> On Sep 29, 2014, at 9:23 AM, dan (ddp) <[email protected]> wrote:
>
>> On Fri, Sep 26, 2014 at 8:44 AM, cgzones <[email protected]> wrote:
>> And OSSEC uses bash to invoke diff for the syscheck option report_changes
>> (in syscheck as root). I did not investigate right now how severe this is.
>
> Does it use bash or /bin/sh?
It calls system and the OS picks the shell. But the important bit is: can an
environment variable be set by untrusted users? If so, this can be used to exploit
something. I have been reviewing the code for anything that allows ossec to setenv
or getenv, and right now we only use that in commands used by root, so no issue
there.
One area we need to look at closely is authd and agentlessd.
>
>>> On 26 Sep 2014 13:12, "Chard" <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I'm guessing that you have all heard on the news recently about the
>>> security hole in Unix/Linux `Bash`.
>>>
>>> http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/
>>>
>>> I don't think that this is the case, but does OSSEC use Bash shell
>>> commands via web HTTP or a Common-Gateway Interface (CGI), which could leave
>>> it vulnerable to attacks?
>>>
>>> Thanks.
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
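The concern raised in the thread, that system() hands the command to whatever shell the OS picks along with the caller's environment, can be addressed by auditing the environment and by spawning helpers such as diff without a shell. The following is an added example, not OSSEC code and not from the original posts; the function names, the fixed PATH and LC_ALL values are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* 1 if "NAME=value" carries a value starting with "() {", the form bash
 * uses for exported function definitions. */
int looks_like_function_export(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq != NULL && strncmp(eq + 1, "() {", 4) == 0;
}

/* Count such entries in a NULL-terminated environment array. */
int count_function_exports(char *const envp[])
{
    int n = 0;
    for (; envp != NULL && *envp != NULL; envp++)
        n += looks_like_function_export(*envp);
    return n;
}

/* Run argv[0] directly with a fixed, minimal environment: no shell is
 * started and nothing is inherited from the caller's environment.
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
int run_without_shell(char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Audit this process's own environment before it spawns anything. */
    printf("function-style values in environment: %d\n",
           count_function_exports(environ));
    return 0;
}
```

Because execve() is given an absolute path and an argument vector, file names passed to the helper are never parsed by a shell, which also removes the quoting problems that come with building a command string for system().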