  • shellshock
  • brassneck
    Full Member

    Just … oh dear.

    There goes my weekend.

    whatnobeer
    Free Member

    You’re a sys-admin? Good luck. Luckily my experimental server isn’t affected and even if it was, there’s just one of it. Wouldn’t fancy trying to patch tens or hundreds of remote servers :s

    wwaswas
    Full Member

    I have no idea what my NAS, routers etc are running. Just glad we work in a Windows environment.

    Jamie
    Free Member

    Q. What can I do to protect against it?

    A. Experts recommend not using credit cards or disclosing personal information online for the next few days. Usual precautions are also recommended such as updating anti-virus software and not visiting dodgy websites.

    Good plan of action from the Independent 😀

    DaRC_L
    Full Member

    I’m still wondering how hackers can get to the command line terminal – shurely that port should be heavily controlled and require a signon & password?

    But then I’m not a Linux/Unix admin…

    Cougar
    Full Member

    “should” is the operative word in that sentence.

    aracer
    Free Member

    They don’t, but webservers do, and to exploit this you just need to format a web request in the right way.

    whatnobeer
    Free Member

    shurely that port should be heavily controlled and require a signon & password?

    As I understand it there’s no authentication required when executing these commands via a CGI script, which, along with the fact that about 50% of the world’s web servers are probably vulnerable, means there are an awful awful lot of machines that you can execute arbitrary code on.
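Added example, not part of any post in this thread: a CGI handler hands request headers to the script as environment variables, and an unpatched bash treats a value starting with `() {` as a function definition to import, so that marker in logged request fields is the thing to hunt for. The sketch below assumes Apache/nginx "combined" access logs; the sample lines, addresses and placeholder payload are constructed.

```python
import re

MARKER = re.compile(r"\(\)\s*\{")            # start of a bash function definition
CGI_PATH = re.compile(r"/cgi-bin/|\.cgi(\?|$)")
# Combined format: ip - user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, placeholder payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 64 "-" "() { :; }; <placeholder-command>"',
    '198.51.100.7 - - [26/Sep/2014:10:00:09 +0000] "GET /about HTTP/1.0" '
    '404 0 "() { x; }; <placeholder-command>" "-"',
    'malformed entry () { :;}; <placeholder-command>',
]

def scan(lines):
    """Return one record per log line that carries the function-definition marker."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Unparseable line (escaped quotes, truncation): check the raw text.
            if MARKER.search(line):
                hits.append({"line": number, "ip": None, "path": "",
                             "status": None, "fields": ["raw"], "cgi": False})
            continue
        fields = [f for f in ("request", "referer", "agent")
                  if MARKER.search(m.group(f))]
        if not fields:
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else ""
        hits.append({"line": number, "ip": m.group("ip"), "path": path,
                     "status": int(m.group("status")), "fields": fields,
                     # A hit on a CGI path is the one to triage first.
                     "cgi": bool(CGI_PATH.search(path))})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only fields the server actually logs are visible this way; a marker sent in a header that is not logged (a cookie, for instance) will not show up.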

    tootallpaul
    Full Member

    spent the day patching redhat yesterday.

    come in today to find that redhat have released a new patch.

    another day of patching.

    😐

    Cougar
    Full Member

    Yeah.

    The initial patch was only ever meant to be an emergency response. There will probably be more too.

    willard
    Full Member

    Yup, busy here, but mainly from a customer communication point of view.

    Still, all good fun.

    I would point people to the website I’m building with a load of information on it, but I’m still building it. Watch this space.

    brassneck
    Full Member

    They don’t, but webservers do, and to exploit this you just need to format a web request in the right way.

    It’s possible to craft a DHCP attack too

    OUCH

    I don’t know how many shops use reservations for their servers (probably quite a lot in cloud services), and compromising the DHCP server itself would be a challenge (although in my experience if you have a rogue one, it’s always the BAD one that responds first) but that’s just plain nasty.

    brassneck
    Full Member

    PS – anyone seen a statement on Cisco IOS / NX-OS?

    willard
    Full Member

    Not yet. F5 did one yesterday though.

    The DHCP thing looks nasty though.

    aracer
    Free Member

    The DHCP thing looks nasty though.

    Woo – scary stuff indeed. I am so going to have to try that on the school network where I’m admin – purely in the interest of research as we need to have a bit of a think about security (to be honest we’re not all that vulnerable to anything, sitting behind a solid firewall and the only direct user access is to temporary VMs – the important stuff has fixed IP addresses and aren’t running web servers – though we can’t ignore it).

    Cougar
    Full Member

    Essential reading:

    https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271

    Just about the most sensible, level-headed write-up I’ve seen today on the subject.

    Jamie
    Free Member

    What with all the IT managers on here, I imagine there won’t be a MTB to be seen this weekend 😛

    anagallis_arvensis
    Full Member

    I have no idea what you lot are rambling on about!!

    aracer
    Free Member

    Thanks Cougar, that is a sensible article, and does at least confirm my lack of concern is reasonable.

    samuri
    Free Member

    What with all the IT managers on here, I imagine there won’t be a MTB to be seen this weekend

    I just sent out an email saying ‘fix this’ and went off cycling.

    footflaps
    Full Member

    NSA / GCHQ will be kicking themselves, another secret back door exposed and therefore closed to them!

    Jamie
    Free Member

    I just sent out an email saying ‘fix this’ and went off cycling.

    I look forward to your reaction on Monday morning, when you read the post-it note left telling you it hasn’t been 😀

    samuri
    Free Member

    They’ll have done something, probably the wrong thing.

    I run my guys with a fist of iron. Plus I ridicule them in private. It’s the only language they respect.

    aracer
    Free Member

    My favourite comment on that Indy article:

    Here’s an idea, let’s tell hackers about all of our flaws and how it’s so easy to attack systems.
    Oh look, here’s a weakness. BEST TELL EVERYONE ABOUT IT SO THEY CAN EXPLOIT IT.
    Well done.

    Cougar
    Full Member

    I have no idea what you lot are rambling on about!!

    Consider yourself bloody fortunate.

    Every now and again this sort of thing rears its head. IT bods sweat blood to sort it out, and then when they do a frankly phenomenal job everyone goes “well, I don’t know what the fuss was about, it was a non-issue” ignoring the fact that the reason it was a non-issue is precisely because of a large number of people pulling miracles out of their arses.

    For the canonical example of this, see the Millennium Bug. Which I’ve spent 14 years being cross about.

    CountZero
    Full Member

    footflaps – Member
    NSA / GCHQ will be kicking themselves, another secret back door exposed and therefore closed to them!

    😆

    aracer – Member
    My favourite comment on that Indy article:

    Here’s an idea, let’s tell hackers about all of our flaws and how it’s so easy to attack systems.
    Oh look, here’s a weakness. BEST TELL EVERYONE ABOUT IT SO THEY CAN EXPLOIT IT.
    Well done.
    This.

    somouk
    Free Member

    The DHCP option looks worrying on the surface but I would expect most Linux servers doing anything important to be on static IP addresses.

    Certainly a lot more accessible to people than the web attack. Introduce a rogue DHCP server to the network and off you go.

    ourmaninthenorth
    Full Member

    So, as a domestic Mac user, what does this mean for me?

    Jamie
    Free Member

    Sod all, really, and there is nothing you can do about it. 8)

    ourmaninthenorth
    Full Member

    That’s the sort of clear, unambiguous, ukip-level common sense talk I like.

    I have no idea what you mean. But I’ll buy three.

    My credit card details are 3428 4331 65….

    coolhandluke
    Free Member

    For the canonical example of this, see the Millennium Bug. Which I’ve spent 14 years being cross about.

    We were terrified in work in case our toaster stopped working!

    Cougar
    Full Member

    So, as a domestic Mac user, what does this mean for me?

    Realistically, almost certainly nothing.

    I assume there will be a patch released for the OSXes at some point.

    aracer
    Free Member

    Have done a bit of testing, and it’s actually a lot harder to exploit the DHCP vulnerability on our system than I thought (the PXE boot is broken with a rogue DHCP server, so it never gets as far as running bash – PXE is not vulnerable). For Mac users it seems it would only be a problem if you were running a web server with CGI scripts – apparently they’re not vulnerable to the DHCP exploit.

    Cougar
    Full Member

    I assume there will be a patch released for the OSXes at some point.

    … and, there is. Links here:

    Apple patches OS X against Shellshock
