Shell Shock Exploit

Can you guess what I was doing last night? If you guessed upgrading my servers you’re correct. The hits just keep on coming this year. Earlier there was a nasty exploit in the OpenSSL library, which a huge amount of software relies on, that allowed attackers to read arbitrary chunks of memory from a targeted server. Now a vulnerability in the Bourne Again Shell (Bash) has tossed a monkey wrench into the works as it allows the remote execute of commands:

Let me start with the CVE from NIST vulnerability database because it gives a good sense of the severity (highlight mine):

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

They go on to rate it a “10 out of 10” for severity or in other words, as bad as it gets. This is compounded by the fact that it’s easy to execute the attack (access complexity is low) and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts. The summary above is a little convoluted though so let’s boil it down to the mechanics of the bug.

In the industry that is what we call bad news. So who’s vulnerable? Anybody using a system with a vulnerable version of Bash installed. Since Bash is an extremely popular shell amongst UNIX systems, including being the default shell in many Linux distributions and Apple OS X, there’s a lot of exploitable systems out there. But Microsoft users get to sit this one out.

If you run Linux updates Bash immediately. Apple hasn’t released a fix for this exploit yet but if you have Xcode installed you can compile a patched version of Bash or you can use Homebrew or Macports to install a newer version of Bash. And if you run a UNIX server and haven’t upgraded your system yet you better get your ass in gear.