Shellshock! The New Heartbleed, And What It Means For You


09-26-2014 10:15 AM #1 IanAtSTM (Member)
Shellshock! The New Heartbleed, And What It Means For You

Yes, there's a new killer bug out there. The news broke this week about a vulnerability that can leave some Linux and Mac computers - including remote servers - wide open to attack.

It goes by the catchy title of CVE-2014-6271, but seeing as that doesn't exactly roll off the tongue, it's been dubbed 'Shellshock'.


What does it do?

'Shellshock' is so called because it's a flaw in the 'shell' software - known as Bash - that many computers - including Linux servers and Macs - use so that commands can be typed in.

This 'shell' isn't only used when you're directly typing commands in. Other software makes use of it too.

In simple terms, 'Shellshock' could allow someone who's interacting with your machine in innocent-looking ways, to sneak malicious extra instructions in there.

In theory, this could allow an attacker to end-run right round your security, control your machine and access your data.


Don't Panic!

This sounds pretty bad, but we aren't doomed.

For a start, it isn't certain just how bad the vulnerability really is. In practice, it might well turn out that attackers can't do nearly as much with it as is feared.

Also, older software is much more likely to be at risk. Most Affiliate Marketing tracking software, for example, was created quite recently and is not quite as likely to be open to this. I'm not saying that there is no risk, mind you, but the risk is less.

What's more, developers have released patches to close this hole, and there are simple checks that you can run in order to check whether you're at risk.

The patches are still a work in progress at the time of writing - for example, the developers of the 'Fedora' version of Linux have outright said that they haven't got a complete solution yet - but you should probably be taking action now rather than waiting for that.


Is my machine at risk?

First up, if it's just a Windows machine, it's not going to be directly affected.

If it's a Mac, or a Linux/Unix machine, or if it's a server that runs on Linux (meaning pretty much all of them!) then it might well be.

Yes, that's right - the servers that host your tracking software and your landing pages are most likely to be under threat.

If it's Linux/Unix or Mac OS, and you have SSH root access, you can follow the simple guide in this article to check if your machine is at risk.

http://www.expertreviews.co.uk/inter...m-the-bash-bug

If you're on managed hosting, or you don't have shell access (such as some cPanel users), you may wish to contact your server hosts to ask them to check and act on this. Any decent server host should already be becoming aware of this, and should be in the process of taking action.


Do I really need to do anything at all?

Yes. Better safe than sorry. While there's doubt about how bad this actually is, there's a lot of potential for damage. So if you're not sure whether to act on this, act.


If my machine is at risk, what do I do?

There's a patch out for 'Bash', the software that's got the flaw in it. You should make sure that the patch has been applied to any servers you're running or working with.

If you've got SSH (root) access to your server, you can use the following commands to apply the latest patches to your Linux version and to Bash itself.

For Linux

Make sure that you patch your Linux and Bash installations to the latest versions.

For Debian-based versions of Linux, such as Ubuntu, the command is

sudo apt-get update && sudo apt-get install bash

For CentOS or Fedora, use

yum update
yum update bash

For Mac OS

When security updates become available, make sure that you download them immediately.


Further reading for the technically-minded

http://www.expertreviews.co.uk/inter...han-heartbleed

http://www.troyhunt.com/2014/09/ever...now-about.html

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln

http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html
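The post mentions simple checks you can run to see whether a machine is at risk. The script below is an added example, not part of the original post or the linked guide: it runs the widely published local self-test for CVE-2014-6271 against whichever bash you name (default: the first one on PATH). The function name and the output words "vulnerable", "patched" and "no-bash" are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): local self-check for the
# CVE-2014-6271 bash bug. It defines an environment variable whose value looks
# like an exported function definition followed by a trailing command, then
# starts bash. A patched bash ignores the trailing command; an unpatched bash
# executes it while importing the function from the environment.

shellshock_check() {
    # Which bash binary to test; default is whatever is first on PATH.
    bash_bin="${1:-bash}"

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi

    # The marker can only appear in the output if bash ran the trailing
    # command during environment import, i.e. if it is still vulnerable.
    marker="SHELLSHOCK_MARKER_$$"
    out=$(env x="() { :;}; echo $marker" "$bash_bin" -c ':' 2>/dev/null)

    case "$out" in
        *"$marker"*)
            echo "vulnerable"   # bash executed code from an env variable
            return 1
            ;;
        *)
            echo "patched"      # trailing command was ignored
            return 0
            ;;
    esac
}

# Stand-alone usage: report on the default bash (or the path given as $1).
# The status is discarded here so the file can also be sourced elsewhere.
shellshock_check "$@" || :
```

Run it again after `apt-get install bash` or `yum update bash` to confirm the update actually took effect, since the thread notes that CentOS packages were only partially patched at first.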


09-26-2014 10:21 AM #2 cmdeal (Veteran Member)

So anything on Windows machines and on ASP.net hosting is fine?


09-26-2014 10:30 AM #3 dario (Member)

Quote Originally Posted by cmdeal:
So anything on Windows machines and on ASP.net hosting is fine?

Exactly, this time the news is for the *nix world.


09-26-2014 10:34 AM #4 IanAtSTM (Member)

From what's known at the moment, neither of these should be affected.

The problem is specifically with 'Bash', and neither of these use Bash.


09-26-2014 10:41 AM #5 zeno (Administrator)

I edited your links - seems like '/'s were missing?

I logged into an Ubuntu and CentOS VPS, both were vulnerable. Using the native package manager and updating fixed it on Ubuntu but not yet on CentOS.


09-26-2014 12:44 PM #6 caurmen (Administrator)

Good stuff!

DO NOT ignore this vulnerability in your servers - it could completely screw your campaigns if for some reason your tracking or lander hosting is vulnerable.


09-26-2014 04:50 PM #7 Mr Baffoe (Veteran Member)

As of now CentOS seems to be only partially patched.

Def a big enough deal to keep an eye on this until you are fully patched.


09-26-2014 05:07 PM #8 dario (Member)

According to Beyond Hosting support, their servers have been patched already.


09-26-2014 06:20 PM #9 constantin (Member)

My CentOS servers are unaffected, but my MacBook Pro is vulnerable with no patch. Thanks for the heads up.
