What is the Shellshock Bash bug?

By now you may have heard about a new bug found in the Bash shell.

This bug, nicknamed “Shellshock”, affects the Unix command shell Bash (Bourne Again SHell), which happens to be one of the most common applications on those systems and is installed on most *nix machines.

All of our managed dedicated, cloud and shared servers are already patched.

BUT, WHAT IS IT?

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Let’s start with your computer. If you have a Linux system, open the Terminal and run this command:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word “vulnerable” as an answer, your system is, well… vulnerable.

Your Bash shell is simply running more code after a function definition (the “() { :;};” part), and that shouldn’t be happening. The function is the “allowed” code, while everything after it is where potentially “malicious” code could be placed.
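The same test, wrapped in a small POSIX shell function so the result is an exit status rather than a word you have to read off the screen. This is an added example, not code from the original post: the function name shellshock_check and its exit-code convention (0 patched, 1 vulnerable, 2 no bash found) are assumptions of this example. It also accepts the path of a specific bash binary, because a host can carry more than one copy (a distribution package and a locally built one, for instance) and only the one on PATH gets tested by the one-liner.

```shell
#!/bin/sh
# Added example (not from the original post): run the Shellshock test against a
# given bash binary and report the outcome as an exit status.
# Exit codes (assumed convention): 0 = patched, 1 = vulnerable, 2 = bash not found.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        return 2
    fi
    # The crafted variable: a harmless function definition "() { :;}" followed
    # by trailing code. A vulnerable bash executes the trailing "echo vulnerable"
    # while importing the variable; a patched bash only runs the -c command.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Usage: check the bash on PATH (or pass a path as the first argument).
shellshock_check "$1"
case $? in
    0) echo "bash is patched" ;;
    1) echo "bash is VULNERABLE: update it now" ;;
    2) echo "bash not found" ;;
esac
```

Run it once per bash binary you find with `which -a bash` or by listing /bin, /usr/bin and /usr/local/bin; a patched distribution package does nothing for a second copy built from source.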

WHAT CAN AN ATTACKER DO?

A server has to listen to requests. This means that by sending almost any request that carries malicious code, an attacker can infect any affected server, which is about 60 percent of web servers out on the internet, most routers (even your home router) and many consumer devices (including security cameras and “smart” appliances — which don’t seem so smart right about now). This is because smart appliances are themselves a form of server.
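One defensive check that follows from the Apache mod_cgi vector named above: CGI hands request headers to the script as environment variables, so the marker “() {” turning up in a request field of a web server access log is worth flagging and reviewing. The script below is an added example, not code from the original post; the log lines are constructed, and the function names count_shellshock_markers and show_shellshock_markers are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original post): flag access-log lines whose
# request fields carry the Shellshock marker "() {". The sample lines below are
# constructed for this example, not real traffic.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; echo vulnerable"
198.51.100.4 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() {:;}; echo test" "curl/7.30"
198.51.100.7 - - [25/Sep/2014:10:03:00 +0000] "GET /about.html HTTP/1.1" 404 0 "-" "Wget/1.15"'

# The pattern: a literal "()" followed by optional spaces and "{", which is the
# function-definition prefix a vulnerable bash looks for when importing an
# environment variable. Escaped because "(", ")" and "{" are special in ERE.
MARKER_RE='\(\) *\{'

# Reads log lines on stdin and prints how many contain the marker. grep -c
# still prints "0" but exits 1 when nothing matches, so "|| true" keeps the
# function usable under "set -e".
count_shellshock_markers() {
    grep -Ec "$MARKER_RE" || true
}

# Reads log lines on stdin and prints only the matching ones, so an analyst
# can review source addresses and the CGI paths that were requested.
show_shellshock_markers() {
    grep -E "$MARKER_RE" || true
}

# Usage against the constructed sample; on a real host pipe in the access log.
printf '%s\n' "$SAMPLE_LOG" | show_shellshock_markers
printf 'matching lines: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_markers)"
```

A hit only tells you an attempt reached the server, not whether it succeeded; pair it with the bash check above and with a review of which CGI scripts on the host invoke Bash.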

HOW CAN THIS PROBLEM BE SOLVED?

It’s simple to solve this problem. Many software developers have already issued patches and more are being released by the hour. Two of the most popular Linux distributions, Red Hat and Ubuntu, already have patches available. Updating a system takes almost no time; it’s a simple process and a common task for most users.
