
Author Topic: More Shellshock info  (Read 1502 times)

Offline DaBees-Knees

  • WMW Team
  • *****
More Shellshock info
« on: October 02, 2014, 11:59:32 am »
Quote
A Linux/Unix-based vulnerability, Shellshock, has an impact that reaches far beyond one operating system.

As with Heartbleed, Windows users can't ignore this threat. But the most difficult aspect of this outbreak is determining which devices are actually vulnerable.

A vulnerability in the Bash Linux/Unix shell

Your PC might be pure Windows, but chances are high that you have devices in your home running on Unix or Linux. I know I do — my Western Digital My Cloud networked backup drive, routers, Kindles, iPhones, and iPads all run some form of Unix/Linux. (Worse still, Unix and Linux are core operating systems on many enterprise-computing and storage systems.)

Those non-Windows devices were relatively safe from malware — until now. As has been widely reported, the GNU Project's Bourne Again Shell (Bash) was found to be vulnerable. Bash is a text-based, command-line utility or Unix shell used by numerous versions of the Linux/Unix operating systems.

If installed as the default command-line shell, Bash can make a system vulnerable to malicious remote attacks. The method of attack includes various network tools that execute scripts — from Telnet and Secure Shell (SSH) sessions to Web requests.

Unfortunately, there's no single list of Shellshock-vulnerable devices. At this point, we each need to take a survey of our Linux/Unix devices and check whether there's an update to protect us from attack. If there's no patch for a particular device, mitigating the threat could mean changing how we use the device or — as in the case of a security device such as a router/firewall — replacing it altogether.

Be aware that there are already reports of attacks against online honey pots that look for new exploits.

A long, long list of threatened systems

Here are some of the devices I know to be vulnerable to this exploit:

Operating systems: Most major Linux- or Unix-based operating systems, such as Red Hat and Ubuntu already have patches for the initial bug. Many of those patches are listed on the National Institute of Standards and Technology's National Vulnerability Database website. (See, for example, CVE-2014-6271.)
Unfortunately, many of those initial updates didn't cover a secondary bug — CVE-2014-7169 — also being tracked at the NIST site.

If you're running any Linux distribution, there's a command you can enter to check whether your system is running Bash by default and thus is vulnerable. As noted in a Bobcares blog, enter the following at the command prompt:

# env x='() { :;}; echo Server is vulnerable' bash -c "echo"

If the command returns a "Server is vulnerable" message, be forewarned.

Network-attached storage: If you have a NAS device, it's running some sort of operating system — though exactly what type can be difficult to tell. According to a Neowin post, NAS devices from QNAP and Synology are potentially vulnerable to Shellshock. Moreover, my home backup device of choice, the Western Digital My Cloud, is also vulnerable, according to a WD forum post.
 
If you're using any NAS drive that's accessible via the Internet, I recommend disabling remote access immediately. Leave it turned off until you've either installed an update or determined that your particular device was never vulnerable to Shellshock.

Turning off remote access should be easy. For example, following instructions on a WD knowledge-base page, I signed in to the My Cloud's admin console and opened the settings tab. I then went to the "Cloud Access" section and switched it off.

Apple devices: Continuing my survey of personal Linux/Unix devices threatened by Shellshock, I considered my Apple MacBook notebook and my iPhone. An Apple Support forum post has a long and fairly technical discussion about Bash vulnerabilities in OS X. Simply put, if you're not using an Apple system as an Internet server — i.e., you're not giving direct, remote access to the system — you're not vulnerable to Shellshock.
 
That said, Apple has already released OS X Bash Update 1.0, according to a company support page. The patch applies to Lion v10.7.5, Lion Server v10.7.5, Mountain Lion v10.8.5, and Mavericks v10.9.5.

Keep in mind that any prior version of OS up to and including Snow Leopard will not get updates and will remain vulnerable. But again, that's only if you've set up the machine as a webserver or have enabled additional Unix capabilities.

Firewalls and routers: As noted in a 2012 SANS Institute white paper, "Exploiting embedded devices," the vast majority of home routers run BusyBox for their Unix tools. That makes those devices safe from the Bash bug.
However, that's not the case for some small-business firewalls provided by Cisco. The company has documented which devices are vulnerable to the Bash bug.

Androids: For consumers, there's more good news. Android devices ship with a variation of the Almquist shell — another form of Unix that's not threatened by Shellshock. Which means anyone using an Android phone or tablet is not at risk. (That's good, because Android operating systems are customized by device manufacturers; you can't simply go to Google's site to download a universal update.)

Shellshock: More smoke than fire for consumers

When I read the first reports on the Bash bug, I immediately assumed the worst: we'd all have to toss out our routers and buy new ones. Fortunately, that's not the case. Our routers — the first line of defense against Internet threats — are not likely to succumb to Shellshock exploits. Nor do we have to worry about attacks on our Android and Apple phones — at least not Bash-related hacks.

Those of us with home/small-business, cloud-enabled NAS devices are, however, potentially at risk. As noted above, switch off remote access until there's an update from your NAS vendor.

So who is vulnerable to Shellshock? Mostly, it's enterprise systems that rely heavily on Linux- and Unix-based services. It was originally predicted that at least half of all websites could be compromised. Fortunately, quick action by IT admins and various updates have undoubtedly reduced the threat. The most vulnerable devices now are those that never get updated.

Still, there's an important lesson from the Shellshock debacle. All our digital devices are potentially vulnerable to attack — no matter what operating system they run on. It's a problem that extends far beyond our computers, phones, and other electronic peripherals. Security systems, cars, planes, and countless other things we rely on daily have embedded software. All that code has vulnerabilities that could, sooner or later, be exploited. It's not a question of whether but when.

Keep all your devices fully updated.

Susan Bradley

Although some of you may find this information a repeat of what you already know, others may find it helpful.
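
Added example, not part of the quoted article or of this post: a POSIX shell audit that first checks whether a given shell binary is Bash at all, then runs the article's CVE-2014-6271 test and the widely published file-creation diagnostic for CVE-2014-7169. The function names and report format are assumptions of this example.

```shell
#!/bin/sh
# Added example: Shellshock audit for one shell binary (name or absolute path).
# Function names and the report format are assumptions of this example.

# CVE-2014-6271, using the env string quoted in the article: a vulnerable
# Bash executes the command that trails the imported function definition.
check_6271() {
    out=$(env x='() { :;}; echo Server is vulnerable' "$1" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *"Server is vulnerable"*) echo VULNERABLE ;;
        *) echo OK ;;
    esac
}

# CVE-2014-7169, using the widely published diagnostic: a vulnerable Bash
# mis-parses the variable and leaves a file named "echo" in the working
# directory. Runs in a scratch directory so nothing else is touched.
check_7169() {
    bin=$(command -v "$1") || { echo MISSING; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then result=VULNERABLE; else result=OK; fi
    rm -rf "$tmp"
    echo "$result"
}

# Report whether the binary is Bash at all (BusyBox ash, dash and other
# Almquist-style shells leave BASH_VERSION unset), then run both checks.
audit_shell() {
    ver=$("$1" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || true
    if [ -z "$ver" ]; then
        echo "$1: not-bash"
        return 0
    fi
    echo "$1: bash-$ver CVE-2014-6271=$(check_6271 "$1") CVE-2014-7169=$(check_7169 "$1")"
}

# /bin/sh is what system() and many CGI handlers invoke; bash is checked too.
audit_shell /bin/sh
if command -v bash >/dev/null 2>&1; then audit_shell bash; fi
```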

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: More Shellshock info
« Reply #1 on: October 02, 2014, 06:09:41 pm »
A decent write up you have discovered there DaBees's, it might be annoying but it's better to go through all of your equipment now than to find out you have a problem once it's been exploited  :alien:

Offline Pri

  • MX Hosts
  • *****
  • *****
Re: More Shellshock info
« Reply #2 on: October 02, 2014, 09:09:37 pm »
With this and the OpenSSL situation earlier in the year it really shows how the sediment on which we build our internet infrastructure really needs to be audited. I'm a software developer and I've relied on other people's software, some of it written over a decade ago, as an integral part of my own software on many occasions. Sometimes something as simple as how you write a file to disk or authenticate a user can use code written a long time ago that has never had any kind of oversight or security audit and it is frankly very worrying.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: More Shellshock info
« Reply #3 on: October 02, 2014, 09:13:10 pm »
I was under the delusion that as new operating systems came to fruit they had new drivers etc created that rendered some of these issues null and void but it seems there's holes in nearly everything and all just waiting to be exploited for giggles or cash.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: More Shellshock info
« Reply #4 on: October 08, 2014, 05:00:27 pm »
I was under the delusion that as new operating systems came to fruit they had new drivers etc created that rendered some of these issues null and void but it seems there's holes in nearly everything and all just waiting to be exploited for giggles or cash.

a different lock just needs a different pick.... and this shellshock seems overblown for desktop (without remote access) users... if one gets 'shell through browser' then there is something severely wrong with the browser...

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: More Shellshock info
« Reply #5 on: October 08, 2014, 06:51:36 pm »
I think we both know browsers are quite rich pickings for attackers, the choice is simply do we allow governments to know of and exploit their bugs for financial and political motives or just the anarchistic financially motivated persons, those are normally the two routes of evil.
