
Big Linux Security Hole Found

Shortwave
Big Linux Security Hole Found


http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-se...


Risk Assessment / Security & Hacktivism
Bug in Bash shell creates big security hole on anything with *nix in it
Could allow attackers to execute code on Linux, Unix, and Mac OS X.

by Sean Gallagher - Sept 24 2014, 4:45pm EST

Whoops. Mac OS X's Bash shell is vulnerable to remote execution attacks.
Sean Gallagher

A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.

The bug, discovered by Stephane Chazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian

A test on Mac OS X 10.9.4 ("Mavericks") by Ars showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to "command line tools."

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server. And a malicious DHCP server set up on a network or running as part of an “evil” wireless access point could execute code on some Linux systems using the Dynamic Host Configuration Protocol client (dhclient) when they connect.

There are other services that run on Linux and Unix systems, such as the CUPS printing system, that are similarly dependent on Bash that could be vulnerable.

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.

nibs
Thanks for the heads up

ConCen was vulnerable. Since an update was available, updating the server fixed the issue.

pax
obligatory obscure comment

abashed the nix men stood and felt how awful vulnerability is :P

nibs
Pax wrote:

abashed the nix men stood and felt how awful vulnerability is

:-}

pax
bugs not fixed yet!

Further flaws render Shellshock patch ineffective
Powered by SC Magazine
By Juha Saarinen on Sep 29, 2014 10:19 AM (13 hours ago)
Filed under Security

Patched systems remain vulnerable.

The Shellshock vulnerability in the commonly used Bash command line interpreter shell is likely to require more patches, as security researchers continue to unearth further problems in the code.

Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

Common vulnerabilities and exposures numbers CVE-2014-6277 and CVE-2014-6278 have been assigned to the vulnerabilities.

Zalewski has discussed the vulnerabilities with the groups that volunteer to maintain Bash and with Linux OS vendors directly involved in attempting to resolve the original Shellshock vulnerability.

"We want to give people some time to update before we share additional details," Zalewski said.

After the initial disclosure of the Shellshock bug, Zalewski and fellow security researchers Florian Weimer and Tavis Ormandy expressed concern over the continued exposure of the underlying attack surface in Bash.

The three researchers have called for a more robust approach to addressing the issue, and also found a troubling pattern of vulnerabilities in CVE-2014-7186, CVE-2014-7187 and CVE-2014-7169 that Zalewski said suggests the Bash parser may be unsafe.

There is an unofficial patch ready, Zalewski said, and he recommends users apply it urgently.

"Somewhere in the middle of all this, Florian Weimer developed an unofficial patch that mitigates this and all future problems in the bash function parser by shielding it from remotely-originating data.

"As of today, this patch is already shipping with several Linux distributions, but many users will need to update manually," he added.

Zalewski has written a technical analysis of the Shellshock bugs, describing what work was undertaken to patch them and calculating the impact of the combined vulnerabilities.

He notes that Shellshock can go beyond web server common gateway interface (CGI) scripts on modern Linux systems where the /bin/sh command shell is a symbolic link to /bin/bash.

A range of web apps written in PHP, Python, C++ or Java could be vulnerable if they use calls to functions such as popen() or system(), as these are backed by calls to /bin/sh -c in turn, Zalewski notes.

Zalewski also addressed the length of time it has taken to discover the Bash bug:

"As for the inevitable "why hasn't this been noticed for 15 years" and "I bet the NSA knew about it" stuff - my take is that it's a very unusual bug in a very obscure feature of a program that researchers don't really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on."

Meanwhile, researchers are assembling proof-of-concept code that can be used to exploit Shellshock.

Rob "mubix" Fuller has started up the Shellshocker-pocs repository on Github for this purpose, and it contains exploits against PureFTPd, SIP VoIP proxies, the Qmail mail server, SSH secure shell, and dynamic host control protocol (DHCP) IP address allocation servers.

Read more: http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-pat...
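
Added example (not part of the thread or of the quoted articles): the test from the first post wrapped in a script that also checks /bin/sh, since the article above notes that popen() and system() go through /bin/sh -c. The function names are made up for this example; a patched Bash may print the warnings quoted earlier or nothing but the test line, and both are treated as not vulnerable.

```shell
#!/bin/sh
# Added example: audit local shells with the one-line test quoted in the post.
# Function names (classify_output, is_bash, audit_shell) are hypothetical.

# Classify the combined stdout/stderr of the test command.
# Only a line that is exactly "vulnerable" counts; the warning text does not.
classify_output() (
    out=$1
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo not-vulnerable
    else
        echo inconclusive      # shell did not run the command at all
    fi
)

# True if the binary at $1 is bash, even when reached through a symlink
# such as /bin/sh. BASH_VERSION is set only by bash, whatever its name.
is_bash() (
    [ -x "$1" ] || exit 1
    v=$("$1" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null) || exit 1
    [ -n "$v" ]
)

# Run the page's test against one shell path and classify the result.
audit_shell() (
    shell=$1
    if ! is_bash "$shell"; then
        echo not-bash
        exit 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>&1) || true
    classify_output "$out"
)

# /bin/sh is checked first because library calls run commands through it.
for s in /bin/sh /bin/bash; do
    printf '%s: %s\n' "$s" "$(audit_shell "$s")"
done
```

A "not-bash" result for /bin/sh means that path is served by another shell, so only software that invokes bash by name reaches the affected parser.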

h3rm35
Surprise! everything is vulnerable to the right coder!

not really though. I'd still rather have a linux system than windoze.
