Bash Shell Vulnerabillity – Security Threats to LINUX/UNIX Machine

Bash Shell Vulnerabillity – Security Threats to LINUX/UNIX Machine

  • bash shell vulnerability, security vulnerabilities

A bug discovered in the widely used GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The command interpreter poses a critical security risk to Unix and Linux systems since this flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

Critical instances where the vulnerability may be exposed include:
Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells
Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities
Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs
Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Systems Affected
GNU Bash through 4.3
Linux, BSD, and UNIX distributions including but not limited to:

A CVSS scored of 10 (the highest) has been calculated for this vulnerability for both impact and exploitability (“High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform). CVE-2014-6271 has a working patch for most distributions, however there are reports that the patch is not a complete fix and so a further vulnerability ID has been established, CVE-2014-7169
You can check if you’re vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words “busted”, then you’re at risk. If not, then either your Bash is fixed or your shell is using another interpreter.
env X=”() { :;} ; echo busted” /bin/sh -c “echo completed”
env X=”() { :;} ; echo busted” `which bash` -c “echo completed”

Regarding the ICS environment, ICS-CERT also has published some information related to this vulnerability, refer to ICS-CERT
Please keep vigilant especially for those who are using LINUX/UNIX based machine that considered to be object of this vulnerability, ensure your security policy is adequate and manage control the ICS access (physical and logical),
A more detail information including the proposed (temporary) solution for this vulnerability can be found at US-CERT TA14-268A
And for the source of the vulnerability summary from National Vulnerability Database (NVD) can be found at CVE-2014-7169 and CVE-2014-6271
Please remind update by referring to those respected sources for any further solutions and vulnerability fix up,
FedCo International


Leave Reply

Your email address will not be published. Required fields are marked *