[Owasp-leaders] ​'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock

Kevin W. Wall kevin.w.wall at gmail.com
Sat Sep 27 04:48:29 UTC 2014


On Thu, Sep 25, 2014 at 9:35 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
> Just months after Heartbleed made waves across the Internet, a new security
> flaw known as the Bash bug is threatening to compromise everything from
> major servers to connected cameras... Great discussion for the Internet of
> Things security folks.
>
> http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

In many web servers, this is not exploitable. It is if you are using
CGI with something like
Perl or PHP and maybe Ruby, so it's still a a big issue, but if you
are just a Java shop, probably
not. And if you are a Windows ASP.NET shop, obviously not an issue
from IIS (although
Cygwin's bash is vulnerable). NVD does not calculate the CVSSv2 scores using the
environmental impact (for obvious reasons as they can't know this), but at both
the company that I used to work for and where I am now employed, I would think
that it is likely very few web servers are exploitable.  The ones
where I wonder about
though are the cheapo home routers and NAS devices both which are
often built on a
stripped down Linux and frequently use Perl CGI for web interfaces.
Some printers too
are probably in this same category. All of them that are using Linux
likely have a
vulnerable version of bash and it's doubtful that most of those will
never get firmware
upgrades to fix them so they may be vulnerable to drive-by style
attacks. For the near
future, those are probably more prevalent than IoT devices.

-kevin
P.S.- And speaking of the Internet of things, I'm going on record now
to say that there
    ain't no way I'm going to allow any toaster, refrigerator, or any
other appliance of
    mine to connect to the Internet from my house. Before you know it,
the oven would be
    ordering out for pizza to get a date with a toaster and 9 months
later, there
    would be little baby toaster ovens running all around the house.


More information about the OWASP-Leaders mailing list