Meine Blog-Liste

  • end of life - Good morning, as you may have already found out, the posts on this blog have been getting less and less. This is caused by the fact that my two honeypots h...
    vor 2 Jahren

Sonntag, 28. September 2014

This week in security Week 39

This is my review of the biggest security of last week. caused by a lot of trouble within the bash, there are only two topics this week.

Mozilla will phase out SHA-1 certificates. As reported in a blog post caused by an increasing  amount of attacks against this 20 year old standard, Mozilla will drop the support for SHA-1 certificates . CAs and server operator should renew their certificated switching to a newer standard. The timeline shows that they will accept these certificates until 2017/01/01.

A bash vulnerability was found. It was reported as CVE-2014-6271. Described in an very easy way, bash is currently vulnerable to code injections. As many services are using bash, for example the DHCP client, malicious servers might can inject code on the client server and execute it.
When recalling the news this week, it seems that nothing was as important as this fraud to the bash. So lets get a bit in more detail. Many Proof Of Concepts has been published this week, what they all have in common is that you need to have an service using the bash and this service should be available from the external network.

As taken from the bug description, here is the (first) list of possible frauds:
  • Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.
  • Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
  • Allow arbitrary commands to run on a DHCP client machine.

So, whats bad in this case: If you use bash as a cgi language in your web-service you should fix this bug. If you use servers within a data-center and your provider assigns your ip address via DHCP you should fix your systems and talk to your provider.
All in all it isn't easy to inject calls into your bash from an external network. Or at least it should not be a easy. So in all cases, updates are provided, fix your system. If unsure, maybe you are running an outdated version which will not receive any updates. Should down the service which you think is maybe influenced and test it.
The IBM intrusion detection solution is using a mechanism to avoid shell injection since 7 years.