Shellshock: It’s as if Flesh-Eating Bacteria Were Poised to Eat Your Server

arghAnd all your linux-embeded devices with any Internet access. From the sound of it, that’s about how bad the “shellshock” bug in Bash is:

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

— Slashdot, Remote Exploit Vulnerability Found In Bash.

Shellshock name spotted on Errata Security (good blog BTW), and the faithful INQ, which shares the cheerful fact that the NIST vulnerability database “rates the flaw 10 out of 10 in terms of severity.”

Update: It looks as if patching severs will be easy – mine is already done. The real problem will be patching devices with embedded linux. To achieve that the consumer needs (1) to know the device exists, is connected to the internet, and is under your control — all sometimes much less obvious than one might imagine; (2) the device has to be patchable; (3) there has to be a patch; (4) the consumer has to know where to go to get the patch; (5) the consumer has to be able to apply it.

Internet of Things considered dangerous?

Update2: This is a nice test for the Shell Shock / shellshock vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it returns something like

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

You are fine. But if it says,

vulnerable
this is a test

Then you have the bash bug.

This entry was posted in Software, Sufficiently Advanced Technology. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.