Innanzitutto, Shellshock è una famiglia di vulnerabilità non solo una ( CVE-2014-6271. CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, e CVE-2014-718 )
-it influenza i sistemi Unix e Unix.
Da Semantica
The vulnerability affects Bash, a common component known as a shell
that appears in many versions of Linux and Unix. Bash acts as a
command language interpreter. In other words, it allows the user to
type commands into a simple text-based window, which the operating
system will then run.
Bash can also be used to run commands passed to it by applications and
it is this feature that the vulnerability affects
1) se stai utilizzando la versione vulnerabile di bash (componente del sistema operativo che prende i comandi da te e passa al kernel e restituisce l'output) Allora sì, sei vulnerabile
2) potrebbe consentire a un utente malintenzionato di ottenere il controllo su un computer mirato se sfruttato con successo.
3)
Shellshock could potentially compromise millions of unpatched servers
and other systems. Accordingly, it has been compared to the Heartbleed
bug in its severity
The Shellshock problem is an example of an arbitrary code execution
(ACE) vulnerability. Typically, ACE vulnerability attacks are executed
on programs that are running, and require a highly sophisticated
understanding of the internals of code execution, memory layout, and
assembly language—in short, this type of attack requires an expert.
Attacker will also use an ACE vulnerability to upload or run a program
that gives them a simple way of controlling the targeted machine. This
is often achieved by running a "shell". A shell is a command-line
where commands can be entered and executed.
4)
The vulnerability lies in the fact that an attacker can tack-on
malicious code to the environment variable, which will run once the
variable is received.
Più letti:
link
link
link
link