Shellshock: the hyperbole and reality

There has been a lot in the media about the Shellshock vulnerability, which has its roots in the bash command-line tool on Linux and Unix environments. For hackers, coders and system administrators there are issues that should be checked out.

However, whenever I see security horror shows like the ones we have seen recently, I am reminded that many of these are dangerous for the unsophisticated, lazy and stupid. Unsophisticated users may create websites with many security issues and not know what to avoid. The lazy are those professionals who don’t take proper steps when setting up systems and machines. The stupid I reserve for the arrogant who fail to secure systems.

In looking at this issue, there is much hyperbole, such as in this article and this self-serving one. Symantec wants to sell software. This is not going to lay waste to the internet.

A few facts. For most Mac users, shell scripting using bash is not enabled, and Apple added security on top of its Unix. Small home routers generally use smaller-scale implementations of Linux, using BusyBox, largely for performance reasons. Windows computers are not a problem, at least for this issue. Most large systems are likely sitting behind firewalls, and many Linux and Unix systems can’t be accessed from the outside. The vulnerability is predominantly related to systems that lie outside of firewalls and webserver software. Even commodity webhosting platforms like cPanel/WHM have auto-update running and update software without human intervention.

Here is a list of security tips that can help.

  1. Disable CGI on Apache or remove ExecCGI from vhosts.
  2. If you run PHP on Apache, enable suPHP to tighten security.
  3. Disable shell access for accounts that webservers run under, particularly apache.
  4. Use a more modern Apache, or nginx, and run whatever you can under FastCGI, which is more secure.
  5. Enable security plugins like mod_security on Apache, and the Suhosin module; however, Suhosin can be overkill for some users, remove it with care.
  6. Remove CGI scripts or, if they are absolutely necessary, secure them.
  7. Do not run applications like Bugzilla on mod_cgi unless they are not accessible beyond the firewall.
  8. Remove bash as the default shell on system accounts.
  9. Update bash.
  10. Disable and remove vulnerable software outside of the firewall.
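
A read-only way to check tips 1, 3 and 8 on a host, as an added example that is not part of the original post. The function names, the list of web server account names, the UID cut-off of 1000 and the sample files are assumptions made for illustration.

```shell
# Added example (not from the original post): read-only audit helpers for tips 1, 3 and 8.
# Account names and the UID cut-off of 1000 are assumptions; adjust per distribution.

# Tip 8: accounts with UID below $2 (default 1000) whose login shell is bash.
bash_system_accounts() {
    awk -F: -v min="${2:-1000}" '
        /^#/ || NF < 7 { next }
        $3 + 0 < min && $7 ~ /(^|\/)bash$/ { print $1 }
    ' "${1:-/etc/passwd}"
}

# Tip 3: web server accounts that still have a usable login shell.
web_accounts_with_shell() {
    awk -F: '
        $1 ~ /^(apache|www-data|httpd|nginx)$/ && $7 !~ /(nologin|false)$/ { print $1 }
    ' "${1:-/etc/passwd}"
}

# Tip 1: uncommented directives that enable CGI in the given Apache config files.
cgi_directives() {
    awk '
        /^[ \t]*#/ { next }
        { line = tolower($0) }
        line ~ /(^|[ \t])[+]?execcgi([ \t]|$)/ || tolower($1) == "scriptalias" ||
        (tolower($1) == "addhandler" && tolower($2) == "cgi-script") {
            print FILENAME ":" FNR ": " $0
        }
    ' "$@"
}

# Write constructed sample files into directory $1 so the checks can be tried offline.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/vhost.conf" <<'EOF'
<VirtualHost *:80>
    Options -ExecCGI
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    # Options +ExecCGI
    <Directory /var/www/app>
        Options -Indexes +ExecCGI
    </Directory>
</VirtualHost>
EOF
}
```

To try it, source the file, run `write_samples` against a scratch directory and pass the generated `passwd` and `vhost.conf` to the three checks; on a real host, call them with `/etc/passwd` and the Apache vhost files instead. The root account is reported by `bash_system_accounts` as well, so decide per host whether that is acceptable.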