A new bug, tracked as CVE-2014-6271, has been found in the widely used Bash command interpreter that ships with most Linux distributions and with OS X.  It puts at risk many servers, PCs, Macs, routers, websites and anything else that passes attacker-controlled data into the environment of a Bash process.  The vulnerability is present in all versions up to and including 4.3 and was discovered by Stephane Chazelas.

According to the NIST National Vulnerability Database (NVD), which gives the flaw the maximum CVSS severity score of 10.0 out of 10:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Authentication: Not required to exploit.

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service.


You can test whether a system is vulnerable by running the following command from the command line.  If the output contains the word "busted", the shell executed the command that was smuggled in after the function definition, and the system needs to be patched as soon as possible.
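As an added example that is not the original post's one-line command, here is a small POSIX shell function that wraps the same kind of check and reports the result.  It assumes the shell to test is either on PATH or given as an absolute path, and uses "busted" as the marker word the post refers to.

```shell
#!/bin/sh
# Added example, not the original post's command. Checks whether a given shell
# binary is vulnerable to CVE-2014-6271 (the Bash bug described above).
#
# Mechanism: Bash imports shell functions from the environment when a variable's
# value starts with "() {". A vulnerable Bash also executes whatever follows the
# closing brace ("echo busted" here) while it is importing the environment, before
# it ever runs the command given with -c. A patched Bash ignores the trailing text.

shellshock_check() {
    shell="${1:-bash}"              # shell to test; defaults to whatever "bash" resolves to

    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "missing"              # nothing to test; must not be reported as safe
        return 2
    fi

    # The marker "busted" only appears if the trailing command was executed.
    # stderr is captured as well so a patched shell's warning is not lost, and a
    # non-zero exit from the child shell is tolerated (we only care about the output).
    out=$(env X='() { :;}; echo busted' "$shell" -c 'echo completed' 2>&1) || :

    case "$out" in
        *busted*) echo "vulnerable";     return 1 ;;
        *)        echo "not vulnerable"; return 0 ;;
    esac
}

# Stand-alone usage: check bash itself and /bin/sh, which is Bash on many
# distributions (on systems where /bin/sh is dash the check simply reports
# "not vulnerable", because dash never imports functions from the environment).
for s in bash /bin/sh; do
    printf '%s: %s\n' "$s" "$(shellshock_check "$s")"
done
```

Run it as a plain script; a system that still needs the patch prints "bash: vulnerable".  Note that "not vulnerable" for /bin/sh only tells you about that binary: a CGI script or SSH ForceCommand that invokes bash explicitly is still exposed until bash itself is patched.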

Some security experts are saying this bug will be larger than the Heartbleed bug that caused so many problems a while back.  The difference this time is that Heartbleed leaked secrets from servers, so users had to run out and change their passwords on every affected website, whereas this bug lets an attacker run commands on the affected system, so the responsibility for fixing it falls mainly on system administrators and web administrators.  Those running OS X or Linux at home will want to check with their vendor for a patch as soon as possible.

Red Hat's advisory on this bug and an article from The Register have more information.

As more information becomes available I plan to update this post, so be sure to check back in the days to come for more links and information as patches become available.

Edited (09/26/14 – 02:00 am UTC)

Many vendors are already releasing patches for the issue.  For instance, the two systems I use that have CentOS 6.5 and 7.0 running on them both had the patch available for download, which I was able to run and install without incident.  After running the patch I ran the Bash test again as shown above and received "/bin/sh: warning: X: ignoring function definition attempt".


Apple has yet to release an update for OS X, however it should be forthcoming.  Unless your system is Internet facing and running a web site, or exposing some other service that passes attacker-supplied data into the environment of a Bash process (the NVD entry above lists OpenSSH ForceCommand and DHCP clients as examples), there is a good chance you are safe for the time being.  In any case, once the patch is available it would be wise to apply it, Internet facing or not.
