I just tried some older virtual routers, and they are:
root@r-163-VM:~# env x='() { :;}; echo OOPS' bash -c /usr/bin/true
OOPS
bash: /usr/bin/true: No such file or directory
That said, you can only ssh to them from the local hypervisor. Not sure if
there’s any exposure on the http side.
Running apt-get update && apt-get install bash patches the bash vuln.
I’ll put together a formal statement.
On Sep 26, 2014, at 6:55 AM, Ian Duffy <[email protected]> wrote:
Tried this against the latest system vms built on Jenkins.
Didn't get a successful exploited response. Tested against
http://systemvm-public-ip/cgi-bin/ipcalc
On 25 Sep 2014 16:56, "Abhinandan Prateek" <[email protected]> wrote:
After heart bleed we are Shell shocked
http://www.bbc.com/news/technology-29361794 !
It may not affect CloudStack directly as it is a vulnerability that
affects bash, and allows the attacker to take control of the system running
bash shell.
-abhi
Stratosec - Secure Finance and Healthcare Clouds
http://stratosec.co
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>
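
Added example, not part of the original thread or of CloudStack: a host-side version of the check run above, plus a triage pass over web access logs for the question of HTTP-side exposure. It goes slightly beyond the thread by covering log review; the log format, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Host check and log triage for the bash function-import bug discussed above.

# Print "vulnerable", "patched" or "missing" for the bash binary at $1.
# The ':' builtin is used as the command so the result does not depend on
# /usr/bin/true existing (it did not on the router tested in the thread).
shellshock_status() {
    bin=$1
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # A vulnerable bash runs the trailing command while importing x.
    out=$(env x='() { :;}; echo OOPS' "$bin" -c : 2>/dev/null) || true
    case $out in
        *OOPS*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# Constructed sample access-log lines (hypothetical format and addresses).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:06:40:01 +0000] "GET /cgi-bin/ipcalc HTTP/1.1" 200 312 "-" "curl/7.35.0"
192.0.2.44 - - [26/Sep/2014:06:41:17 +0000] "GET /cgi-bin/ipcalc HTTP/1.1" 200 312 "-" "() { :;}; echo OOPS"
192.0.2.10 - - [26/Sep/2014:06:42:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2014:06:43:02 +0000] "GET /cgi-bin/ipcalc HTTP/1.1" 500 0 "() { test;}; echo OOPS" "-"
EOF
}

# Read log lines on stdin; for every line where any logged field carries the
# "() {" function-definition marker, print the source address and request path.
flag_funcdef_requests() {
    grep -F '() {' | awk '{ print $1, $7 }'
}

# Stand-alone run: report on the local bash, then triage the sample log.
shellshock_status "$(command -v bash || true)"
sample_log | flag_funcdef_requests
```

Run the status check again after apt-get update && apt-get install bash to confirm the package upgrade took effect on the VM.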