Question:
Should I be worried about ShellShock?
?
2014-09-25 10:23:33 UTC
I'm kind of having trouble understanding "Shellshock" completely, because of my limited knowledge of UNIX/Linux. So, the bugs are listed here:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

My understanding of it is that there seems to be some flaw in the way BASH was designed that allows hackers to manipulate the bash scripts a system is running or processing. Is that correct?

Most of the students at my school use TCSH by default when we access our school's server, but I switched my default shell to BASH so I can learn it and put it on my resume.

I don't run or have any BASH scripts, so I'm wondering, is there anything I should be worried about?

I also saw some instructions on recompiling BASH, but is that for our school's UNIX admin to worry about, and not me?

PS: I don't use OSX and I removed any Linux distros I had on my laptop a long time ago.
Four answers:
jplatt39
2014-09-25 12:21:51 UTC
Moderately worried. It looks like ShellShock targets servers. What is the old saying, you are using Linux every time you type a question into Google? M$ uses Linux servers too (yes, I'm a Microsoft hater, but that they do, and were at the height of their calling Linux a cancer, has been documented, as have the many long-standing contracts which make calling them anything worse than hypocrites for it absurd). Be worried, but there isn't much you can do beyond your own machine.
Lokesh
2014-10-05 09:04:07 UTC
Yes, you should be worried about shell shock if you are using any one of the below:

1. Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells

2. Certain DHCP clients

3. OpenSSH servers that use the ForceCommand capability

4. Various network-exposed services that use Bash



Complete article on how to fix shellshock is below:

http://www.hackingloops.com/2014/09/how-to-fix-shellshock-bash.html
Greywolf
2014-09-26 05:05:54 UTC
1. If you are not a web server, forget about it.

2. You have not said which Linux distro you are on - my Mint was already patched before the announcement, and I expect any recent release will be also.

3. If you feel like it, there is a simple test to see if you are vulnerable: http://lifehacker.com/how-to-check-if-your-mac-or-linux-machine-is-vulnerable-1639211806
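A local self-test for the two CVEs linked in the question, added here as an example; it is not part of any answer on the original page and is not taken from the linked article. The function name `check_shellshock`, the marker string and the result labels are illustrative, and only these two CVEs are tested.

```shell
#!/bin/sh
# Added example: checks a bash binary on this machine for CVE-2014-6271 and
# CVE-2014-7169. Names and result labels are illustrative assumptions.

check_shellshock() {
    bash_bin=$1
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "not-found"
        return 0
    fi
    marker="SHELLSHOCK_SELFTEST_$$"

    # CVE-2014-6271: a vulnerable bash imports the variable as a function
    # definition and also runs whatever follows the closing brace.
    out=$(env "x=() { :;}; echo $marker" "$bash_bin" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *"$marker"*) echo "vulnerable CVE-2014-6271"; return 0 ;;
    esac

    # CVE-2014-7169: a bash with only the first patch mis-parses this value and
    # turns "echo date" into "date > echo", leaving a file named "echo" behind.
    # Run inside a scratch directory so nothing else is touched.
    tmp=$(mktemp -d) || { echo "error"; return 0; }
    ( cd "$tmp" && env 'X=() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        result="vulnerable CVE-2014-7169"
    else
        result="not-vulnerable"
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Check the bash found on PATH when this file is run as a script.
check_shellshock "$(command -v bash)"
```

A "vulnerable" result means the installed bash package needs the vendor's update; changing your login shell does not fix it, because other programs on the system can still invoke bash.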
?
2014-09-25 22:29:48 UTC
The patch has already been sent out.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.