickly fixable. There was more than one fix, but the first one was adequate for blocking the problem until a slightly better fix could be deployed (less than a day later).

    And finally, this was absolutely not a virus. It was an attack vector through a vulnerability. There was not something that could spread by "infecting" one machine. And it was not a worm. It was not even a trojan. So systems had to be attacked one-by-one. If there has ever been a real Unix/Linux virus in the wild I've not heard about it.
  • Heater. Posts: 21,230
    edited 2014-09-28 07:22
    Tor,

    Yes, it seems to be a storm in a tea cup.

    Certainly this is not a virus, worm or trojan or whatever people like to call these things nowadays. However, given that it allows code to be injected into your system by an outsider, it is a potential hole and perhaps it could be developed into such malware. Of course it will be fixed everywhere before that happens.

    We have some servers still running Debian 5 (Lenny) that are vulnerable according to the simple test. Hope no one gets in there before our guys can do some fixing on Monday.
  • Electrodude Posts: 1,658
    edited 2014-09-28 10:20
    With good security (like what you normally find on a server), Shellshock still shouldn't be enough to do any real damage. Just because you have shell access doesn't mean you can actually do anything with it. CGI scripts should (and I'm sure usually do) run in sandboxed environments.
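
Tor's comment says ordinary request filtering would have caught the character sequence involved, and Heater's points to CGI as the main route to the shell. The following is an added example, not code from any poster in this thread: it scans Apache combined-format access-log lines for the Bash function-definition prefix `() {` in the fields a client controls. The `scan` helper, the sample lines, the addresses and the placeholder text are all constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped characters.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<referer>{QUOTED})" "(?P<agent>{QUOTED})"$'
)

# Heuristic: "()" followed by optional whitespace and "{" in client input.
FUNC_PREFIX = re.compile(r'\(\)\s*\{')

# CGI copies these client-supplied values into environment variables.
CLIENT_FIELDS = ("request", "referer", "agent")


def scan(lines):
    """Return (line_number, host, field) for each client field that matches.

    Lines that do not parse are checked as a whole and reported with
    host None and field "raw", so malformed entries are not ignored.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        m = COMBINED.match(line)
        if not m:
            if FUNC_PREFIX.search(line):
                hits.append((n, None, "raw"))
            continue
        for field in CLIENT_FIELDS:
            if FUNC_PREFIX.search(m.group(field)):
                hits.append((n, m.group("host"), field))
    return hits


# Constructed sample lines: documentation addresses, placeholder payload text.
SAMPLE = [
    '192.0.2.10 - - [28/Sep/2014:07:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Sep/2014:07:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 80 "-" "() { :; }; constructed-placeholder"',
    '203.0.113.5 - - [28/Sep/2014:07:03:05 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "() {  :;}; constructed-placeholder" "curl/7.38"',
    '192.0.2.10 - - [28/Sep/2014:07:04:00 +0000] "GET /docs/f().html HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    'truncated entry () { constructed-placeholder',
]

if __name__ == "__main__":
    for n, host, field in scan(SAMPLE):
        print(f"line {n}: host={host} function-definition prefix in {field}")
```

A combined-format log records only the request line, referer and user agent, so a match here is a sign of probing, while a clean log says nothing about other request headers.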