Bash Bug: What you need to know

Sep292014

Last Wednesday the web was on high alert after the discovery of the Bash Bug (also known as ShellShock and BashDoor). A vulnerability discovered in the UNIX bash shell with the potential of being much worse than HeartBleed, this year’s earlier gaping security flaw.

Let’s start from the top:

Bash is the command line shell used as the backbone to systems running UNIX. Most web servers are run on UNIX based operating systems as they are the most adept at handling large volumes of traffic. The vulnerability lies in defining a function in an environment variable and appending bash commands to that function definition. Simply put, the appended command is not supposed to be allowed to run but unpatched versions of Bash do not throw an error with this extraneous code, they run it. Daemons (processes running on a server) use Bash commands to perform their tasks and are thus susceptible to this vulnerability. Other major web software such as Apache, PHP and CGI also have the potential of being exploited by ShellShock.

So why is ShellShock so bad? Whereas Heartbleed was a vulnerability which left servers open to eavesdropping on data held on the server, ShellShock allows attackers to actually run commands on a system remotely which opens up the possibility for unprecedented attacks.

Aside from web servers, desktops and laptops with bash are equally vulnerable. Mac systems on OSX and higher are threatened and Apple has as of yet been able to provide a solution for their users. Also users on UNIX based operating systems such as Ubuntu also run Bash as their command line interpreter. If you have reason to believe you are in danger you can run this simple and safe text command to check:

1. Open a terminal window

2. Paste in this command: env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

3. If you see the word “vulnerable” written back to you, your system is vulnerable. Unaffected systems will throw Bash errors or only show the line “this is a test”.

Here at bv02 we have been tirelessly patching all the servers we have access to and notifying our clients of the potential dangers since late last week.

A look into the source code for Bash indicates this vulnerability has been around since version 1.3 which dates back to 1992.

In the wake of The Bash Bug and Heartbleed, the eyes of the tech world will be closely monitoring the services and software we use every day. A look into the source code for Bash indicates this vulnerability has been around since version 1.3 which dates back to 1992. The actual vulnerability was discovered September 12th, a full 12 days before it was announced giving the creators of the bash shell time to have a patch ready when it was announced. Vulnerabilities like this could conceivably be anywhere, even in our most trusted software. Constant vigilance and testing is required to keep one step ahead of those looking to exploit the holes in the code we use every day.

Links:

Patch your Mac system.
Errata Security tests how widespread the vulnerability across the internet
Ars Technica Explains the Bash Bug

Skip to sharing

2 responses to “Bash Bug: What you need to know”

  1. Thanks for this Thomas. I used Apples official update for patching my system. Found it here. http://support.apple.com/kb/DL1769