I've been reading up about the remote bash exploit and was wondering how severe it is and if I should be worried, especially since a new exploit has been found after the patch release.

What does this mean for me as someone who uses Debian as my main desktop OS? Is there anything I should be aware of?

asked by stanri

1 Answer

TL;DR (aka executive summary)

  • Yes, you should be worried.
  • Yes, this is severe (giving total strangers potential complete control over your files and resources).

You should definitely upgrade your desktop AS WELL AS any servers.

(https://security.stackexchange.com/questions/68156/is-connecting-to-an-open-wifi-router-with-dhcp-in-linux-susceptible-to-shellshoc)

Your DHCP client uses dhclient-script which uses shell variables passed from the server. If there's a rogue/compromised router, it may pass modified domain-name variables with the exploit.

Credits: Stéphane Chazelas, Mark, Michal Zalewski

In addition, many desktops use OpenSSH, which is definitely vulnerable as per http://seclists.org/oss-sec/2014/q3/650 (although for logged-in users - aka rogue insiders on your network). According to the original reporter of the bug, Stéphane Chazelas, the OpenSSH vulnerability is about bypassing ssh ForcedCommand settings.

Please note, however, that a full fix for the issue is not available yet (http://seclists.org/oss-sec/2014/q3/679).

See https://access.redhat.com/articles/1200223 for possible workarounds. Debian hasn't published the upgrade yet, and I haven't had the time to find a relevant discussion on their site.

(NB: Seconding a suggestion by terdon; it would be very nice if Stéphane Chazelas could write down a canonical Q&A on Shellshock.)

answered by Deer Hunter
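The answer above says to upgrade and points at the Red Hat article for workarounds; the first thing a practitioner wants after upgrading is a way to confirm the installed bash no longer imports trailing commands from environment variables. The POSIX sh function below is an added example, not code from the question or the answer: it runs the bash under test with a single crafted variable in an otherwise empty environment and reports whether the trailing marker command was executed. The variable name `x`, the marker word `vulnerable`, and the return codes are assumptions made here, not anything from the original page.

```shell
#!/bin/sh
# Added example (not from the original post): read-only self-check for the
# Shellshock bash bug. A bash that still has the bug executes the command
# placed after a function definition while importing the variable; a fixed
# bash imports only the function body (or refuses it) and prints nothing.

shellshock_check() {
    # $1: bash binary to test; defaults to the first "bash" on PATH.
    bash_name=${1:-bash}
    bash_path=$(command -v "$bash_name" 2>/dev/null) || {
        echo "no-bash"          # nothing to test on this system
        return 2
    }

    # env -i starts from an empty environment so the probe variable "x"
    # (assumed name) is the only thing the child bash can import.
    # The child's own command is a no-op; any output can only come from
    # the trailing "echo vulnerable" being executed at import time.
    out=$(env -i x='() { :;}; echo vulnerable' "$bash_path" -c 'true' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Stand-alone usage: check the default bash, then exit with its status.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "dash" ]; then
    shellshock_check "$@"
fi
```

Run it as `sh check.sh` for the bash on `PATH`, or `sh check.sh /bin/bash` for a specific binary; "patched" means the import-time command was not executed, which is the behaviour the vendor updates linked above are meant to restore. The check deliberately uses `env -i` so that nothing else in the caller's environment (DHCP hook variables, SSH-provided values) influences the result.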