Shellshock resolution - is patching alone enough?
I was researching a mess that a user left on a box and searching for (deleted) files with lsof (I'm sure many of you know what I am talking about ;-) ).
Anyhow... I discovered the following in my output:
PROCESS.s 13039 jboss txt REG 253,1 903336 1180605 /bin/bash (deleted)
Which I believe is due to the fact that the process was started, then bash was updated (replaced) leaving that orphaned file and remaining resident in memory.
Does anyone know if the compromise vector only applies when a new bash process is spawned? Or is it also an issue with the parents?
Thoughts?
Responses
Rebooting and/or restarting services isn't a bad thing, in general. In the specific case of bash & shellshock, the issue is that a newly started shell may execute unwanted code supplied by environment variables passed to it. A shell which is already running has either done that, based on malicious environment variables, or not. Assuming not, there is no security reason to restart it.
The primary Red Hat risks are DHCP clients of malicious servers (think hotel or coffee shop with rogue wifi access points) and CGI scripts called from web servers. The script doesn't have to be written in bash per se, it just has to call system() or popen() or anything else which will launch a bash shell. But after patching bash, it is not necessary to either restart the web server, or anything else.
-- Jim Leinweber, WI State Lab of Hygiene
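The two checks behind this thread, as an added example (not code from the original post or from Red Hat): first, finding processes that still have a replaced /bin/bash mapped, either from saved lsof output (the "(deleted)" marker on the txt entry) or directly from /proc/PID/exe; second, probing the bash now on disk with the classic CVE-2014-6271 environment-function test, which is what any newly spawned shell will run. The lsof sample is constructed to mirror the line in the question; the process name "java" and the extra rows are made up. The probe says nothing about shells that are already running, which is exactly the responder's point: those either imported a malicious environment at startup or they did not.

```sh
#!/bin/sh
# Constructed sample of `lsof -n` output (not a real capture); modelled on the
# question's line. Field order: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 13039 jboss txt REG 253,1 903336 1180605 /bin/bash (deleted)
httpd 2201 apache txt REG 253,1 312288 1180606 /usr/sbin/httpd
sshd 1100 root txt REG 253,1 903336 1180607 /bin/bash'

# stale_bash_pids: read lsof output on stdin, print the PID of every process whose
# executable text segment (FD "txt") is a bash binary that has since been replaced.
# A live run is simply:  lsof -n 2>/dev/null | stale_bash_pids
stale_bash_pids() {
    awk '$4 == "txt" && ($9 == "/bin/bash" || $9 == "/usr/bin/bash") \
         && $10 == "(deleted)" { print $2 }'
}

# deleted_bash_procs: same question answered without lsof. The kernel appends
# " (deleted)" to the /proc/PID/exe link target when the binary that was exec'd has
# been unlinked or replaced. Linux-only (needs /proc); prints one PID per line.
deleted_bash_procs() {
    for p in /proc/[0-9]*; do
        exe="$(readlink "$p/exe" 2>/dev/null)" || continue
        case "$exe" in
            "/bin/bash (deleted)"|"/usr/bin/bash (deleted)") echo "${p#/proc/}" ;;
        esac
    done
}

# shellshock_status: probe the bash binary on disk (default: whatever "bash" resolves
# to) with the CVE-2014-6271 pattern: an exported variable whose value looks like a
# function definition followed by extra commands. An unpatched bash executes the
# trailing "echo VULNERABLE" while importing the environment; a patched bash treats
# x as an ordinary variable and only prints "probe".
shellshock_status() {
    sh_bin="${1:-bash}"
    out="$(env x='() { :;}; echo VULNERABLE' "$sh_bin" -c 'echo probe' 2>/dev/null || true)"
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# Demo on the constructed sample: prints "13039", the PID from the question.
printf '%s\n' "$SAMPLE_LSOF" | stale_bash_pids
```

Reading the output together: a PID from stale_bash_pids or deleted_bash_procs means that process still runs the pre-patch code in memory, while "not vulnerable" from shellshock_status means every shell spawned from now on (CGI via system()/popen(), DHCP client hooks, cron jobs) gets the fixed binary. The two results do not contradict each other; the first is about processes already started, the second about processes yet to start.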
