Bug present for more than 20 years, patching is urgent

Sep 25, 2014 09:22 GMT  ·  By

On Wednesday, a security flaw in the GNU Bourne Again Shell (Bash) command interpreter used in many Linux and Unix systems was disclosed, and given its ubiquity, it could turn out to be as thorny a problem as Heartbleed.

Discovered by Stéphane Chazelas, the bug has been dubbed Shellshock and affects Bash versions 1.14 through 4.3. It went unnoticed for more than two decades, and because Bash is the default shell on many Linux systems as well as Mac OS X, its severity is easy to understand.

Shellshock poses the risk of remote code execution: when Bash imports a function definition from an environment variable, it also executes any commands placed after the function body in that variable's value, which opens the door to code injection. Every product that runs a vulnerable Bash with environment variables derived from untrusted input is affected.

Applications invoke the shell in many ways, one of them being indirectly, when they launch another program through it; and in many cases it runs in the background for routine tasks (executing commands, parsing scripts, handling remote connections), so the exposure is not always obvious.

Patching is a thorny problem

Because it is open source, Linux runs on a large number of products, from web servers running Apache to home devices such as routers and cameras; and with the Bash bug around for so long, the faulty code has shipped in a great many products, which are now at risk of being hijacked.

“Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world,” says security expert Robert Graham.

According to the vulnerability details (CVE-2014-6271), OpenSSH and some DHCP clients are affected on systems running Bash. However, the main attack vector is HTTP requests to CGI scripts, which are used to generate dynamic content for web pages and web apps: the web server copies request headers into environment variables before running the script, so a crafted header reaches Bash unchanged.
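To make the CGI vector concrete, the following is an added example (not code from the article or from any of the projects it names): it reproduces the header-to-environment mapping a CGI gateway performs, runs a tiny Bash "CGI script" with one client-controlled header exported, and applies a grep-based check for the Shellshock trigger to constructed header values and access-log lines. The function names (cgi_var_name, run_cgi_like_gateway, is_shellshock_payload, count_shellshock_hits) are this example's own, and the sample request header and log lines are constructed, not captured traffic.

```sh
#!/bin/sh
# Added example, not code from the article: how a CGI gateway turns request
# headers into environment variables for a Bash CGI script, plus a grep-based
# check for the Shellshock trigger in header values and access-log lines.
# Sample header values and log lines below are constructed, not captured.

# RFC 3875 mapping: "User-Agent" -> HTTP_USER_AGENT (uppercase, '-' to '_',
# HTTP_ prefix). Content-Type and Content-Length are the two headers the
# spec maps without the prefix. Every client-supplied header therefore lands
# in the environment of the script, and of any shell the script spawns.
cgi_var_name() {
    case "$1" in
        [Cc]ontent-[Tt]ype)   echo CONTENT_TYPE ;;
        [Cc]ontent-[Ll]ength) echo CONTENT_LENGTH ;;
        *) printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')" ;;
    esac
}

# Simulated gateway: export one header under its CGI name and start a tiny
# Bash "CGI script" that prints that variable back. On an unpatched Bash the
# commands after the function body in the header value run before the
# script's first line; on a patched Bash the value is an ordinary string.
run_cgi_like_gateway() {
    var=$(cgi_var_name "$1")
    env "$var=$2" bash -c \
        'printf "Content-Type: text/plain\n\n"; printf "%s=%s\n" "$1" "$(printenv "$1")"' cgi "$var"
}

# Bash 4.3 only imports a value as a function when it begins with exactly
# "() {"; this check is deliberately looser (any spacing, anywhere in the
# string) so it also catches the variants seen in attack traffic.
is_shellshock_payload() {
    printf '%s\n' "$1" | grep -Eq '\(\)[[:space:]]*\{'
}

# Constructed access-log lines in the combined format (referer and
# user-agent are the last two quoted fields).
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:09:22:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 203.0.113.9"
198.51.100.7 - - [25/Sep/2014:09:22:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:09:22:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.30.0"'

# Count log lines carrying the trigger, whichever header field it arrived in.
count_shellshock_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec '\(\)[[:space:]]*\{' || true
}

# Usage: a harmless payload through the simulated gateway, then the log scan.
run_cgi_like_gateway User-Agent '() { :;}; echo INJECTED'
printf 'log lines with Shellshock trigger: %s\n' "$(count_shellshock_hits)"
```

The detector is the same idea as the WAF and IDS signatures published for Shellshock: it fires on any "() {" sequence, including values Bash itself would never import, so treat hits as leads to review rather than something to block blindly. Note that the payload can arrive in any header field, which is why the log scan does not restrict itself to the user-agent column.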

Patch available for major Linux distributions

Patching Bash is of utmost importance, and the developers of Ubuntu (14.04 LTS, 12.04 LTS and 10.04 LTS), CentOS (5 through 7) and Debian already offer a fix.

Red Hat also shipped a patch for CVE-2014-6271, but this first fix (the same upstream patch the other distributions picked up) turned out to be incomplete, and the remaining issue was assigned a new identifier, CVE-2014-7169, which is still to be addressed.

A simple way to test whether a Linux/Unix system is vulnerable to Shellshock is to run the following command:

```sh
env x='() { :;}; echo vulnerable' bash -c "echo Shellshock"
```

A system affected by the bug prints:

```
vulnerable
Shellshock
```

A system with the first patch applied instead replies with:

```
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Shellshock
```

(Later Bash updates import functions only from specially named variables, so on a fully patched system the two warning lines are absent and only Shellshock is printed. Either way, the word "vulnerable" never appears.)
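The check above answers only the original CVE-2014-6271 question. The following is an added example (not code from the article): it wraps that one-liner together with the widely circulated check for the incomplete first patch (CVE-2014-7169) in functions that each print a single word, so an inventory or configuration-management job can act on the result. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the article: the article's one-line check and
# the follow-up check for the incomplete first patch (CVE-2014-7169), each
# reduced to one word (vulnerable / patched / no-bash). Function names are
# this example's own.

# CVE-2014-6271: while importing the function "x", an unpatched Bash also
# runs the command after the function body, so "vulnerable" is printed.
# Patched builds print only "Shellshock" (early fixes also emit two warnings
# on stderr, which are captured here but contain no "vulnerable").
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo Shellshock" 2>&1 || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: with only the first patch applied, a malformed function body
# leaves the parser holding a pending redirection, so the next command
# "echo date" is run as "date > echo". A file named "echo" appearing in the
# working directory is therefore the tell-tale; a scratch directory keeps the
# test from dropping files elsewhere.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# Human-readable summary; exit status 1 if either check found Bash vulnerable,
# so the script can gate a deployment or feed a monitoring job directly.
shellshock_report() {
    r1=$(check_cve_2014_6271)
    r2=$(check_cve_2014_7169)
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$r1" "$r2"
    [ "$r1" != vulnerable ] && [ "$r2" != vulnerable ]
}

shellshock_report
```

Run it as the same user that owns the services in question, since it tests whichever bash is first in that user's PATH; a host with several Bash builds (for example a vendor copy under /opt) needs the check repeated for each binary.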
The bug is exploitable over the network and the attacker does not need any authentication. Exploiting it is not difficult, and a successful attack allows unauthorized modification and disclosure of information as well as service disruption.

Installing a fixed version of Bash should be the top priority, especially since proof-of-concept (PoC) code for exploiting CGI scripts has already been published.