If you are running just about any Unix or Linux variant (including Apple Mac), or embeded device that uses bash and/or a web-server with CGI that can call bash.
How do you protect yourself?
1. If possible disable any remote system access from the Internet, or non-secure internal network.
2. Try to replace scripts that use bash to use another shell
There are some FREE Linux automated scanning tools that can help you see if you are vulnerable:
http://www.trendmicro.com/us/security/shellshock-bash-bug-exploit/bash-lite-tools/index.html
Free online scanners:
https://filippo.io/Heartbleed/
https://lastpass.com/heartbleed/
https://sslanalyzer.comodoca.com/heartbleed.html
https://pentest-tools.com/vulnerability-scanning/openssl-heartbleed-scanner
https://www.ssllabs.com/ssltest/
The way to test for yourself is:
Vulnerable
# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
Safe
[root@XXXXXX ~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
No comments:
Post a Comment