The shellshock bug: the known unknowns make make me worry!
Sometimes you have a gut feeling. And sometimes you should trust this feeling. I personally believe that this shellshock bug is far more serious than Heartbleed. I say that for a number of reasons. When I first looked at the CVE database entry (cve-2014-6271) I saw that NIST had assigned it a score from 10 out of 10 that is pretty much as serious as it can get but was disclosing only little information that mentions some possible attack vectors such as the OpenSSH sshd and mod_cgi plus some mention of “unspecified DHCP clients” that is not quite understandable to me. Do I need to read this as “caution, although we mention mod_cgi” because it is present on half of the unix systems installed on this planet possible attack vectors could even include the DHCP deamon and a whole lot of stuff that we do not know (yet)”? Well, this is a known unknown to me. And whenever I have not enough information to make a fully qualified judgment this makes me suspicious and calls for some serious action.
OK, down to the facts. What are the known knowns? My colleague Erik Heidt did a deep dive and fiddled around with the bug in his lab. Erik found a few important points ( –until we know more, these are all preliminary by the way) to consider:
To learn more and to read the entire article at its source, please refer to the following page, The shellshock bug: the known unknowns make make me worry!- Gartner