Shellshock bug a wake-up call for all Linux users, but not the end of the world.

The shellshock bug for Linux is a wake-up call for all Linux administrators and home users, but this is not the end of the world. Linux distribution developers issue patches very soon after a bug like this becomes public. There is not going to be the massive catastrophe that the media will make it out to be. I just checked my Ubuntu 14.04 installation and it was not vulnerable. Fedora 21 server alpha was, but after running yum upgrade, it was fixed.

A problem like this is begging to be exploited, but if a user is careful and patches their system regularly, this will not become a major problem. The media likes to make out that this is a massive security hole and your computer will explode if you are compromised, but this is not the case. There is an attack that uses a DHCP server. This could be a problem, but not if your system is patched and properly set up in the first place. Servers with public-facing services are the most at risk if they are not properly maintained and patched.

There is more information about this on Reddit: https://pay.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ckrbqac. This is possible using telnet. This code creates a file on a webserver using the shellshock bug. Quite an interesting exploit. This is why infosec should be taught more often. System administrators need to be more aware of how a system can be exploited and how to react when a security advisory is released detailing such a threat.

There is a simple way to check if you are vulnerable to the shellshock bug: http://www.securitronlinux.com/bejiitaswrath/check-if-you-are-vulnerable-to-the-shellshock-bug-this-is-an-easy-way-to-find-out/. This is how I tested my system. Give this a go on your Linux machines.
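
One common form of local check for CVE-2014-6271, as an added example that is not taken from this post or the linked page: it sets an environment variable holding a function definition followed by a harmless echo, starts each bash binary it finds, and reports whether the trailing echo ran. The marker string, the function names and the list of candidate paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: local check for CVE-2014-6271 (Shellshock).
# An unpatched bash runs the command that trails a function definition
# imported from an environment variable; a patched bash ignores it.

MARKER="shellshock-check-marker"   # constructed string used to spot the side effect

# check_bash PATH: prints "vulnerable", "patched" or "missing".
# Return status: 0 patched, 1 vulnerable, 2 not a usable shell.
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "missing"
        return 2
    fi
    # The probe only echoes a marker; nothing on the system is changed.
    out=$(env probe="() { :;}; echo $MARKER" "$bin" -c 'echo probe-done' 2>/dev/null) || true
    case $out in
        *"$MARKER"*)  echo "vulnerable"; return 1 ;;
        *probe-done*) echo "patched";    return 0 ;;
        *)            echo "missing";    return 2 ;;
    esac
}

# check_all: test each bash in the usual locations (assumed paths) and on $PATH.
# Returns 1 if any of them is vulnerable.
check_all() {
    status=0
    seen=""
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash "$(command -v bash 2>/dev/null || true)"; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        case " $seen " in *" $bin "*) continue ;; esac
        seen="$seen $bin"
        result=$(check_bash "$bin") || true
        echo "$bin: $result"
        if [ "$result" = "vulnerable" ]; then status=1; fi
    done
    return $status
}

check_all
```

Run it again after applying updates to confirm that every listed binary reports patched.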
