Linked by Thom Holwerda on Fri 26th Sep 2014 05:00 UTC
Privacy, Security, Encryption

By now you may have heard about a new bug found in the Bash shell. And unless you're a programmer or security expert, you're probably wondering if you should really worry. The short answer is: Don't panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices.

This bug, baptized "Shellshock" by Security Researchers, affects the Unix command shell "Bash," which happens to be one of the most common applications in those systems. That includes any machine running Mac OS X or Linux.

A very simple and straightforward explanation of this major new security issue. The OSNews servers were updated yesterday.

Thread beginning with comment 596916
To read all comments associated with this story, please click here.
Routers
by PhilPotter on Fri 26th Sep 2014 08:02 UTC
PhilPotter
Member since:
2011-06-10

Whilst this is a serious bug no doubt, the only way it could be accessed externally from a router is if someone had an unencrypted telnet port running with no authentication required, or something along those lines. In that instance, they have bigger problems than a little bash bug in my opinion - a port exposed on the WAN interface with which someone can access bash directly. Not good, but otherwise I can't see the fuss here.

Edited 2014-09-26 08:03 UTC

Reply Score: 4

RE: Routers
by bitwelder on Fri 26th Sep 2014 09:25 in reply to "Routers"
bitwelder Member since:
2010-04-27

Another option is if they have the router administration Web UI open on the WAN port, and the webserver allows CGI shell scripts.
But then again, leaving a web admin interface open on the WAN is already a bad idea, security wise.

Reply Parent Score: 7

RE[2]: Routers
by PhilPotter on Fri 26th Sep 2014 10:39 in reply to "RE: Routers"
PhilPotter Member since:
2011-06-10

Good point, but like you say, a nightmare anyway security wise.

Reply Parent Score: 2

RE[2]: Routers
by snorkel2 on Fri 26th Sep 2014 16:56 in reply to "RE: Routers"
snorkel2 Member since:
2007-03-06

The CGI scripts have to be written in bash or another language that spawns a bash shell.
They can't exploit this without a bash script already being present in the cgi-bin directory.
If they have already gained access to put a script in cgi-bin you have bigger problems.

They are making this into a bigger deal than it really is.

Reply Parent Score: 5

RE: Routers
by Soulbender on Fri 26th Sep 2014 12:38 in reply to "Routers"
Soulbender Member since:
2005-08-18

It could also be exploited if you have a web app or similar that runs something with a bash shell. Of course, you should never run anything with a shell and instead use things like exec but that's never stopped people from doing it.

Reply Parent Score: 3

RE: Routers
by ilovebeer on Fri 26th Sep 2014 15:09 in reply to "Routers"
ilovebeer Member since:
2011-08-08

Whilst this is a serious bug no doubt, the only way it could be accessed externally from a router is if someone had an unencrypted telnet port running with no authentication required, or something along those lines. In that instance, they have bigger problems than a little bash bug in my opinion - a port exposed on the WAN interface with which someone can access bash directly. Not good, but otherwise I can't see the fuss here.

You should never underestimate the stupidity of a Linux user much the same as with a Windows user, or any other kind of user who is reckless and/or messes with stuff just because.

Reply Parent Score: 3