Monday, September 29, 2014

Serious exploits in August and Sept 2014

These recent months have shown how the open source software model could handle (or is still handling) bugs that could be turned into an exploit of Linux servers. These are;

Shellshock (Sept 2014) - remotely take over a server.
BBC http://www.bbc.com/news/technology-29361794

Heartbleed (April 2014) - OpenSSL data could be intercepted.
BBC http://www.bbc.com/news/technology-28867113

The sheer number of Linux servers affected means that it is a serious threat and is wide spread. In Heartbleed, its patched but Shellshock is yet to have a patch to fully resolve the bug.

Interesting technical discussion on Shellshock is found at stackexchange.
https://unix.stackexchange.com/questions/157329/what-does-env-x-command-bash-do-and-why-is-it-insecure

How do you know if your shell is vulnerable? Hackernews recommends to run the following command in all the shell being used;

env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"

If you see the text output "shellshock", please find a patch.

Chris, a contributor at Buzzfeed News, provided a good material on how 2 persons maintained the OpenSSL package, Steve Marquess and Stephen Henson. The commercial entity for this is known as OpenSSL Software Foundation.

Now doesn't it make you wonder who is responsible of bash shell and is it the same package for every Linux distro?


No comments: