Page 1 of 2 12 LastLast
Results 1 to 15 of 22
  1. #1
    WS Lounge VIP access-mdb's Avatar
    Join Date
    Dec 2009
    Location
    Oxfordshire, UK
    Posts
    1,729
    Thanks
    148
    Thanked 156 Times in 149 Posts

    How worried should we be about Shellshock?

    Title says it all really.

    Is there anything we can do to protect against it?

  2. The Following User Says Thank You to access-mdb For This Useful Post:

    PhotM (2014-09-28)

  3. #2
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    Your PC will not be affected, it's really only Unix based servers used for hosting web sites. At present we don't know what compromise is possible so all you can do is browse carefully and try not to use your credit cards too much. It may turn out to be a whole lot of fuss over nothing, but tread carefully until we are sure.

    cheers, Paul

  4. #3
    Super Moderator CLiNT's Avatar
    Join Date
    Dec 2009
    Location
    California & Arizona
    Posts
    6,121
    Thanks
    160
    Thanked 609 Times in 557 Posts
    Your best protection would be not doing anything really stupid:

    Opening links in friends sent email with abandon to caution.
    Browsing stupidly and clicking on everything without actually looking at anything.
    Sharing USB sticks with others, especially friends.
    Downloading and installing applications you know nothing about simply because you want to try them out.
    Running your system without password protection and outdated AV/AM definitions.

    Your second best protection will be a known good backup that'll get you up and running in less than 30 minutes.

    Your image based backup should be of recent vintage and cover all your core applications.
    Don't worry about getting ALL Windows updates, within a hundred megabytes is fine, and don't worry about
    simple programs that can be easily reinstalled.
    DRIVE IMAGING
    Invest a little time and energy in a well thought out BACKUP regimen and you will have minimal down time, and headache.

    Build your own system; get everything you want and nothing you don't.
    Latest Build:
    ASUS X99 Deluxe, Core i7-5960X, Corsair Hydro H100i, Plextor M6e 256GB M.2 SSD, Corsair DOMINATOR Platinum 32GB DDR4@2666, W8.1 64 bit,
    EVGA GTX980, Seasonic PLATINUM-1000W PSU, MountainMods U2-UFO Case, and 7 other internal drives.

  5. The Following User Says Thank You to CLiNT For This Useful Post:

    PhotM (2014-09-28)

  6. #4
    WS Lounge VIP access-mdb's Avatar
    Join Date
    Dec 2009
    Location
    Oxfordshire, UK
    Posts
    1,729
    Thanks
    148
    Thanked 156 Times in 149 Posts
    I'm aware that it doesn't affect Win systems per se, but it does affect people going online. Although the advice is to not use credit cards, that would cause all sorts of problems as we all use them online (well a large proportion of us do). I was more thinking of how we might see how any site we go to which we want to purchase something, is actually OK to use (does it affect IIS servers?).

    Clint, I already do (or don't do) everything in your list - just verifying today's image (via Macrium) as I type.

  7. #5
    Star Lounger
    Join Date
    Nov 2011
    Location
    Calgary, AB, Canada
    Posts
    54
    Thanks
    51
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by Paul T View Post
    Your PC will not be affected, it's really only Unix based servers used for hosting web sites. At present we don't know what compromise is possible so all you can do is browse carefully and try not to use your credit cards too much. It may turn out to be a whole lot of fuss over nothing, but tread carefully until we are sure.

    cheers, Paul


    Paul,

    Don't forget BASH and/or ASH is Windows friendly and can be installed on Servers and Clients...... I am out of my depth since I have never heard of either until this vulnerability was disclosed. I have been learning allot from the Patchmanagement Email IT Group that our own Susan Bradley moderates on and belongs to.

    Crysta

    OMG,

    I just heard on TWiT's "This Week in Tech Show", Steve Gibson says that "DHCP" uses BASH IN SOME CASES!!! As Steve says "This is a 10 out of 10 per the Knowledgeable IT World".

    I sure hope this one frizzles????? Be careful on "Foreign WiFi and DHCP"!!!
    Last edited by PhotM; 2014-09-28 at 17:33. Reason: for DHCP

  8. #6
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    BASH is used on Linux based systems by default, on Windows you need to install it.

    Yes, DHCP is vulnerable, but it is not exposed on the internet - unless the site admins are really dumb. On public WiFi the DHCP service is likely to be embedded in the wireless controller and may or may not be affected. Even if it is affected you are only using the WiFi as transport and you should not be doing anything sensitive, like banking, unless you have a banking app with internal security. You should still be running a firewall and not installing any old software.

    IIS is a Windows product and will not be affected by this problem, but there are a lots on Linux based servers out there because they are cheaper to run and potentially more secure than Windows.

    cheers, Paul

  9. #7
    Star Lounger
    Join Date
    Nov 2011
    Location
    Calgary, AB, Canada
    Posts
    54
    Thanks
    51
    Thanked 2 Times in 2 Posts

    Exclamation SB14-272: Vulnerability Summary for the Week of September 22, 2014

    National Cyber Awareness System:

    SB14-272: Vulnerability Summary for the Week of September 22, 2014

    09/29/2014 06:42 AM EDT

    Original release date: September 29, 2014


    gnu -- bash

    GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. 2014-09-24 10.0 CVE-2014-6271
    CERT
    CERT-VN
    CONFIRM
    UBUNTU
    DEBIAN
    CISCO
    REDHAT
    REDHAT
    REDHAT
    MISC


    gnu -- bash

    GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. 2014-09-24 10.0 CVE-2014-7169

    CERT
    CERT-VN
    UBUNTU
    UBUNTU
    MLIST
    DEBIAN
    MISC
    CISCO
    REDHAT
    MISC

    Received this this, this morning in their weekly Email.

    Regards,

    Crysta
    Last edited by PhotM; 2014-09-29 at 09:22.

  10. #8
    Super Moderator
    Join Date
    Aug 2012
    Location
    Durham UK
    Posts
    6,643
    Thanks
    147
    Thanked 884 Times in 845 Posts
    I was reading someone's query as to whether this would affect Billion routers on http://www.billion.uk.com/forum/view...php?f=3&t=3252 and up until then, it didn't affect routers using the Broadcom chipset.
    Last edited by Sudo15; 2014-09-29 at 12:01.

  11. #9
    New Lounger
    Join Date
    Jun 2014
    Posts
    1
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Paul T View Post
    BASH is used on Linux based systems by default
    It's used on some distributions by default. Ubuntu, for example, uses DASH by default.

  12. #10
    New Lounger
    Join Date
    Dec 2009
    Location
    Tucson, AZ, USA
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts
    If you are using Cisco hardware, I'd suggest you take a look at the Cisco Advisory ID: cisco-sa-20140926-bash at the Cisco website http://tools.cisco.com/security/cent...-20140926-bash
    It lists the Cisco devices that are affected and what to do.
    Hope this helps.

  13. #11
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    Quote Originally Posted by CLiNT View Post
    Your best protection would be not doing anything really stupid:

    Opening links in friends sent email with abandon to caution.
    Browsing stupidly and clicking on everything without actually looking at anything.
    Sharing USB sticks with others, especially friends.
    Downloading and installing applications you know nothing about simply because you want to try them out.
    Running your system without password protection and outdated AV/AM definitions.
    We sure are getting intimately involved with our computers. I could change one or two words in each of these and it would be good advice on sexual intercourse, too. :-)

  14. #12
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    S.F. Bay Area, California, USA
    Posts
    735
    Thanks
    15
    Thanked 80 Times in 78 Posts
    I believe there was a set of rules a few years ago about how to "have safe fax." Among the rules was, "When you have fax with someone, you're having fax with anybody who has faxed them before." (Also, "Always use a cover sheet.")

    Zig

  15. #13
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    4,755
    Thanks
    171
    Thanked 652 Times in 575 Posts
    Quote Originally Posted by omd View Post
    It's used on some distributions by default. Ubuntu, for example, uses DASH by default.
    Why is Ubuntu pushing out patches for Bash then?

    Ubuntu Security Notice: Bash vulnerabilities

    Bruce

  16. #14
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    Bash my not be the default shell in Ubuntu, but it is available. It seems responsible for anyone who distributes any form of it to push or actively promote patches.

  17. #15
    3 Star Lounger Backspacer's Avatar
    Join Date
    Sep 2002
    Location
    Scappoose
    Posts
    332
    Thanks
    20
    Thanked 12 Times in 11 Posts
    We use ZyXel USG business class routers. I just got a reply from their tech support to my question of whether my routers are affected: "Zyxel devices do not use Bash shell script they use BusyBox so you are not affected." That is a relief.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •