
CVE-2014-6271 aka Shellshock Bash Bug

By | September 28, 2014 in General IT


Remember Heartbleed? Back in April, I was flooded with questions from our customers, so I wrote that blog post about it when the hype was about as big as Apple’s iPhone 6 announcement. Well, guess what? Five months later we’ve got a new vulnerability with an equally awesome name. Meet "Shellshock" - an awesome bug with the potential to be as big as Heartbleed. Today, I wanted to put together something definitive, both for me to come to grips with the situation, and for others to separate the hype from the true underlying risk.

What Is Bash and Why Do We Need It?

Let’s start at the beginning. Bash is a *nix shell, or in other words, an interpreter that allows you to orchestrate commands on Unix and Linux systems, typically by connecting over SSH. It’s been around since the late 80s, when it evolved from earlier shell implementations (the name is derived from the Bourne shell), and is enormously popular. There are other shells out there for Unix variants, but the thing about Bash is that it’s the default shell for Linux and Mac OS X, which are obviously extremely prevalent operating systems.

What Is the Vulnerability?

The flaw involves how Bash evaluates environment variables. With specifically crafted variables, a hacker could use this hole to execute shell commands. A good example would be an application calling a Bash shell command via HTTP or a Common Gateway Interface (CGI) script in a way that lets a user supply the data that ends up in those variables. The most dangerous circumstance is if your application calls scripts with super-user, aka root, permissions. In this case, your attacker could get away with "murder" on your server.

Are You Exposed?

You are probably asking yourself, "If I am not running Linux/Unix/Mac, am I exposed?" Short answer "no" and long answer "yes". I'll tackle the easy one first – Bash is not found natively on Windows and whilst there are Bash implementations for Windows, it's certainly not common and it's not going to be found on consumer PCs. It's also not clear if products like win-bash are actually vulnerable to Shellshock in the first place.

The longer answer is that just because you operate in a predominantly Microsoft-centric environment doesn't mean that you don't have Bash running on machines servicing other discrete purposes within that environment.

So What Should You Do?

Firstly, discovering whether you’re at risk is trivial, as the bug is so easily reproducible. There’s a very simple test: run this command within your shell:

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

If you get “busted” echoed back, the bug has been triggered and you are vulnerable.
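As an added example (not from the original post), here is a small POSIX sh script that wraps the same test into a function you can point at a specific bash binary. The post's one-liner runs /bin/sh, and on some distributions /bin/sh is not bash, so a clean result there says nothing about the bash that CGI scripts or cron jobs may actually invoke; the candidate paths and the "probe" marker are assumptions.

```shell
#!/bin/sh
# shellshock_vulnerable PATH_TO_BASH
# Returns 0 if the interpreter executes the trailing command from a crafted
# environment variable (CVE-2014-6271), 1 if it does not, 2 if PATH_TO_BASH
# is not an executable file.
shellshock_vulnerable() {
    bash_bin="$1"
    [ -x "$bash_bin" ] || return 2
    # A vulnerable bash parses X as a function definition while importing the
    # environment and runs "echo busted" before the -c command even starts.
    # stderr is discarded so a patched bash's "ignoring function definition"
    # warning does not pollute the result.
    out=$(env X='() { :;}; echo busted' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *busted*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report on the usual bash locations (assumed list) and show what /bin/sh
# really is, since the post's test only exercises /bin/sh.
shellshock_report() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$candidate" ] || continue
        rc=0; shellshock_vulnerable "$candidate" || rc=$?
        case "$rc" in
            0) printf '%s: VULNERABLE to CVE-2014-6271 - patch now\n' "$candidate" ;;
            1) printf '%s: not vulnerable\n' "$candidate" ;;
            *) printf '%s: not executable, skipped\n' "$candidate" ;;
        esac
    done
    printf '/bin/sh resolves to: %s\n' \
        "$(readlink -f /bin/sh 2>/dev/null || echo unknown)"
}

shellshock_report
```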

Of course the priority here is going to be patching systems. Linux distros such as Red Hat are releasing guidance on patching the risk, so jump on that as a matter of priority!

Are You a SysAid Cloud Customer?

As always, those using SysAid Cloud services can continue sleeping quietly at night knowing we already did all the necessary patching to make sure our systems are not exposed to Shellshock.



Joseph Zargari

About Joseph Zargari

As former VP Customer Relations, Joseph handled all customer support functions, including technical support, general queries, payments and the SysAid Community forum. With first-hand experience of SysAid products in the service desk environment, Joseph was a key source of input for SysAid’s design and development phases. In his free time, Joseph plays tennis, watches comedies, and does PHP coding.
