Cisco Learning Network Store Promotions Page

9.25.2014

New Bash software bug may be even worse than Heartbleed

  
A security flaw in the GNU Bourne Again Shell (Bash) could leave systems running the software vulnerable to breaches and attacks. Dubbed Shellshock, the vulnerability is posing a bigger threat than the infamous Heartbleed bug, as it allows hackers to take complete control of a targeted system.
 

Discovered by Stéphane Chazelas, a French IT manager working in the UK, the bug is related to how Bash processes environment variables passed by the OS or by a program calling a Bash-based script.
 
"An enormous percentage of software interacts with the shell in some fashion", said Errata Security's Robert David Graham in a blog post. "We'll never be able to catalogue all the software out there that is vulnerable to the bash bug".
 
The United States Computer Emergency Readiness Team (US-CERT), which is part of the Department of Homeland Security, has also issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Mac OS X, advising users to obtain OS updates from software vendors.
 
While many of the major Linux distribution vendors, including Red Hat, CentOS, Ubuntu, and Debian, have already issued a fix, Apple hasn't yet patched the shell. The vulnerability affects versions 1.14 through 4.3 of Bash.
 

To determine if your system is vulnerable you can run the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:
 
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
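The probe above relies on the reader comparing two lines of output by eye. The following POSIX shell script is an added example, not part of the original post: it wraps the same probe in a function that returns a status word, and adds a second function that classifies an environment value by the shape the bug abused (a value starting with "() {" followed by text after the closing brace). It assumes only that a bash binary is on PATH; if none is found it reports "no-bash" instead of guessing.

```shell
#!/bin/sh
# Added example: run the Shellshock probe from the post and report a status
# string ("vulnerable", "patched", "unknown" or "no-bash"). Assumes bash is
# on PATH; nothing else about the host is assumed.
shellshock_status() {
    # No bash at all: there is nothing to test on this host.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # Same probe as in the post: an exported variable whose value is a function
    # definition with a trailing command. A vulnerable bash runs the trailing
    # "echo vulnerable" while importing x; a patched bash refuses the import
    # and prints a warning on stderr, which is discarded here.
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*)       echo "vulnerable" ;;
        *"this is a test"*) echo "patched" ;;
        *)                  echo "unknown" ;;
    esac
}

# Classify a single environment value: does it look like a bash function
# export ("() {" ... "}") with anything after the closing brace? That trailing
# text is exactly what an unpatched bash executed during import. Returns 0
# (true) when a trailing payload is present, 1 otherwise.
env_value_has_trailing_payload() {
    value=$1
    case "$value" in
        "() {"*) ;;          # looks like a function export, keep checking
        *) return 1 ;;       # ordinary variable, not the pattern at all
    esac
    # Drop everything up to and including the first closing brace, then any
    # whitespace; whatever remains is text bash should never have executed.
    rest=$(printf '%s' "$value" | sed 's/^[^}]*}//; s/^[[:space:]]*//')
    if [ -n "$rest" ]; then
        return 0
    else
        return 1
    fi
}

# Stand-alone usage: print the host status, then show the classifier on the
# probe's own payload (constructed input) and on a harmless function export.
shellshock_status
for sample in '() { :;}; echo vulnerable' '() { :;}'; do
    if env_value_has_trailing_payload "$sample"; then
        echo "trailing payload: $sample"
    else
        echo "clean function export: $sample"
    fi
done
```

The classifier only looks at one value; to audit a process environment you would feed it each variable's value in turn and report the names that match, keeping in mind that a legitimate exported bash function ends at its closing brace and leaves nothing behind.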

 
For those unfamiliar, Bash is a command line interpreter produced by the non-profit Free Software Foundation. It's the default shell in most Linux distributions as well as Apple's OS X operating system.
 
~ Himanshu Arora
