[Commotion-dev] Commotion and Shell Shock

Ben West ben at gowasabi.net
Thu Sep 25 12:48:11 EDT 2014


This requires access to the shell interpreter (in this case bash). So, an
exploiter would already need local execution privileges on the target
machine, which it looks like is being accomplished through apache mod_cgi in
known exploits.

OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
ash/busybox binary presumably (?) wouldn't be involved.

Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
though.

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Ubuntu:
http://www.ubuntu.com/usn/usn-2362-1/

Debian:
https://lists.debian.org/debian-security-announce/2014/msg00220.html
https://lists.debian.org/debian-security-announce/2014/msg00221.html

Redhat:
https://access.redhat.com/announcements/1210053
https://access.redhat.com/articles/1200223

OS X (must recompile bash):
http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7


On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples <danstaples at opentechinstitute.org> wrote:

> The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
> There's also a lot of rhetoric about this being a bigger deal than the
> Heartbleed vulnerability. I am wondering if it's worth putting up a
> quick blog post on the Commotion website that the router firmware is
> *not* vulnerable (since OpenWRT comes with the ash shell by default
> rather than bash).
>
> Thoughts?
>
> Dan
>
> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>
> --
> Dan Staples
>
> Open Technology Institute
> https://commotionwireless.net
> OpenPGP key: http://disman.tl/pgp.asc
> Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
> _______________________________________________
> Commotion-dev mailing list
> Commotion-dev at lists.chambana.net
> https://lists.chambana.net/mailman/listinfo/commotion-dev
>



-- 
Ben West
http://gowasabi.net
ben at gowasabi.net
314-246-9434
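The two questions raised in this thread (is /bin/sh on the box actually bash, and has the installed bash been patched for CVE-2014-6271) can both be answered with a local self-check. The script below is an added example and is not part of the original message or of Commotion/OpenWrt; it uses the standard post-patch verification published in the vendor advisories (export a crafted environment variable and see whether the interpreter runs the trailing command while importing it). The function names and the `patched`/`vulnerable`/`missing` status strings are this example's own.

```shell
#!/bin/sh
# Added example: local Shellshock (CVE-2014-6271) self-check.
# Runs under ash/busybox or dash as well as bash, since the point on
# OpenWrt-based firmware is that /bin/sh is usually not bash at all.

# Report which implementation /bin/sh resolves to (bash, busybox, ash, dash, ...).
sh_implementation() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    base=$(basename "$target")
    case "$base" in
        bash|busybox|ash|dash) echo "$base" ;;
        *) echo "other:$base" ;;
    esac
}

# Check one interpreter. Prints one of:
#   missing    - interpreter not installed (exit 2)
#   vulnerable - it executed the command appended to the function
#                definition while importing it from the environment (exit 1)
#   patched    - it ignored the trailing command (exit 0)
shellshock_status() {
    interp="$1"
    if ! command -v "$interp" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # A fixed bash either refuses to import the definition or stops parsing
    # after the function body; only a broken one echoes "vulnerable".
    out=$(env x='() { :;}; echo vulnerable' "$interp" -c 'echo done' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *) echo patched; return 0 ;;
    esac
}

# Summarise the host: what /bin/sh is, and the state of bash if present.
# Exit status is 1 if any checked interpreter is vulnerable, else 0.
report_host() {
    rc=0
    echo "/bin/sh is: $(sh_implementation)"
    for shell in bash sh; do
        status=$(shellshock_status "$shell")
        echo "$shell: $status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Run the report when executed directly (not when sourced by a test).
case "$0" in
    *shellshock*|*check*) report_host ;;
esac
```

`sh` is checked alongside `bash` because on many systems `/bin/sh` is a symlink, and a CGI handler that spawns `sh` only reaches bash when that link points there; on OpenWrt it points at busybox, which is why the ash-based firmware is out of scope for this bug. Re-run the script after applying the vendor updates linked above to confirm the `patched` result.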

