Doesn't take them long...

The question is more a case of "how many people are running something they don't know?".

I wasn't vulnerable per se as my Debian machines had /bin/sh -> dash but bash was vulnerable on them and they all face the net. My NAS has a vulnerable bash which is a bit of a pain to upgrade. But that's behind the firewall so it's safe.

Or is it? The NAS is set to not check for upgrades, yet the other day the LED was flashing saying an upgrade was available. I can't trust it any more.

Same for the router. There's no info on whether it's Linux + busybox or what. I have rapidly come to the conclusion that if I don't know what software sits between my network and the world then I am effectively powerless. I'm in the market for a new router with 802.11ac and I'm only going to consider something that can be OpenWRT'd from the start.

So from now on, if I haven't got the source to what is facing the net, it doesn't get used. And yes, that does make me nervous using my smartphone and tablet.

Reply to
mm0fmf

Hi,

And reboot all services impacted; see checkrestart for information (in the debian-goodies package).

Reply to
yamo'

It is not a shared library, it is a standalone program. Linux updates will update the file and all new instances run the updated version. Existing bash instances continue to run the old version until they exit, but in this particular case that isn't much of a problem.

Reply to
Rob

Indeed, but that makes the vulnerability seem a bit unexciting.

Reply to
Rob Morley

I think you're probably quite unusual. Few people have a dedicated IP based system on the internet at home, let alone an RPi. The vast majority of home based systems will be behind a NAT router as that's what virtually every ISP provides you with.

Even if your RPi does get broken into is there anything worth seeing on it? You'd be very silly to have your bank login details and such on it! :-)

--
Chris Green
Reply to
cl

So it upgrades itself via the NAT router, how does that make it vulnerable?

--
Chris Green
Reply to
cl

system() itself won't invoke a shell, unless you call a shell script with a system() call.

Very rare for most websites to use cgi-bin at all, and even rarer to have it do a shell script, and rarest of all for it to be a bash shell script rather than /bin/sh.

Frankly, if you just link to /bin/dash or /bin/csh or some such it's enough on older systems.

--
Everything you read in newspapers is absolutely true, except for the
rare story of which you happen to have first-hand knowledge. - Erwin Knoll
Reply to
The Natural Philosopher

This Raspberry Pi is at a colocation hoster with 2000 others. Each of them has IPv4 and IPv6 directly on the internet.

In this country bank login is done using 2-factor authentication. There is no such thing as "stored bank login details".

Still I don't want the script kiddies to have a shell on it.

Reply to
Rob

Read the fine manual page...

DESCRIPTION system() executes a command specified in command by calling /bin/sh -c command, and returns after the command has been completed. During execution of the command, SIGCHLD will be blocked, and SIGINT and SIGQUIT will be ignored.

There are lots of implementations where /bin/sh is a symlink to /bin/bash, and note that Debian gives you the option of using Dash for /bin/sh - some systems may not exercise that option for a number of reasons.

Gordon

Reply to
Gordon Henderson

You are either very brave or very foolish. I would not expose any device to the internet without placing it behind a firewall. Even when I (think I) have everything nailed down on my system there it is wise to have redundant protection so that attackers have to get through multiple layers. This is what is meant by security in depth!

--
Once you've seen one nuclear war, you've seen them all.
Reply to
alister

I have 100 or so Linux servers (physical and virtual) directly facing the Internet, and other hosting companies have thousands or millions of Linux servers directly facing the Internet.

Of course Linux is capable of running its own firewall, and my firewall is Linux based. What do I firewall the Linux based firewall with?

Gordon

Reply to
Gordon Henderson

Of course there is a firewall on the thing. I see not much point in putting another firewall in front of that. I do want to have a webserver on it, so what point is there in putting more and more firewalls in front of it when the software itself is vulnerable to attacks that a firewall won't block? (Especially when they are not known beforehand. Of course now I could set up a rule that blocks certain patterns in an http request.)

Reply to
Rob

Agreed. I am running Linux server + iptables on the net at 1 million+ hits a day and it's proved resistant to all attacks so far, and there are hundreds a day that get logged, and an unknown quantity that don't.

Iptables works and works well.

--
Everything you read in newspapers is absolutely true, except for the
rare story of which you happen to have first-hand knowledge. - Erwin Knoll
Reply to
The Natural Philosopher

NetBSD, obviously. :-)

Reply to
Rob Morley

And it would still be useful. A nefarious user might:

- use it as a spam relay
- a ssh brute force attacker
- a private webserver serving up... illicit material[*]
- a NSA sniffer

Of course, you may notice an increased load and wonder "what the hell?"

[*] which could range from kitty pr0n to wikileaks to a clearing house for (Iranians|Chinese|Cubans) opposed to their governments
--
Consulting Minister for Consultants, DNRC 
I can please only one person per day. Today is not your day. Tomorrow 
isn't looking good, either. 
I am BOFH. Resistance is futile. Your network will be assimilated.
Reply to
I R A Darth Aggie

Nah. A 3 grand Cisco...

--
Everything you read in newspapers is absolutely true, except for the
rare story of which you happen to have first-hand knowledge. - Erwin Knoll
Reply to
The Natural Philosopher

Reasonable argument, but a dedicated firewall distribution will have no unnecessary services installed so will present a lower attack profile. It would also be expected to have a better base configuration than an average user could create.

An attacker would have to break the firewall before he could start on your server. Two attacks instead of one, meaning you are more likely to spot it and protect against it before it does any damage.

In either case it is vital to actively monitor your systems (it is better to know you have a weak system & monitor it than to think you have a secure system & ignore it).

--
I am NOT paranoid they ARE all out to get me!
Reply to
alister

Your super safe dedicated firewall with lower attack profile will do *absolutely nothing* to protect the webserver from a bash attack when it is not regularly updated with pattern matching rules to detect attacks that are in the wild.

So it does not matter much if your system is behind such a firewall or not.

Reply to
Rob

Last I checked, there was one or two 802.11ac routers with OpenWRT support. Looks like there are a few more now totaling five. I'd like the router to have at least 32 MB of flash but 16 seems like the common thing now. My old OpenWRT router is using 96% of the 32 MB in it... Only one of the five has an auxiliary 256 MB flash chip.

Reply to
Anssi Saari

...and following up a few days later, I notice that the shellshock probes have vanished. Lots of the PHP vulnerability tests and so on, but no bash lines in environment variables.

There were just the first few, and it turns out that the very first were from someone doing a quick security scan. He linked to his blog in the agent string.

I don't think he found much, because he didn't even look for a shell script.

-- Pete --

Reply to
Pete
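Pete's observation above (probes carrying bash function definitions in request headers, which a CGI server hands to the handler as environment variables) suggests a simple log check. The following is an added example, not code from any poster: a Python scanner over constructed Apache combined-log lines that flags the Shellshock "() {" marker in the User-Agent, Referer or request fields and counts the source addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not real traffic).
# The first two carry the Shellshock function-definition prefix in the
# User-Agent / Referer fields, which a CGI server copies into HTTP_USER_AGENT /
# HTTP_REFERER before invoking a handler; the command part is a harmless echo.
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Sep/2014:10:11:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
192.0.2.11 - - [25/Sep/2014:10:15:03 +0000] "GET / HTTP/1.1" 200 1024 "() { :; }; echo probe" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:11:02:44 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"
'''.strip()

# Combined-log layout: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Shellshock trigger: an exported value beginning with a function definition
# "() {". Whitespace between the tokens varies between probes, so allow it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def shellshock_fields(entry):
    """Return the names of the header-derived fields that carry the marker.

    The request line is URL-decoded first so an encoded "()%20%7B" in the
    path or query string is still caught.
    """
    return [f for f in ('referer', 'agent', 'req')
            if SHELLSHOCK_RE.search(unquote(entry[f]))]

def scan(log_text):
    """Return (hits, per_ip) where hits is a list of (ip, flagged_fields)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue          # skip lines that are not combined-log format
        fields = shellshock_fields(entry)
        if fields:
            hits.append((entry['ip'], fields))
    return hits, Counter(ip for ip, _ in hits)

if __name__ == '__main__':
    for ip, fields in scan(SAMPLE_LOG)[0]:
        print(f'{ip}: marker in {", ".join(fields)}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a non-zero hit count is a reason to confirm bash is patched and that /bin/sh does not point at it.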
