so we are all screwed then

Story: Bug in Bash shell creates big security hole on anything with *nix in it
Total Replies: 24
gary_newell

Sep 25, 2014
9:37 AM EDT
Assuming we all patch our systems (which we will) this isn't really going to help all that much.

We have to hope that everyone else patches their systems as well.

Then there is the whole router issue. That is the bit I am most concerned about. Is it affected? I can only assume that it is. How will I know if a firmware update has solved any issue with the router?

There are also some reports suggesting the patches aren't 100% effective either

Bob_Robertson

Sep 25, 2014
10:05 AM EDT
Rather, not all patches are 100% effective, so it must be assumed that all patches are not 100%, but all in different ways.

Until the upstream fixes are able to filter down to the individual distributions, it's safe to say that nothing is entirely safe.

But that's the assumption we are all making already, right?
number6x

Sep 25, 2014
10:53 AM EDT
Enter the following line in the bash shell:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If your shell is still vulnerable you will see:

vulnerable
this is a test


If your shell is not vulnerable you will see something like:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


My bash shell was patched yesterday. This fixes certain types of malformed bash function definitions. It doesn't mean that the shell interpreter has no other vulnerabilities.

Here is a tweet about the incompleteness of this particular patch:

https://twitter.com/taviso/status/514887394294652929

But the examples there all fail after my system was patched.
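A scripted form of the self-test in this post, added here as an example and not part of the original thread: it runs the same probe (an environment variable whose value begins with a function definition, followed by a harmless echo), passes the variable through a dict rather than a shell string so no quoting is involved, and classifies the output using the diagnostics quoted above. The "silently ignored" case is included because later bash releases drop the variable without printing the warning.

```python
"""Repeatable Shellshock self-test (CVE-2014-6271 probe) for many hosts.

Added example; not code from the forum post. Uses only the probe the post
gives and the patched-bash diagnostics it quotes.
"""
import shutil
import subprocess
from typing import Optional

# The post's probe: a function definition followed by a trailing command.
# A bash that runs "echo vulnerable" while importing the variable is affected.
PROBE_VALUE = "() { :;}; echo vulnerable"
PROBE_COMMAND = "echo this is a test"

# Messages a patched bash prints when it refuses the import (quoted from the thread).
PATCHED_MARKERS = (
    "ignoring function definition attempt",
    "error importing function definition",
)


def classify_output(stdout: str, stderr: str) -> str:
    """Map the probe's stdout/stderr to 'vulnerable', 'patched' or 'unknown'."""
    stdout_lines = [line.strip() for line in stdout.splitlines() if line.strip()]
    if "vulnerable" in stdout_lines:
        return "vulnerable"
    if any(marker in stderr for marker in PATCHED_MARKERS):
        return "patched"
    if stdout_lines == ["this is a test"]:
        # Later bash releases ignore the variable silently instead of warning.
        return "patched"
    return "unknown"


def run_probe(bash_path: Optional[str] = None) -> str:
    """Run the probe against bash on PATH (or an explicit path).

    The environment is handed over as a dict, so bash receives the variable
    exactly as in the post's one-liner without any extra quoting layer.
    Returns 'no-bash' where bash is absent (typical of embedded systems
    that ship ash or another small shell instead).
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "no-bash"
    proc = subprocess.run(
        [bash, "-c", PROBE_COMMAND],
        env={"x": PROBE_VALUE, "PATH": "/usr/bin:/bin"},
        capture_output=True,
        text=True,
        timeout=10,
    )
    return classify_output(proc.stdout, proc.stderr)


if __name__ == "__main__":
    print(run_probe())
```

Run it on each host you administer and treat anything other than "patched" or "no-bash" as needing attention; as the post notes, a "patched" result only covers the function-import defect this probe exercises.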
gary_newell

Sep 25, 2014
11:22 AM EDT
From my understanding your actual laptop or desktop isn't really at risk unless you are running a web server of some kind. Is that correct?

From what I have read (and a lot of it is confusing and conflicting) is that on a local computer you would only be able to exploit the system if you have access to a bash shell in the first place. How likely is that?

What I would really like to test is my router and other devices. Not sure how I would do that though.
CFWhitman

Sep 25, 2014
11:49 AM EDT
The vast majority of embedded systems do not have bash installed. They generally use ash or another small footprint shell that is not vulnerable. This means that your routers, switches, firewalls, etc. are very unlikely to be affected by this unless you built them yourself with a bigger distribution, and then you can patch them.

It's unlikely that your desktop computer would be affected by most normal Internet activity. There has to be something which can inject code into a normal bash command for this to be exploited. Of course you should apply the patches anyway. Servers are a much more likely target. I patched my work servers and desktops earlier this morning. I will patch my home server when I get back home, but it's not accessible from outside anyway (I'm not hosting a Web site on it). Of course I will patch my home desktops as well.
jdixon

Sep 25, 2014
12:00 PM EDT
> ...on a local computer you would only be able to exploit the system if you have access to a bash shell in the first place. How likely is that?

Do you have any other users who use your machine? If so, very likely.
Bob_Robertson

Sep 25, 2014
1:36 PM EDT
Thanks, 6.

My home system, patched yesterday, gives the error message.

My work system, with a public facing web page on it, returns "vulnerable".

Oy.

Edit: Not so fast, the shell on my work systems isn't bash. So never mind.
750

Sep 25, 2014
5:38 PM EDT
Best I can tell, this is a local exploit unless the attacker finds some other means of reaching the shell.
jdixon

Sep 25, 2014
9:17 PM EDT
> ...this is a local exploit unless the attacker finds some other means of reaching the shell.

Which apparently some web interfaces supply. :(

I applied the Slackware patch this morning, but apparently there's a second patch this afternoon.
Bob_Robertson

Sep 26, 2014
8:58 AM EDT
> apparently there's a second patch this afternoon.

The stuff I've read makes it sound like trial-and-error patching.

Remember that "we need real work on the basic infrastructure bits" after OpenSSL? Watch for another round of the same thing.

And, if I may bring this discussion into what we've been talking about so much lately, this is another excellent example of the importance of (relatively) small, independent programs, which can be quickly fixed individually and independently of other bits.
CFWhitman

Sep 26, 2014
9:25 AM EDT
After patching yesterday I had to re-patch all my machines today.
mrider

Sep 26, 2014
11:43 AM EDT
Apparently, if you have a vulnerable machine that uses DHCP, and the DHCP server is either compromised or expressly created to be malicious, then you can be hacked when you get an address. So this is a problem for home users. It's fairly typical for a home network to consist of a single device that is a DSL or fiber modem, that is the firewall, that is the WIFI access point, and finally is the DHCP server. If that device is compromised, then it can be used to compromise vulnerable computers inside the network.

My fiber router at home is such a device. However, all my permanent computers use static addresses outside the DHCP range, so only guests get served by DHCP. I'll have to look into my router over the weekend, but I'm confident that I wasn't compromised in the time between when this was discovered and when I got the update a couple of days ago.
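The DHCP scenario in this post, and the "web interfaces supply" a path to the shell remark by jdixon above, share one mechanism: a daemon copies network-supplied data into environment variables and then runs a shell script. The example below is added here and is not code from the thread or from any DHCP client; it is a stop-gap scrubber for the window between disclosure and a complete patch. It assumes a hook script that receives lease options as environment variables (the variable names follow ISC dhclient-script conventions, which you should check against your own client's man page), and the lease values are constructed for illustration.

```python
"""Drop bash function definitions from an environment before running a hook.

Added example, not part of the original forum post. The only fix for the
shell itself is the vendor patch; this wrapper just keeps function-shaped
values away from hook scripts until that patch has landed everywhere.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Unpatched bash imports any variable whose value starts with "() {" as a
# function; the match is deliberately a little broader (leading whitespace
# allowed) than bash's own check, erring on the side of dropping a value.
FUNCTION_DEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Constructed lease options, shaped like what a DHCP client hands its hook
# script. The domain value is a benign stand-in for a hostile DHCP reply.
SAMPLE_LEASE_ENV = {
    "PATH": "/usr/bin:/bin",
    "reason": "BOUND",
    "interface": "eth0",
    "new_ip_address": "192.0.2.23",
    "new_domain_name": "() { :;}; echo this value came from the network",
    "new_host_name": "laptop",
}


def scrub_environment(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (clean_env, dropped_names).

    Offending variables are removed rather than rewritten: a hook expecting a
    hostname or domain name has no legitimate use for a function body there,
    and the dropped names are worth logging, since a rogue DHCP server on the
    LAN is exactly what they would indicate.
    """
    clean: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in env.items():
        if FUNCTION_DEF_PREFIX.match(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


def run_hook(script: List[str], env: Dict[str, str]) -> List[str]:
    """Run a hook script with the scrubbed environment; return dropped names."""
    clean, dropped = scrub_environment(env)
    subprocess.run(script, env=clean, check=True)
    return dropped


if __name__ == "__main__":
    # Hypothetical hook: just shows which domain value the script would see.
    hook = ["/bin/sh", "-c", 'echo "domain=${new_domain_name:-<dropped>}"']
    print("dropped:", run_hook(hook, SAMPLE_LEASE_ENV))
```

The same function sits naturally in front of a CGI dispatcher, where request headers arrive as HTTP_* variables; in both cases the value to worry about is the one an outside party controls, not the variable name.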
Bob_Robertson

Sep 26, 2014
12:05 PM EDT
> It's fairly typical for a home network to consist of a single device that is a DSL or fiber modem

Good sir, where is it "fairly typical" to have a _fiber_ modem?

Cable, sure.
mrider

Sep 26, 2014
12:36 PM EDT
Quoting: Good sir, where is it "fairly typical" to have a _fiber_ modem?


Poor phrasing on my part. :(

What I meant was that if you are a home user and you have DSL, cable, or fiber, then most likely you have a single device that serves all the listed functions - including DHCP which is vulnerable if your bash is vulnerable.
Bob_Robertson

Sep 26, 2014
12:41 PM EDT
No worries, I just wanted to know where I should set my sights to move to!

:^)

mrider

Sep 26, 2014
1:09 PM EDT
Ha - well not where I live! I have a choice between the two most hated companies on Earth, Verizon and Comcast. The basic reason I have Verizon FIOS is because my POTS lines were put in during WWII and use lead conductors (if you can believe it). DSL is quite out of the question, despite my house being well within range of the DSLAM. DSL works during the winter when the wires are cool, but as soon as the weather gets warm, DSL is as flaky as a croissant.

[EDIT] And I should add that Verizon's "service" is at least passable, where Comcast's is the third circle of Hell.
Bob_Robertson

Sep 26, 2014
1:15 PM EDT
Well, all you need is some liquid helium, and those Pb conductors become superconducting!
cr

Sep 26, 2014
5:37 PM EDT
Verizon DSL user in the greater Boston area here.

@Bob_R: The answer is FIOS, but my folks recently transitioned away from that to Comcast because the video quality was uneven-to-bad, worse than broadcast digital (they're in their 80s and they do love their TV). Giving up a POTS line to FIOS meant their power-outage dialtone holdup dropped from three days to eight hours (not good for elderlies). Internet was good, though; one out of three is about what you expect from Verizon. I'm on (bottom-rung speed: 1184/448) Verizon DSL because it's cheap and, as we still have our copper-pair, we're not locked in and still in nominally common-carrier territory.

@mrider: how hard would it be to pull some cat-3 two-pair? In my house most of the horizontal runs are in the basement where I can get at that 'ancient' AWG22 twisted-pair and improve it myself. Our POTS enters the house in the furnace room and immediately hits a pair of RJ11 jacks I put up, with a single (ferrite-loaded, I think) inductive DSL filter between them. A run of cat3 to the DSL modem gets unfiltered access off the top jack; all the phones in the house get filtered access through the bottom jack. DSL signals never really see the POTS house wiring. The filter is one of those RJ11 inlines; if it ever burns out I've got three more in a drawer. Maybe something like that would work for you in case you need to drop back to DSL.

In any case, if your FIOS modem is an Actiontec... In checking for Shellshock vulnerabilities, I used curl to do a GET of the Verizon-provided DSL modem's entry page, and was dismayed to see my admin password in plaintext as a javascript var. No obfuscation, no encryption: they have the browser do a string-compare and choose one of two URLs on match or mismatch. When we replaced Earthlink dialup/DSL with Verizon, I kept my homebrew firewall/gateway box in series, confining their modem/wireless/router to just modem duties, and now I'm very glad I did so. I'm also thinking that their device is gonna get a hardware cloth version of a tinfoil hat so that, if somebody comes along and turns wifi on, it doesn't go anywhere. Fortunately, my gateway runs dnsmasq and refers to OpenDNS, skipping the Verizon nameservers, so they can't easily MITM us with that. I already know that giving my box a static IP in the upper corner of the modem's DHCP handout range gets the same access as if the IP was DHCP-granted; you might try that to close your DHCP hole once you've interposed your own firewall to protect your LAN.
mrider

Sep 26, 2014
6:02 PM EDT
You misunderstand - it was not the telephone wires in my house that are lead, my house was built in the '60s. It is the telephone lines on the telephone poles that are lead. I'm pretty sure I'd be arrested as a terrorist if I were to start replacing the POTS lines for the whole neighborhood. :)

[EDIT] I even tried (at Verizon's suggestion) running a dedicated telephone line from the connection point outside the house to the jack where my DSL modem plugged in. That didn't help.
hkwint

Sep 27, 2014
4:10 PM EDT
Quoting: Good sir, where is it "fairly typical" to have a _fiber_ modem?


Eindhoven.
jezuch

Sep 28, 2014
2:52 AM EDT
Quoting: Good sir, where is it "fairly typical" to have a _fiber_ modem?

Eindhoven.


I was going to say "Europe" but I decided not to speak for all of Europe. I know I'm getting fiber to my home on monday :)
Bob_Robertson

Sep 29, 2014
9:02 AM EDT
I guess it's time to make up for the whole Mintel thing. Good for Europe!
NoDough

Sep 29, 2014
1:17 PM EDT
Bob_Robertson wrote: Good sir, where is it "fairly typical" to have a _fiber_ modem?


Brings to mind the following anecdote.

I live in North Carolina in the country not far from a thriving metropolis with a population of half a million and not much farther from Research Triangle Park. The best Internet I can get is 3Mbs DSL.

My brother is a farmer in central Kansas. His house is the only residence on the square mile on which he lives. He lives 10 miles from the nearest town. It has a population of 200. He lives 40 miles from the nearest city with a population of > 10,000. He lives 100 miles from the nearest city with a population of > 100,000. He has 50Mbs x 15Mbs fiber to his house and to his barn.

Perhaps there is no good reason that fiber isn't fairly typical.
mbaehrlxer

Sep 30, 2014
9:20 PM EDT
(clicking heels three times) "there is no place like kansas!"

bob_robertson: do you mean minitel? that's only in france. internet access varies a lot in europe. smaller, richer populations like scandinavia tend to lead...

greetings, eMBee.
Bob_Robertson

Oct 01, 2014
2:03 PM EDT
Yes, MB, I know it was just France. But I'm far away from Europe, and from here it's hard to tell the difference between all those itty-bitty countries.

But not to worry, the United States of Europe is well on its way.
