Critical Bash bug opens Unix, Linux, OS X systems to attacks

The Bash “shellshock” flaw (CVE-2014-6271) was discovered last week by Unix/Linux specialist Stephane Chazelas, and its existence was made public on Wednesday.

It affects Bash, the command interpreter present on many Unix systems and systems based on it: various Linux distributions and Apple’s OS X.

It can be exploited by attackers looking to override or bypass environment restrictions to execute shell commands, i.e. unauthorized, malicious code.

The flaw is deemed critical for many reasons. For one, the number of affected devices is huge: think about all the web servers (including Apache ones) and embedded devices (routers, etc.) running on Linux, Mac computers… The number could very well be in the hundreds of millions.

Secondly, the US-CERT and NIST gave it the maximum score (10.0) for both impact and exploitability. Exploitation of the flaw can lead to unauthorized disclosure of information, unauthorized system access and modification, and disruption of service, and the exploitation process is extremely short and simple: it takes just a few lines of code.

According to CloudFlare security engineer Ryan Lackey, the flaw is already being exploited in the wild manually, and it’s just a matter of time until someone creates a worm and automates the attack and makes it jump from one vulnerable system to another.

Finally, the bug has been present for years and years, but it’s impossible to tell if it has been exploited in attacks before now.

Sean Gallagher has shared an easy way to check whether your Linux or Unix system is vulnerable, and the good news is that many of the popular Linux distros have already issued a patch.

“A GNU Bash patch is also available for experienced users and administrators to implement,” US-CERT noted in an alert.

While the patching itself is easy and can be executed quickly, the main problem for administrators will be to track down all the devices that are vulnerable, especially if their networks are vast and complex.

“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed,” noted Errata Security’s Robert Graham.

“There’s little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug. However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can’t be patched, you are likely screwed.”

Home users who must do the deed themselves are advised to regularly check websites of manufacturers whose devices (e.g. routers) they own for security updates solving the issue, and to implement those updates as soon as they can. That goes for OS X users as well.