
Bash vulnerability is very serious



Winjer
26-09-14, 09:42
Bash vulnerability allows code execution, may be worse than Heartbleed bug (http://techreport.com/news/27107/bash-vulnerability-allows-code-execution-may-be-worse-than-heartbleed-bug)


The Internet is grappling with another major security vulnerability. According to the Red Hat security blog, the Bash Unix shell is vulnerable to code injection attacks (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/). Dubbed Shellshock, this flaw is severe enough that the Department of Homeland Security's Computer Emergency Readiness Team has issued an alert (https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability) advising users running Linux and OS X to patch their systems. The National Vulnerability Database rates the flaw (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271) as a 10/10 for impact and exploitability. More worryingly, perhaps, Shellshock apparently has "low" access complexity and no authentication requirements. A cybersecurity expert quoted by Reuters (http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924) claims "you can just cut and paste a line of code and get good results."
Additional details are available in this blog post (http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html) by software developer Troy Hunt—and the outlook is pretty grim. Hunt describes the bug's potential as "almost limitless" and "readily automatable." He also worries that Shellshock could be exploited by a worm that propagates quickly, before affected systems can be patched.

"About 25 years' worth of Bash versions" are affected, Hunt says, and the vulnerability extends beyond traditional computers. Even Internet of Things devices may be exploitable, since many run "embedded Linux distributions with Bash." Machines running Windows-based operating systems seem to be safe, at least.

Most ordinary users don't run Unix-based systems, but many large companies and governments do, and those are the ones left exposed.
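
For anyone checking their own boxes: a small shell self-test of the installed bash, added here as an example (it is not code from this thread or from the linked vendors, though it uses the same probe the Red Hat advisory published). It assumes bash is somewhere in PATH.

```shell
#!/bin/sh
# Self-check for Shellshock (CVE-2014-6271) on a host you administer.
# Added example, not code from the thread or the linked advisories.
#
# Bash exports functions through the environment as variables whose value
# starts with "() {". Vulnerable versions kept parsing past the closing brace
# and ran whatever followed it when a new bash started, so the trailing
# "echo vulnerable" executes on an unpatched shell and is ignored on a
# patched one (which may print a warning instead).

# Run the probe against the bash found in PATH and return its combined output.
# Returns non-zero if no bash is installed.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || return 1
    env 'x=() { :;}; echo vulnerable' bash -c 'echo probe-ran' 2>&1
}

# Turn the probe output into a status word so the result can be scripted on.
classify_output() {
    case "$1" in
        *vulnerable*) echo "VULNERABLE" ;;
        *probe-ran*)  echo "patched" ;;
        *)            echo "unknown" ;;
    esac
}

# Overall status: VULNERABLE, patched, unknown, or no-bash.
shellshock_status() {
    out=$(shellshock_probe) || { echo "no-bash"; return 0; }
    classify_output "$out"
}

shellshock_status
```

Run it again after applying the vendor fix; "patched" is the result you want, anything else means the host still needs attention.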

Dape_1904
27-09-14, 13:16
Unix isn't exploited much, because this is only a scratch on the surface of the iceberg...

Filipe
03-10-14, 11:28
QNAP Releases Qfix 1.0.1 to Patch GNU Bash Vulnerability (http://www.techpowerup.com/205929/qnap-releases-qfix-1-0-1-to-path-gnu-bash-vulnerability.html)

Redhat - Solution (https://access.redhat.com/solutions/1207723)

Ubuntu - Solution (http://www.ubuntu.com/usn/usn-2363-2/)