ShellShock, shock shock shock!

Update information      Edit(Sep.30)    Edit2(Oct.6)

   Have you coped with the threat from ShellShock, yet? My server is on Windows OS. Hence I think the vulnerability gives no effect to mine. But it’s a very serious one. NVD gave the impact score 10 to this. I have a CentOS 6.5 on my VMware, so I updated its bash to bash-4.1.2-15.el6_5.2.i686.

   If you still have the following messages after updating and doing env x='() { :;}; echo
vulnerable' bash -c "echo this is a test"
, your bash need more updating.
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for 'x'
this is a test

   I got the information form Masanari Iida’s comment on Red Hat Customer Portal.

   Several links which I am curious about, actually tons of articles about it on the Internet:

   By the way, I had the ShellShock attacks six times and blocked their IPs until yesterday, and today two more from other IPs until now on the Apache error log. I found that all of them my Apache returned HTTP Error Codes to.

   On “Bash bug: apply Florian’s patch now” he said “I very strongly recommend manually deploying Florian’s patch unless your distro is already shipping it.” and how to check the patch applied or not.

   When you do foo='() { echo not patched; }' bash -c foo within the shell, the patch is already applied if you have “command not found”. If you have “not patched”, your bash is still vulnerable.

   On its comment vdp wrote “These ‘toughen the feature’ patches still feel quite scary.” and a suggestion. I agree with him.

   Today, I’ve found this (Japanese).

   It says that it’s not enough to check the bash by the code foo='() { echo not patched; }'
bash -c foo
. Nonetheless, they have less critical than CVE-2014-6271 or CVE-2014-7169. But still dangerous.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.