[GRLUG] CVE-2014-6271

Adam Tauno Williams awilliam at whitemice.org
Thu Sep 25 08:16:53 EDT 2014


On Wed, 2014-09-24 at 15:08 -0400, Mark Farver wrote:
> I think it is a stretch to label this remotely exploitable. 

Ditto.  This is a theoretical exploit of a system that has issues.

On the other hand updating bash should be pretty non-invasive.

> If an attacker has remote control of environment variables you have
> bigger problems.

Especially if the attacker has SSH access to the box!

FYI:
  1. The default setting in modern SSH versions is 
"PermitUserEnvironment no"
  2. The default value of "AcceptEnv" is empty set.
  3. There has been a warning about pushing environment variables via
SSH since I can remember.

Shell scripts via CGI on the other hand.... just pretty bad idea all
around IMNSHO.

-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA



More information about the grlug mailing list