Major Bash vulnerability affects Linux, Unix, Mac Os x (shell shock)

http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x

 

This is actually a remote vulnerability, the Threatpost article just does a horrible job explaining it.

http://seclists.org/oss-sec/2014/q3/650

Edit: also I have to say, it says incredibly horrible things about the design of UNIX OSes that a vulnerability in the *local* command shell can make services vulnerable *that should not provide any access to said command shell, ever*.

 

Hi Gullible,

This vulnerability has been around since day one of the World Wide Web in browserland - notably since the Mosaic browser - i.e. it has nothing to do with the design of UNIX OSes - it is an implementation feature of how the browser makers designed that particular interface to execute whatever functionality. IOWs, there was no scrutiny whatsoever regarding security back in the day - which haunts us to this day.

 

Not sure I follow, as this is mainly a web service vulnerability, not a browser one? Or are you talking about CGI?

 

The way the CGI is implemented via the Bash interface has never been secure!

 

I'm not talking about CGI scripts implemented in bash, more that any compromised process can export an environment variable and have bash pick it up and execute it...

Although when you get down to it, the problem there is more DAC than UNIX specifically.

I guess my point is, a vulnerability in a strictly local command shell should not translate into a remote exploit in a web service on a sanely configured server. Apache etc. should not be able to just export whatever into the user's environment. One vulnerable local program should not instantly create a remote hole.

Edit: actually it's even worse than that, since in the case of DHCP clients it seems that stuff gets exported always, without any compromise of the client being necessary. Connect to a rogue server -> BOOM, instant root command shell.

This is just incredibly stupid. The entire job of a command shell like bash is to execute arbitrary commands, that's what is designed for; web services and client programs should never, ever depend on it not executing stuff for security. That's just ridiculous.

 

From Jim Finkle at Reuters:
New 'Bash' software bug may pose bigger threat than 'Heartbleed'
http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924

 

Update from Red Hat on 25 Sep :

https://access.redhat.com/articles/1200223

 

I believe I made no reference to 'scripts'. Since this vulnerability is a targeted attack - it is unlikely that it would have been uncovered in either design reviews or massive testing without a security vulnerability approach. Also, hindsight won't cure the problem unless a concerted effort is undertaken to comprehensively assure that both design/implementation reviews in concert with security tools target such vulnerability possibilities.

See the following article at ArsTechnica:
Bug in Bash shell creates big security hole on anything with *nix in it.

-- Tom

 

Sorry, I guess I'm having some trouble articulating what I mean here...

What I'm trying to say is, we have web services/clients/etc. depending on a command shell to be secure. And a command shell is, by definition, designed to execute arbitrary code. The flexibility of a command shell is inimical to any kind of security.

Edit: sorry for using dubious adjectives above BTW (I realize "incredibly stupid" is kind of inflammatory). The state of the art in industrial/enterprise computing is pretty amazing, but it still leaves a lot wanting, pretty much across the board.

 

http://arstechnica.com/security/201...bility-grows-as-exploit-reported-in-the-wild/

 

Looks like OpenWrt router firmware (based on Linux) is not affected: https://forum.openwrt.org/viewtopic.php?id=52937

That's good to know.

 

http://www.nytimes.com/2014/09/26/t...hellshock-software-bug-to-be-significant.html

 

Everything you need to know about the Shellshock Bash bug.

Troy Hunt gives a detailed analysis of Shellshock derived from various sources.

-- Tom

 

From Bash-ing Into Your Network – Investigating CVE-2014-6271:

 

Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks

http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/

 

http://blog.trendmicro.com/trendlab...exploit-emerges-in-the-wild-leads-to-flooder/

 

http://threatpost.com/patching-bash-vulnerability-a-challenge-for-ics-scada

 

Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability).

Related: Shellshock Bash Vulnerability Tester.

-- Tom