Reply to post: This is getting overblown

Bad boy builds beastly Bash bug botnet, boxen battered

Anonymous Coward
Anonymous Coward

This is getting overblown

People are conflating this with problems this does not create. The circumstances are limited. The outside world has to provide something unchecked/unvalidated content that's being stuffed into environment variables that are passed to bash to set.

This just isn't happening in very many places. When worms are created they'll find a specific instance, like some standard CGI script that is used on a lot of sites, and attack just that one thing. The SSH "issue" is a red herring since I've never seen anyone using ForceCommand except for internal-sftp which since you're running in a chroot environment has no bash available. The DHCP issue is a different one, people would be setting up rogue DHCP servers hoping to catch those using a BSD DHCP client (Macs and iPhones) if those are even vulnerable to an attack using DHCP - I don't think anyone has said they are vulnerable, only that it is possible since they use BSD DHCP client. It could only happen if you tried to connect to a DHCP server run by someone who is trying to attack BSD DHCP clients.

Beyond this, while I'm sure there are plenty of home grown things that would be vulnerable to this, home grown stuff doing THIS with a bash shell will have a ton of vulnerabilities so adding this one doesn't matter. You can't craft an automated attack against this, you have to know what is going on at the other end.

Basically, if you aren't using CGI at all, or at least are sure you aren't using it to pass untrusted data via environment variables, you don't really need to worry about outside attack at this time. Maybe more examples will be forthcoming. Not saying you shouldn't patch, but the sky isn't falling. If you have a Mac or iPhone, until it is certain that the BSD DHCP client can't be tricked into passing environment to the shell or you have patches that fix this, don't connect to random wifi hotspots.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2020