Shellshock is worse than heartbleed

In part because, well, the patches don’t seem to cover all the exploits. For the gory details, look at the CVE list here. Then cut and paste the local exploits.
Even with the latest patched source, built from scratch, there are active working compromises.
With heartbleed, all we had to do was nuke keys, patch/update packages, restart machines, cross fingers.
This is worse, in that the fixes … well … don’t.
Many, many years ago, I began my Unix journey on Unicos on a Cray XMP or YMP at Pittsburgh Supercomputer Center, running some code to generate MD trajectories and energies. I hated the native shell, so I pulled down tcsh and built it, and stored it in the small local space they gave researchers. It made using the CLI tolerable.
In the late 90s I switched to bash as this is what Linux used as its default, and I was working mostly on Linux by the end of that decade.
I am thinking of switching back to tcsh (though this could be vulnerable as well, albeit to different exploits).

6 thoughts on “Shellshock is worse than heartbleed”

  1. FWIW, x86_64 bash stable in Gentoo (app-shells/bash-4.2_p50) does not have any vulnerabilities. They’ve done a great job tracking this problem and I’ve almost always been able to instantly run emerge sync;emerge --update bash and any new vulnerability is patched right up on my servers. Gentoo doesn’t make me happy 24/7, but this time around I was really, really glad to be running that on all my systems.

    • @Ellis CentOS/RHEL emitted a patch. Which didn’t cover everything. So they emitted another patch. Which didn’t cover everything. Rinse, repeat. Debian issued patches. Some of which would not install. Ubuntu followed the CentOS/RHEL model.
      Now I have nervous customers, exploit test cases that indicate existing vulnerability on “patched” systems.
      Good for Gentoo on this, but check out the page I linked to. Test some of the later CVEs. It’s … unnerving … that we don’t really have the problem fully scoped/fixed yet.
      Going back to the source on this, and we’ll have to maintain this for customers until the distros can get their acts together, and the CVEs stop rolling in.

  2. Yea, I had already checked out that link. Thanks for sharing that. From my update two days back, it only failed the last exploit. The update to r50 this morning fixed that.

  3. On Debian and derived systems, /bin/sh has been non-bash (dash) for a long time. Lazy people who just write #!/bin/sh are safe there, no function exporting. Checking /etc/passwd… ugh, a few services default to using bash (gitolite, postgres). Those gotta change.
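The two checks this thread keeps circling back to, as an added example that is not code from the original post or any of its commenters: a small POSIX sh audit script that (1) asks the local bash whether it still executes text trailing an environment-exported function definition, using the widely published marker-echo test string (the marker is a harmless echo, nothing else runs), and (2) lists the accounts in a passwd-format file whose login shell is bash, plus what /bin/sh actually resolves to, which is the point of the dash comment above. The function names and the sample passwd lines are my own assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or any of its commenters.
# Two defender-side checks for the points raised in the thread:
#   1. does the bash on this host still execute text that trails an
#      environment-exported function definition (the CVE-2014-6271 shape)?
#   2. which accounts in a passwd-format file get bash as their login shell,
#      and what does /bin/sh resolve to?
# The function names are assumptions; the sample passwd lines are constructed.

# Return 0 if the named bash executes the trailing command of an exported
# function definition, 1 if it does not (patched), 2 if the binary is absent.
# The marker command is a harmless echo; nothing else is run.
bash_executes_env_trailer() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print, one per line, the login names in a passwd-format file whose login
# shell is bash (field 7 ends in /bash). Services listed here inherit bash's
# environment-import behaviour; nologin and dash accounts do not.
accounts_with_bash_shell() {
    awk -F: '$7 ~ /\/bash$/ { print $1 }' "$1"
}

# Print the basename of what a shell path really is (dash, bash, ...).
# readlink -f is GNU; where it is unavailable the unresolved path is used.
sh_implementation() {
    path="${1:-/bin/sh}"
    target=$(readlink -f "$path" 2>/dev/null) || target="$path"
    basename "$target"
}

# Constructed passwd excerpt modelled on the comment above (postgres and a
# gitolite account on bash, daemons on nologin).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:106:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
git:x:107:114::/var/lib/gitolite:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Run the passwd audit over the constructed sample and print the hits
# space-separated, so a caller can compare the result as one string.
sample_bash_accounts() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    accounts_with_bash_shell "$tmp" | tr '\n' ' '
    rm -f "$tmp"
}

# Report for the host this runs on.
printf '/bin/sh resolves to: %s\n' "$(sh_implementation /bin/sh)"
if bash_executes_env_trailer bash; then
    echo 'bash executes trailing text of exported functions: still vulnerable'
else
    echo 'bash does not execute trailing text (patched, or bash not installed)'
fi
printf 'sample accounts with bash as login shell: %s\n' "$(sample_bash_accounts)"
```

Point `accounts_with_bash_shell` at the real /etc/passwd to get the list the commenter was working through by hand; each account it names is a service whose environment is parsed by bash at startup, so it is the list to move to dash or nologin (or to keep on the patched-from-source bash the post describes) rather than a list of hosts to probe.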
