Skip to main content

Bug in Bash shell creates big security hole on anything with *nix in it


The Bash vulnerability, now dubbed by some as "Shellshock," has been reportedly found in use by an active exploit against Web servers. Additionally, the initial patch for the vulnerability was incomplete and still allows for attacks to succeed, according to a new CERT alert. See Ars' latest report for further details, our initial report is below.

A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian

A test on Mac OS X 10.9.4 ("Mavericks") by Ars showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to "command line tools."

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server. And a malicious DHCP server set up on a network or running as part of an “evil” wireless access point could execute code on some Linux systems using the Dynamic Host Configuration Protocol client (dhclient) when they connect.

There are other services that run on Linux and Unix systems, such as the CUPS printing system, that are similarly dependent on Bash that could be vulnerable.

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.

Popular posts from this blog

Samsung Galaxy S5 Review and Giveaway

Few smartphones are as aggressively marketed as Samsung’s Galaxy S5. The S5 can no longer be considered brand-new — but it  is  Samsung’s flagship, at least for the next few months. With a gorgeous screen, a capable camera, a waterproof build, and a user-replaceable battery, the Galaxy S5 has a lot to offer… at least on paper. Let’s find out how good it really is. What Makes This Review Different There are about a million Galaxy S5 reviews out there. Why should you read this one? Two keys points make our review different: We bought our own device . Unlike many tech blogs, we don’t use a review unit Samsung gave us. We went out to the store and bought one, just like you would. This means everything you read here is truly impartial – we owe Samsung nothing. We used it for more than a month . Some sites rush to be the first to publish a review on a new device. That’s not how we do things. I used the Galaxy S5 as my main (and only) Android phone for nearly two months,...

ASUS VivoBook X202E Windows 8 Touchscreen Laptop Review And Giveaway

It wasn’t very long ago when prices of touchscreen Windows 8 laptops soared beyond $1000. Thankfully, those days are behind us, and portable computers can easily be purchased – touchscreen and all – for under $500. That’s precisely the demographic in which the ASUS VivoBook X202E falls. When compared to a high-end laptop, its specifications might seem modest, but for laptop buyers just looking for a way to browse the web, watch videos, use basic apps, and not spend too much money, something in this budget is perfectly suitable. The question is, of course, how does the ASUS VivoBook X202E compare to others on the market, and is it the one which you should be spending your hard-earned money on? Well, you’re just going to have to keep reading to find out. Best of all, we are giving away an ASUS VivoBook X202E to one lucky winner. Keep reading for your chance to take home this Windows 8 touchscreen laptop! Introducing the ASUS VivoBook X202E Laptop The ASUS VivoBook X202...

Samsung Galaxy Note 3 N9000 Review and Giveaway

When it comes to massive phones, nothing is more iconic than the Samsung Galaxy Note. It has gained popularity not only due to its size, but its additional features such as a stylus and a larger battery make it a more useful phone. Samsung released the third generation of the Galaxy Note in October, updating the phablet with a larger screen and improved hardware. Read through our review, then join the giveaway to win the  Samsung Galaxy Note 3 ! Competitors Of course, other Android competitors haven’t let the $640  Galaxy Note 3  be the only player in the phablet market. There are others such as the  Sony Xperia Z Ultra , the Samsung Galaxy Mega , and the other more common phones that are reaching 5″ screens such as the  Samsung Galaxy S4 , the  HTC One , and the  Nexus 5 . Unlike the normal-sized top contenders, the Galaxy Note 3 has a bigger screen and larger battery. It also offers specific features (surrounding the S Pen stylus) th...