[GRLUG] CVE-2014-6271

Adam Tauno Williams awilliam at whitemice.org
Thu Sep 25 08:16:53 EDT 2014

On Wed, 2014-09-24 at 15:08 -0400, Mark Farver wrote:
> I think it is a stretch to label this remotely exploitable. 

Ditto.  This is a theoretical exploit of a system that has issues.

On the other hand updating bash should be pretty non-invasive.

> If an attacker has remote control of environment variables you have
> bigger problems.

Especially if the attacker has SSH access to the box!

  1. The default setting in modern SSH versions is 
"PermitUserEnvironment no"
  2. The default value of "AcceptEnv" is empty set.
  3. There has been a warning about pushing environment variables via
SSH since I can remember.

Shell scripts via CGI on the other hand.... just pretty bad idea all
around IMNSHO.

Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA

More information about the grlug mailing list