Re: Shellshock: 'Deadly serious' new vulnerability found


WaltS48
On 09/25/2014 10:08 AM, Charles Lindbergh wrote:
> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>
> Shellshock: 'Deadly serious' new vulnerability found
>
> http://www.bbc.com/news/technology-29361794
>


Don't know about my router, but I checked my system and it is OK.

--
Sponsored by Firefox 33.0b7 and Thunderbird 31.1.2
GO Bucs, Steelers, Pitt, Pens, Bills and Sabres!
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general

Re: Shellshock: 'Deadly serious' new vulnerability found

Dave Warren-2
In the last episode of <[hidden email]>, David Hume
<[hidden email]> said:

>WaltS48 <[hidden email]> writes:
>
>> On 09/25/2014 10:08 AM, Charles Lindbergh wrote:
>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>
>>> Shellshock: 'Deadly serious' new vulnerability found
>>>
>>> http://www.bbc.com/news/technology-29361794
>>>
>>
>>
>> Don't know about my router, but I checked my system and it is OK.
>
>What system are you using?

I primarily run FreeBSD, and Windows. While I have a couple Linux boxes
that are theoretically exploitable, there's no access to bash from any
remote site/service, so the odds of a successful exploit are very low.

Others will have different luck.

Re: Shellshock: 'Deadly serious' new vulnerability found

RM
In reply to this post by WaltS48
Charles Lindbergh decreed, Read These Runes!:

> On Thu, 25 Sep 2014 10:18:21 -0400, WaltS48 <[hidden email]> wrote:
>
>>On 09/25/2014 10:08 AM, Charles Lindbergh wrote:
>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>
>>> Shellshock: 'Deadly serious' new vulnerability found
>>>
>>> http://www.bbc.com/news/technology-29361794
>>>
>>
>>
>>Don't know about my router, but I checked my system and it is OK.
>
>
> How did you "check" your system?

Couple of test cases here:

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

--
"I used to think that the brain was the most wonderful organ in my
body.  Then I realized who was telling me this."
                -- Emo Phillips

Re: Shellshock: 'Deadly serious' new vulnerability found

David E. Ross-3
In reply to this post by WaltS48
On 9/25/2014 7:08 AM, Charles Lindbergh wrote:
> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>
> Shellshock: 'Deadly serious' new vulnerability found
>
> http://www.bbc.com/news/technology-29361794
>

From what I have read, this can affect firmware in routers.  Does anyone
know which routers are affected?

--
David E. Ross

I am sticking with SeaMonkey 2.26 until saved passwords can
be used when autocomplete=no.  See
<https://bugzilla.mozilla.org/show_bug.cgi?id=1064639>.

Re: Shellshock: 'Deadly serious' new vulnerability found

Ed Mullen-9
David E. Ross wrote:

> On 9/25/2014 7:08 AM, Charles Lindbergh wrote:
>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>
>> Shellshock: 'Deadly serious' new vulnerability found
>>
>> http://www.bbc.com/news/technology-29361794
>>
>
>  From what I have read, this can affect firmware in routers.  Does anyone
> know which routers are affected?
>

Did a few searches and found little of use.

Solution?

OMIGOD!!! RUN AROUND!!!  SMACK MY FACE INTO THE WALL!!!  UNPLUG
EVERYTHING IN THE HOUSE FROM THE INTERNET!!!

Sigh.

Since 1982 I have had exactly ONE infection.  Back when protections were
scant, probably around 1990 or so.  Took me about an hour to get rid of it.

I take security seriously but it gets old when every time something like
this comes out all of these "omigodtheworldisending!" articles come out.

--
Ed Mullen
http://edmullen.net/
Artificial intelligence is no match for natural stupidity

Re: Shellshock: 'Deadly serious' new vulnerability found

WaltS48
In reply to this post by WaltS48
On 09/25/2014 10:28 AM, David Hume wrote:

> WaltS48 <[hidden email]> writes:
>
>> On 09/25/2014 10:08 AM, Charles Lindbergh wrote:
>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>
>>> Shellshock: 'Deadly serious' new vulnerability found
>>>
>>> http://www.bbc.com/news/technology-29361794
>>>
>>
>>
>> Don't know about my router, but I checked my system and it is OK.
>
> What system are you using?
>


openSUSE 13.1 Linux

--
Sponsored by Firefox 33.0b7 and Thunderbird 31.1.2
GO Bucs, Steelers, Pitt, Pens, Bills and Sabres!

Re: Shellshock: 'Deadly serious' new vulnerability found

WaltS48
In reply to this post by WaltS48
On 09/25/2014 10:36 AM, Charles Lindbergh wrote:

> On Thu, 25 Sep 2014 10:18:21 -0400, WaltS48 <[hidden email]> wrote:
>
>> On 09/25/2014 10:08 AM, Charles Lindbergh wrote:
>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>
>>> Shellshock: 'Deadly serious' new vulnerability found
>>>
>>> http://www.bbc.com/news/technology-29361794
>>>
>>
>>
>> Don't know about my router, but I checked my system and it is OK.
>
>
> How did you "check" your system?
>


Used the code from this article in Konsole.

[Bash Bug “Shellshock” Is as Large an Issue as Heartbleed -
Softpedia](http://news.softpedia.com/news/Bash-Bug-Shellshock-Is-As-Large-An-Issue-As-Heartbleed-459913.shtml)


--
Sponsored by Firefox 33.0b7 and Thunderbird 31.1.2
GO Bucs, Steelers, Pitt, Pens, Bills and Sabres!

Re: Shellshock: 'Deadly serious' new vulnerability found

»Q«
In reply to this post by Ed Mullen-9
In <news:[hidden email]>,
Charles Lindbergh <[hidden email]> wrote:

> On Thu, 25 Sep 2014 18:33:08 -0500, Ed Mullen <[hidden email]>
> wrote:
>
> >David E. Ross wrote:
> >> On 9/25/2014 7:08 AM, Charles Lindbergh wrote:
> >>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
> >>>
> >>> Shellshock: 'Deadly serious' new vulnerability found
> >>>
> >>> http://www.bbc.com/news/technology-29361794
> >>
> >>  From what I have read, this can affect firmware in routers.  Does
> >> anyone know which routers are affected?
> >>
> >
> >Did a few searches and found little of use.
> >
> >Solution?
> >
> >OMIGOD!!! RUN AROUND!!!  SMACK MY FACE INTO THE WALL!!!  UNPLUG
> >EVERYTHING IN THE HOUSE FROM THE INTERNET!!!
> >
> >Sigh.
> >
> >Since 1982 I have had exactly ONE infection.  Back when protections
> >were scant, probably around 1990 or so.  Took me about an hour to
> >get rid of it.
> >
> >I take security seriously but it gets old when every time something
> >like this comes out all of these "omigodtheworldisending!" articles
> >come out.
>
> Not everyone is a low risk, home user.  Some of us have significant
> exposure if our systems are breached.

I don't have links, but I've read over the past few months that the
cost/reward ratio of going after home users has gotten so low that bad
guys are going after home routers.

Anyway, I'd contact the manufacturer(s) to see if there's a firmware
update either available or in the works.

Re: Shellshock: 'Deadly serious' new vulnerability found

Dave Warren-2
In reply to this post by Dave Warren-2
In the last episode of <[hidden email]>, David Hume
<[hidden email]> said:

>I get the impression from the article below that this can be exploited
>from an application. I imagine that could include a web browser which
>calls, for example, an application via bash to render PDF. I am just
>guessing. It doesn't give examples.

It's not technically impossible, but it still requires something to run
bash that itself is remotely accessible/exploitable in some fashion.

My Linux boxes have no such thing.

Re: Shellshock: 'Deadly serious' new vulnerability found

J.B.Treadstone
In reply to this post by WaltS48
On Thu, 25 Sep 2014 14:36:58 +0000, Charles Lindbergh wrote:

> On Thu, 25 Sep 2014 10:18:21 -0400, WaltS48 <[hidden email]>
> wrote:
>
>>On 09/25/2014 10:08 AM, Charles Lindbergh wrote:
>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>
>>> Shellshock: 'Deadly serious' new vulnerability found
>>>
>>> http://www.bbc.com/news/technology-29361794
>>>
>>>
>>
>>Don't know about my router, but I checked my system and it is OK.
>
>
> How did you "check" your system?

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

Mine returns:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

So the system is ok.

--
openSUSE 13.1 64-bit



Re: Shellshock: 'Deadly serious' new vulnerability found

Wolf K.
In reply to this post by WaltS48
On 2014-09-25 10:08 AM, Charles Lindbergh wrote:
> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>
> Shellshock: 'Deadly serious' new vulnerability found
>
> http://www.bbc.com/news/technology-29361794

NYT has caught up:
http://www.nytimes.com/2014/09/26/nyregion/family-fights-health-care-system-for-simple-request-to-die-at-home.html

"Shellshock was not discovered for 22 years"

Have a good day,

--
Best,
Wolf K.
kirkwood40.blogspot.ca

Re: Shellshock: 'Deadly serious' new vulnerability found

Wolf K.
On 2014-09-26 9:53 AM, Wolf K. wrote:

> On 2014-09-25 10:08 AM, Charles Lindbergh wrote:
>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>
>> Shellshock: 'Deadly serious' new vulnerability found
>>
>> http://www.bbc.com/news/technology-29361794
>
> NYT has caught up:
> http://www.nytimes.com/2014/09/26/nyregion/family-fights-health-care-system-for-simple-request-to-die-at-home.html
>
>
> "Shellshock was not discovered for 22 years"
>
> Have a good day,


Ooops, sorry, wrong URL. Try this one instead:
http://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html

Although you might want to read the other article, too.

Have a good day,

--
Best,
Wolf K.
kirkwood40.blogspot.ca

Re: Shellshock: 'Deadly serious' new vulnerability found

caver1-5
On 09/26/2014 10:15 AM, Wolf K. wrote:

> On 2014-09-26 9:53 AM, Wolf K. wrote:
>> On 2014-09-25 10:08 AM, Charles Lindbergh wrote:
>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>
>>> Shellshock: 'Deadly serious' new vulnerability found
>>>
>>> http://www.bbc.com/news/technology-29361794
>>
>> NYT has caught up:
>> http://www.nytimes.com/2014/09/26/nyregion/family-fights-health-care-system-for-simple-request-to-die-at-home.html
>>
>>
>> "Shellshock was not discovered for 22 years"
>>
>> Have a good day,
>
>
> Ooops, sorry, wrong URL. Try this one instead:
> http://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html
>
> Although you might want to read the other article, too.
>
> Have a good day,
>

:O :)

--
Caver1

Re: Shellshock: 'Deadly serious' new vulnerability found

David E. Ross-3
In reply to this post by »Q«
On 9/25/2014 10:14 PM, »Q« wrote:

> In <news:[hidden email]>,
> Charles Lindbergh <[hidden email]> wrote:
>
>> On Thu, 25 Sep 2014 18:33:08 -0500, Ed Mullen <[hidden email]>
>> wrote:
>>
>>> David E. Ross wrote:
>>>> On 9/25/2014 7:08 AM, Charles Lindbergh wrote:
>>>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>>>
>>>>> Shellshock: 'Deadly serious' new vulnerability found
>>>>>
>>>>> http://www.bbc.com/news/technology-29361794
>>>>
>>>>  From what I have read, this can affect firmware in routers.  Does
>>>> anyone know which routers are affected?
>>>>
>>>
>>> Did a few searches and found little of use.
>>>
>>> Solution?
>>>
>>> OMIGOD!!! RUN AROUND!!!  SMACK MY FACE INTO THE WALL!!!  UNPLUG
>>> EVERYTHING IN THE HOUSE FROM THE INTERNET!!!
>>>
>>> Sigh.
>>>
>>> Since 1982 I have had exactly ONE infection.  Back when protections
>>> were scant, probably around 1990 or so.  Took me about an hour to
>>> get rid of it.
>>>
>>> I take security seriously but it gets old when every time something
>>> like this comes out all of these "omigodtheworldisending!" articles
>>> come out.
>>
>> Not everyone is a low risk, home user.  Some of us have significant
>> exposure if our systems are breached.
>
> I don't have links, but I've read over the past few months that the
> cost/reward ratio of going after home users has gotten so low that bad
> guys are going after home routers.
>
> Anyway, I'd contact the manufacturer(s) to see if there's a firmware
> update either available or in the works.
>

I have a Netgear router that Netgear claims is beyond end of life.
Netgear's contact information is impossible to navigate.

--
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can
be used when autocomplete=no.  See
<https://bugzilla.mozilla.org/show_bug.cgi?id=1064639>.

Re: Shellshock: 'Deadly serious' new vulnerability found

WaltS48
In reply to this post by WaltS48
On 09/25/2014 10:08 AM, Charles Lindbergh wrote:
> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>
> Shellshock: 'Deadly serious' new vulnerability found
>
> http://www.bbc.com/news/technology-29361794
>

Just had a system update to bash 4.2-68.8.1

- Add patches
   bash-4.2-BSC898604.patch for bsc#898604: functions via environment
   hardening
   bash-4.2-CVE-2014-7169.patch for bsc#898346, CVE-2014-7169:
   incremental parsing fix for function environment issue
   bash-4.2-CVE-2014-7187.patch for bsc#898603, CVE-2014-7186,
   CVE-2014-7187: bad handling of HERE documents and for loop issue

--
Sponsored by Firefox 33.0b7 and Thunderbird 31.1.2
GO Bucs, Steelers, Pitt, Pens, Bills and Sabres!

Re: Shellshock: 'Deadly serious' new vulnerability found

The Real Bev
In reply to this post by Ed Mullen-9
On 09/25/2014 04:33 PM, Ed Mullen wrote:

> David E. Ross wrote:
>> On 9/25/2014 7:08 AM, Charles Lindbergh wrote:
>>> Affecting anything using Bash, e.g. Routers, MAC, Linux, etc.
>>>
>>> Shellshock: 'Deadly serious' new vulnerability found
>>>
>>> http://www.bbc.com/news/technology-29361794
>>
>>  From what I have read, this can affect firmware in routers.  Does anyone
>> know which routers are affected?
>
> Did a few searches and found little of use.
>
> Solution?
>
> OMIGOD!!! RUN AROUND!!!  SMACK MY FACE INTO THE WALL!!!  UNPLUG
> EVERYTHING IN THE HOUSE FROM THE INTERNET!!!

When in danger
Or in doubt
Run in circles
Scream and shout.

> Sigh.
>
> Since 1982 I have had exactly ONE infection.  Back when protections were
> scant, probably around 1990 or so.  Took me about an hour to get rid of it.

Back in the dark ages there was something that got into the [thing whose
name I've forgotten but every floppy/hard disk had one] which replicated
itself on every floppy inserted into the drive.  It was a simple -- but
tedious --  process to clean it using f-prot, but our friend (the one
who gave it to us, thanks a lot) kept reinfecting himself because every
once in a while he would find a disk that hadn't been cleaned and
couldn't remember how to use the disinfecting floppy I gave him.

And then there was the sheep screensaver that just prevented you from
checking for viruses.  I liked that one.

> I take security seriously but it gets old when every time something like
> this comes out all of these "omigodtheworldisending!" articles come out.

Hubby did some patches for a while and then decided to wait a while
until it all gets sorted out.

--
Cheers, Bev
========================================================
"This would be the best of all possible worlds, if there
  were no religion in it."                   - John Adams

Re: Shellshock: 'Deadly serious' new vulnerability found

»Q«
In <news:[hidden email]>,
The Real Bev <[hidden email]> wrote:

> Hubby did some patches for a while and then decided to wait a while
> until it all gets sorted out.

I just got my sixth bash update since the Shellshock news broke.
Gentoo security decided not to wait until patches were accepted upstream
before pushing them out.  (I think Shellshock itself was dealt with
after the second patch I got, but they keep finding other little
things.)  It's starting to get annoying, because to restart all bash
processes I have to exit my desktop and log back in.

Re: Shellshock: 'Deadly serious' new vulnerability found

WaltS48
On 10/04/2014 10:27 AM, »Q« wrote:

> In <news:[hidden email]>,
> The Real Bev <[hidden email]> wrote:
>
>> Hubby did some patches for a while and then decided to wait a while
>> until it all gets sorted out.
>
> I just got my sixth bash update since the Shellshock news broke.
> Gentoo security decided not to wait until patches were accepted upstream
> before pushing them out.  (I think Shellshock itself was dealt with
> after the second patch I got, but they keep finding other little
> things.)  It's starting to get annoying, because to restart all bash
> processes I have to exit my desktop and log back in.
>


Ignorance is bliss. I have no idea what bash processes are running.

Haven't seen a bash update in days and haven't counted how many I got.

openSUSE 13.1

--
Sponsored by Firefox 33.0b9 and Thunderbird 31.1.2
GO Steelers, Pitt, Pens, Bills and Sabres!

Re: Shellshock: 'Deadly serious' new vulnerability found

»Q«
In <news:[hidden email]>,
WaltS48 <[hidden email]> wrote:

> On 10/04/2014 10:27 AM, »Q« wrote:
> > In <news:[hidden email]>,
> > The Real Bev <[hidden email]> wrote:
> >
> >> Hubby did some patches for a while and then decided to wait a while
> >> until it all gets sorted out.
> >
> > I just got my sixth bash update since the Shellshock news broke.
> > Gentoo security decided not to wait until patches were accepted
> > upstream before pushing them out.  (I think Shellshock itself was
> > dealt with after the second patch I got, but they keep finding
> > other little things.)  It's starting to get annoying, because to
> > restart all bash processes I have to exit my desktop and log back
> > in.
>
> Ignorance is bliss. I have no idea what bash processes are running.

Gentoo's package manager doesn't have anything to check what
services or programs need restarting after an update, so I use a tool
called "checkrestart".  I'm pretty sure it comes from Debian. It
doesn't work perfectly for me, but it's better than nothing.  I guess
it's better on Debian-based systems.

> Haven't seen a bash update in days and haven't counted how many I got.

I think there have been three official patch releases since 28 Sept,
but I don't think they were all security related.  (I got lost in
Gentoo's noisy bug about it.)

> openSUSE 13.1

Probably YaST (I think that's what it's called) takes care of whatever
needs restarting after updates.

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
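
The restart problem discussed in the message above (bash processes started before an update keep running the old code) can be checked directly on Linux. This is an added example, not code from the thread and not the checkrestart tool; the function names and the optional PROC_ROOT argument are assumptions made for the example, and the sample process tree is constructed.

```shell
#!/bin/sh
# Added example: find processes still running a binary that an update replaced.
# When a package manager swaps a file such as /bin/bash, already-running
# processes keep the old (now unlinked) copy, and Linux shows that in
# /proc/PID/exe as "/bin/bash (deleted)".

# stale_procs NAME [PROC_ROOT]
# Prints "PID<TAB>old path" for every process whose executable basename is
# NAME and whose exe link carries the " (deleted)" suffix.
# PROC_ROOT (assumption, for offline use) defaults to /proc.
stale_procs() {
    name=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for other users' processes
        # when not running as root; skip those quietly.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") ;;
            *) continue ;;
        esac
        path=${target% (deleted)}
        [ "${path##*/}" = "$name" ] || continue
        printf '%s\t%s\n' "${dir##*/}" "$path"
    done
}

# stale_count NAME [PROC_ROOT]: number of processes reported by stale_procs.
stale_count() {
    stale_procs "$@" | wc -l | tr -d ' '
}

# make_sample_proc: builds a constructed /proc-like tree and prints its path.
make_sample_proc() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/101" "$tmp/102" "$tmp/103" "$tmp/self"
    ln -s "/bin/bash (deleted)" "$tmp/101/exe"         # shell started before the update
    ln -s "/bin/bash" "$tmp/102/exe"                   # shell started after the update
    ln -s "/usr/bin/python3 (deleted)" "$tmp/103/exe"  # stale, but not bash
    ln -s "/bin/bash (deleted)" "$tmp/self/exe"        # non-numeric entry, skipped
    printf '%s\n' "$tmp"
}

# Run against the constructed tree; on a live system call: stale_procs bash
sample=$(make_sample_proc)
stale_procs bash "$sample"
rm -rf "$sample"
```

Any PID listed needs to be restarted (or its session logged out) before it picks up the patched binary; run as root to see other users' processes.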

Re: Shellshock: 'Deadly serious' new vulnerability found

caver1-5
In reply to this post by »Q«
On 10/04/2014 10:27 AM, »Q« wrote:

> In <news:[hidden email]>,
> The Real Bev <[hidden email]> wrote:
>
>> Hubby did some patches for a while and then decided to wait a while
>> until it all gets sorted out.
>
> I just got my sixth bash update since the Shellshock news broke.
> Gentoo security decided not to wait until patches were accepted upstream
> before pushing them out.  (I think Shellshock itself was dealt with
> after the second patch I got, but they keep finding other little
> things.)  It's starting to get annoying, because to restart all bash
> processes I have to exit my desktop and log back in.
>

I read somewhere that the bash vulnerability was compared to
whack-a-mole. Provide one patch and they find a different way. So until
it is completely figured out there will be several patches.

--
Caver1