As most of our visitors are already aware, this week saw the disclosure of a very serious security flaw in the “Bourne-again Shell,” bash. (See: CVE-2014-6271, and CVE-2014-7169.)
The flaw allows remote execution of arbitrary commands by the shell if an attacker can cause data to be passed to the shell as the value of a shell environment variable.
Despite reports to the contrary saying that a 2011 change (CVE-2011-0997) to dhclient prevents exploitation of this flaw, ISC has confirmed that the DHCP client provided as a part of ISC DHCP can be used to exploit the bash vulnerability if the operator of a rogue DHCP server passes a specially constructed value as the payload of a DHCP option field.
For this and many other reasons, all users running a vulnerable version of bash are advised to update to a secured version as quickly as possible.
Postscript: Readers will naturally want to know whether other ISC products can be used to exploit this condition. We know of no vulnerability in the ISC DHCP server or in BIND 9 that can be used as a vector to exploit the bash flaw. We nevertheless strongly recommend that the best course of action is to upgrade to a secure version of bash due to the seriousness of this flaw.
What's New from ISC
Update posted June 27th, 2024 This was not the fraud we thought it was We have learned that emails we originally identified as abuse were sent by an external contractor engaged by ISC to conduct a focussed and short-term lead generation campaign.
Read post
ISC’s software engineering team is thrilled to announce the release of Kea 2.
Read post