Given the mod_cgi effects, especially for Nagios and other servers, I'd urge caution and stage environment testing before mass deployment.
Nico Kadel-Garcia Email: nkadel@gmail.com Sent from iPhone
On Wed, Sep 24, 2014 at 4:50 PM, Nico Kadel-Garcia nkadel@gmail.com wrote:
Given the mod_cgi effects, especially for Nagios and other servers, I'd urge caution and stage environment testing before mass deployment.
What is likely to break? And what things are likely to allow the attack? That is, besides ssh command restrictions, where can you set arbitrary env variables where you wouldn't have had access to execute a shell command directly.
On Thu, Sep 25, 2014 at 11:51 AM, Les Mikesell lesmikesell@gmail.com wrote:
On Wed, Sep 24, 2014 at 4:50 PM, Nico Kadel-Garcia nkadel@gmail.com wrote:
Given the mod_cgi effects, especially for Nagios and other servers, I'd urge caution and stage environment testing before mass deployment.
What is likely to break? And what things are likely to allow the attack? That is, besides ssh command restrictions, where can you set arbitrary env variables where you wouldn't have had access to execute a shell command directly.
It's very difficult to predict what will break in some weird flipping environments. The canonical cartoon about this is http://xkcd.com/1172/ . As I mentioned, Nagios and its use of 'mod_cgi' may be at risk.
Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there I'd urge a check.
On 09/25/2014 08:41 PM, Nico Kadel-Garcia wrote:
Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there I'd urge a check.
no shell out happens at git.centos.org
gitweb however, is exposed. As is anything that does a system() call.
On Fri, Sep 26, 2014 at 8:34 AM, Karanbir Singh mail-lists@karan.org wrote:
On 09/25/2014 08:41 PM, Nico Kadel-Garcia wrote:
Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there I'd urge a check.
no shell out happens at git.centos.org
gitweb however, is exposed. As is anything that does a system() call.
Looks like a 2nd bash update was released today along with some nss-* packages. Is it necessary to do the nss-* update for this security issue?
On 09/26/2014 01:04 PM, Les Mikesell wrote:
On Fri, Sep 26, 2014 at 8:34 AM, Karanbir Singh mail-lists@karan.org wrote:
On 09/25/2014 08:41 PM, Nico Kadel-Garcia wrote:
Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there I'd urge a check.
no shell out happens at git.centos.org
gitweb however, is exposed. As is anything that does a system() call.
Looks like a 2nd bash update was released today along with some nss-* packages. Is it necessary to do the nss-* update for this security issue?
No, the nss is a different issue, but it is also rated as an 'Important' security update.
On Fri, Sep 26, 2014 at 9:34 AM, Karanbir Singh mail-lists@karan.org wrote:
On 09/25/2014 08:41 PM, Nico Kadel-Garcia wrote:
Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there I'd urge a check.
no shell out happens at git.centos.org
gitweb however, is exposed. As is anything that does a system() call.
Cool. I'm curious how you do it, but would understand not wanting to discuss that kind of security detail on a public mailing list.
Thinking further about it, if the web side uses something like Apache's 'mod_cgi', there are some separate risks there as well. I'd hope there's no inappropriate write access for the 'httpd' user, even if you're vulnerable. (I mention that for folks not as familiar with escalation attacks.)
On 09/26/2014 09:12 PM, Nico Kadel-Garcia wrote:
On Fri, Sep 26, 2014 at 9:34 AM, Karanbir Singh mail-lists@karan.org wrote:
On 09/25/2014 08:41 PM, Nico Kadel-Garcia wrote:
Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there I'd urge a check.
no shell out happens at git.centos.org
gitweb however, is exposed. As is anything that does a system() call.
Cool. I'm curious how you do it, but would understand not wanting to discuss that kind of security detail on a public mailing list.
Thinking further about it, if the web side uses something like Apache's 'mod_cgi', there are some separate risks there as well. I'd hope there's no inappropriate write access for the 'httpd' user, even if you're vulnerable. (I mention that for folks not as familiar with escalation attacks.)
http://i.imgur.com/1NCi07n.jpg
-
Jim Perrin -
Johnny Hughes -
Karanbir Singh -
Les Mikesell -
Nico Kadel-Garcia