Shellshock resolution - is patching alone enough?

Latest response

I was researching a mess that a user left on a box and searching for (deleted) files with lsof (I'm sure many of you know what I am talking about ;-)

Anyhow.. I discovered the following in my output

PROCESS.s 13039       jboss  txt       REG              253,1     903336    1180605 /bin/bash (deleted)

Which I believe is due to the fact that the process was started, then bash was updated (replaced) leaving that orphaned file and remaining resident in memory.

Does anyone know if the comprimise vector only applies to when a new bash process is spawned? Or is it also an issue with the parents?

Thoughts?

Responses

Rebooting and/or restarting services isn't a bad thing, in general. In the specific case of bash & shellshock, the issue is that a newly started shell may execute unwanted code supplied by environment variables passed to it. A shell which is already running has either done that, based on malicious environment variables, or not. Assuming not, there is no security reason to restart it.

The primary redhat risks are DHCP clients of malicious servers (think hotel or coffee shop with rogue wifi access points) and CGI scripts called from web servers. The script doesn't have to be written in bash per se, it just has to call system() or popen() or anything else which will launch a bash shell. But after patching bash, it is not necessary to either restart the web server, or anything else.

-- Jim Leinweber, WI State Lab of Hygiene

For an "official" statement on the matter, you can check this page:

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)
  https://access.redhat.com/articles/1200223