System admins scrambling to manage and patch the Bash Shellshock bug
September 26, 2014
Just about anywhere you look since yesterday, sysadmins and IT departments all over the world, and their users, are scrambling to patch a severe 'Shellshock' security vulnerability in the Bash software found on Unix, Linux and OS X systems, while attackers everywhere exploit the bug in an attempt to compromise or crash servers and computers.
But as millions of servers, PCs and internet devices still lie vulnerable or are in the process of being updated, it has emerged that the fix is incomplete.
The security flaw affects the GNU Bourne Again Shell, better known as Bash, a widely installed command interpreter used by most Linux and Unix systems and by Apple's OS X.
It allows attackers to remotely execute arbitrary code on systems ranging from web servers, routers, enterprise servers and Macs to embedded devices, and on anything else that runs the flawed open-source shell.
All an attacker needs is to get a payload into an environment variable of a process that will later start Bash. Bash passes shell functions to child processes through environment variables whose value begins with "() {", and the vulnerable parser does not stop at the end of the function body: any command appended after the closing brace is executed as soon as the shell starts. Getting such a variable set is surprisingly easy, for example through HTTP request headers that a web server hands to CGI scripts (HTTP_USER_AGENT and friends), through DHCP client scripts that place server-supplied options in the environment, or through OpenSSH's ForceCommand, which exposes the client's requested command as SSH_ORIGINAL_COMMAND.
When that process or one of its children invokes Bash, the injected command runs. It's as simple as that.
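The mechanism above, as an added example that is not part of the original article: a POSIX shell script that mimics how a web server maps a request header to a CGI environment variable, probes the local bash for the original flaw (CVE-2014-6271) and for the incomplete fix (CVE-2014-7169) using the well-known public test strings, and counts the "() {" signature in a few constructed access-log lines. The helper names, the marker string SHELLSHOCK and the sample log lines are this example's own; the probes are harmless (they echo a marker or write into a temporary directory that is removed afterwards).

```shell
#!/bin/sh
# Added example (not from the article): how a request header becomes an
# env var, two local bash probes, and a log signature check.

# A CGI-capable web server exposes each request header to the script as
# HTTP_<NAME> (hypothetical helper that reproduces that mapping).
cgi_env_name() {
    # "User-Agent" -> "HTTP_USER_AGENT"
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# CVE-2014-6271: an env var whose value starts with "() {" is imported as
# a function; an unpatched bash also runs what follows the body, so the
# marker is printed. Prints vulnerable, patched or no-bash.
probe_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env HTTP_USER_AGENT='() { :; }; echo SHELLSHOCK' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: after the first fix, this crafted definition still leaks
# parser state, so "echo date" turns into "date > echo" and a file named
# "echo" appears in the working directory. Run inside a temp dir.
probe_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -s "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# The same "() {" prefix attackers put in headers ends up in the web
# server's access log. Reads log lines on stdin, prints the match count.
count_probe_lines() {
    grep -cE '\(\) *\{' || true   # grep -c prints 0 and exits 1 on no match
}

# Constructed sample log (not from a real host): one probe, one normal hit.
SAMPLE_LOG='10.0.0.5 - - [26/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.7"
10.0.0.6 - - [26/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

printf 'User-Agent is exported as %s\n' "$(cgi_env_name User-Agent)"
printf 'CVE-2014-6271: %s\n' "$(probe_6271)"
printf 'CVE-2014-7169: %s\n' "$(probe_7169)"
printf 'probe lines in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_probe_lines)"
```

The probes only tell you about the bash on the machine where they run; on a web server, the same test string in a request header tells you whether the CGI path is exposed, but that is something to try only against systems you own.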
Designated CVE-2014-6271, the Bash flaw is already being exploited in the wild against web servers, which are the most obvious targets but by no means the only machines at risk.
Patches released on Wednesday by Linux vendors, the upstream maintainers of Bash, and Apple for OS X blocked these early attacks, but it's now understood that they do not completely stop code injection through environment variables, which is the root of the problem.
New Bash packages were rolled out the same day, but further investigation showed that the patched version is still exploitable and, at the very least, can be crashed through a null-pointer dereference. The incomplete fix is being tracked as CVE-2014-7169.
At the time of writing, Red Hat was urging system admins to upgrade to the version of Bash that fixes the first reported security hole now, and not wait for the patch for the secondary, lingering vulnerability designated CVE-2014-7169.
"Overall, CVE-2014-7169 is a less severe security issue and patches for it are being worked on as we speak," Red Hat said.
Meanwhile, although Ubuntu and other Debian-based Linux distributions use the non-vulnerable Dash as /bin/sh, Bash is almost always still installed on those systems and remains the default login shell for user accounts, so it must be patched there too.
Above all, check which shell interpreters are installed, which accounts and processes are using them, and patch CVE-2014-6271 immediately.
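One way to do that inventory, as an added example that is not part of the original article or of any vendor's tooling: a POSIX shell script that lists the shells registered in /etc/shells, finds accounts whose login shell is Bash, shows what /bin/sh really points to, counts running Bash processes, and prints the Bash version so it can be compared with the vendor's patched build. The helper names are this example's own, and the passwd lines it demonstrates on are constructed so the script runs stand-alone; point the same functions at /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example (not from the article): inventory shells and their users.

# Login shells registered on the host, with comments and blanks skipped.
installed_shells() {
    [ -r /etc/shells ] || return 0
    grep -v '^#' /etc/shells | grep -v '^$'
}

# Accounts whose login shell is bash, from passwd-format lines on stdin
# (field 7 is the shell). Reading stdin lets the same function run over
# /etc/passwd or over the constructed sample below.
bash_users() {
    awk -F: '$7 ~ /\/bash$/ { print $1 }'
}

# Constructed passwd lines for a stand-alone run (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash'

# What /bin/sh actually is: dash on Debian/Ubuntu, bash on many others.
# This decides which shell runs "#!/bin/sh" scripts and system() calls.
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Number of bash processes currently running ("0" if ps is unavailable).
running_bash_count() {
    ps -eo comm 2>/dev/null | grep -c '^bash$' || true
}

# Version of the bash on PATH, or "none" if there is no bash at all.
bash_version() {
    command -v bash >/dev/null 2>&1 || { echo none; return 0; }
    bash -c 'echo "$BASH_VERSION"'
}

echo "installed shells:"; installed_shells
echo "bash users (sample passwd):"; printf '%s\n' "$SAMPLE_PASSWD" | bash_users
echo "bash users (this host):"; [ -r /etc/passwd ] && bash_users < /etc/passwd
printf '/bin/sh -> %s\n' "$(sh_target)"
printf 'running bash processes: %s\n' "$(running_bash_count)"
printf 'bash version: %s\n' "$(bash_version)"
```

The version line is the one to act on: compare it with the fixed package version in your distribution's advisory for CVE-2014-6271, and re-check once the CVE-2014-7169 packages ship.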
Source: Red Hat.