Thursday, September 25, 2014

Batten down the hatches. Again.

5 months after the worst security bug in history comes what may be the worst security bug in history.  I can't blame people at Microsoft if they smirk about this, because Windows is not vulnerable but Unix/Linux/MacOS is.  And the bug turns out to be over 20 years old.


A quick note: if you are running Ubuntu (or other flavors of Debian Linux) you are not vulnerable.  Also, this is a server-side attack, and so it won't directly impact most of you.  However, Linux is embedded in a lot of devices, like your home router.  These are maybe vulnerable.  Stay tuned.

That said, this is about as bad as it gets for web servers:

Those of you who work in IT, life is fixin' to get interesting ...


Dave H said...

That's the problem with code from the "good old days." It's from before the time when net devs became professionally paranoid.

Eagle said...

Any organization that isn't using rbash for non-critical network logins, or isn't chrooting "naive user" accounts, should fire their Linux admin *now*. And *no* user should be wired into /etc/sudoers using NOPASSWD - EVER.

One other thing: Centos, Red Hat, and Fedora all run SELinux-enabled kernels, so they're pretty tightly tied down "out of the box". The judicious use of SELinux policies can keep your system locked down.

And if you're gonna use a net-facing Linux server, run fail2ban (google it).

A properly configured Linux server is d*mned hard to crack.

lelnet said...

Just a note...ubuntu is _not_ safe from this bug. Several of the servers my employer's products run on are ubuntu, and were confirmed vulnerable just this afternoon. At least, until I installed the most recent bash. But the bash that came with the stock install of any recent ubuntu _is_ harboring the bug.

Eric Wilner said...

Debian Wheezy is not vulnerable, at least not after the update that arrived this morning... Debian Squeeze, though, is vulnerable at present.
So, for those running down-rev servers (because they just run forever): be not complacent.

AnarchAngel said...
This comment has been removed by the author.
AnarchAngel said...

I started by posting a comment, but it got so long I decided to write a separate post

It's very important to remember that this vulnerability isn't limited to web servers, or even to systems providing services to the internet etc...

Many common services can be induced to invoke bash with malicious environment variables.

This is a vulnerability in a core component of many operating environments, and there are many potential attack vectors.

Eric Wilner said...

An update to my comment from yesterday: while Debian squeeze still had a vulnerable version of bash (until last night, if updating from squeeze-lts), it's come to my attention that dash, apart from having better performance, is not vulnerable, and Debian installations typically link /bin/sh to dash.
Turns out my old server (running -squeeze) did have dash configured as /bin/sh, but my workstation (running -wheezy) was using bash until a few minutes ago.
So, yet another thing to check: dpkg-reconfigure dash, and answer Yes.