pixel_dreams - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

In Heartbleed's wake, Bash shell flaw puts Linux, Mac OS users at risk

Experts say a 20-year-old vulnerability uncovered in the Bash shell, found in Unix-based operating systems including Linux and Mac OS, could lead to a dangerous worm outbreak unlike anything seen in more than a decade.

A major security flaw found in the Unix-based Bourne Again Shell, widely known as Bash, featured in both the Linux and Mac OS X operating systems could not only leave millions of systems open to exploit and rival the scope of the Heartbleed OpenSSL vulnerability, but experts say it may also set the stage for the biggest worm outbreak in more than a decade.

Discovered by UK-based Unix expert Stéphane Chazelas, the Bash vulnerability, also known as Shellshock or CVE-2014-6271, actually dates back more than 20 years and is present in every shell version up to 4.3.

US-CERT's National Vulnerability Database has rated the flaw's severity as a "10.0," which is the highest possibly severity, based on the common vulnerability scoring system, in large part because it is so easily exploited: The bug can be triggered remotely without any form of authentication.

Huzaifa Sidhpurwala, a security engineer with open source software firm Red Hat Inc., based in Raleigh, N.C., wrote in a blog post yesterday that the Bash vulnerability can be exploited by creating specially crafted environment variables with code that is executed as soon as the Bash shell is called. The flaw arises, according to Sidhpurwala, because Bash allows limited functions to be put into these environment variables. An attacker, Sidhpurwala said, need merely add extra code to the end of a function to exploit the bug.

Sidhpurwala also noted that only the content, not the names, of the variables is relevant, meaning the flaw could be exploited in a variety of ways. For instance, an Apache server using mod_cgi or mod_cgid could be affected if those CGI scripts are written in Bash, according to the Red Hat blog post, and the Bash flaw could be used to provide arbitrary command execution in situations where ForceCommand is used in sshd configurations for remote users.

Robert Graham, CEO of Errata Security, said in a blog post that the widespread nature of the Bash shell is one of the reasons why this flaw is "as big a deal as Heartbleed."

"The bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion," said Graham. "Thus, we'll never be able to catalogue all the software out there that is vulnerable to the Bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable."

Bash could lead to Code Red/Nimda-level worm outbreak

Though the potential pervasiveness of this flaw is clear, the impact of potential exploits has not been fully established yet.

However, late Wednesday Graham confirmed that Bash is wormable and that not only are thousands of Internet systems vulnerable, but also that at least one attacker is already exploiting the flaw by delivering malware payloads using Graham's own masscan port-mapping tool.

Security advancements in the past decade have largely cast aside the types of vulnerabilities that could be widely exploited by an Internet worm, which is defined by former Arbor Networks researchers Jose Nazario, Thomas Ptacek and Dug Song as a self-propagating executable that spreads directly from system to system without human intervention.

But Securosis analyst and CEO Rich Mogull in a blog post Thursday said Bash's omnipresence and the flaw's wormability are cause for great concern.

"That places it into Code Red/Nimda territory. A workable bug that can exploit public Web servers is scary. We don't know for sure, Rob doesn't know for sure, but it looks very, very possible," Mogull said. "Potential worms are like staring at the smoking volcano while the earthquakes stir your martini -- they aren't the sort of thing you can wait for definitive proof on before taking seriously."

The National Vulnerability Database listing explained that the Bash vulnerability could allow for the unauthorized disclosure of information, unauthorized modification and disruptions in service. Jim Reavis, CEO of the Cloud Security Alliance, said in a blog post that that the bug could be used to set headers in Web requests and set weird MIME types.

Bash flaw: Test and patch immediately

Reactions throughout the security community indicate that the flaw's severity warrants immediate patching efforts. Linux variants CentOS, Debian, Ubuntu and Red Hat have already provided patches, though Red Hat has since pulled its patch, explaining that its original patch is "incomplete" and that the company is continuing to work on the issue.

A US-CERT advisory also provided a GNU Bash patch, but warned that only experienced users and admins should implement it.

For enterprises unsure of whether a system is vulnerable, Red Hat said to run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output reads "vulnerable … this is a test," then a vulnerable version of Bash is present.

Graham encouraged companies to look beyond systems typically associated with Bash and scan for Telnet, FTP and older versions of Apache, as well as video cameras and Internet of Things devices.

"Anything that responds is probably an old device needing a Bash patch," said Graham in a blog post. "And, since most of them can't be patched, you are likely screwed.

"Unlike Heartbleed, which only affected a specific version of OpenSSL, this Bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug," Graham continued. "The number of systems needing to be patched, but which won't be, is much larger than Heartbleed."

Dig Deeper on Emerging cyberattacks and threats

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

To find the version of bash. Use following command "bash --version" in the terminal.
So our home broadband routers, most of them runnintg on some version of LINUX..... how do we test thoise and how do we patch them?