Bash bug found, severity classified as ‘catastrophic’


As has been widely reported in the news recently by Reuters, CNN and other sources, Stéphane Chazelas, an IT manager working for a software development company in Scotland, has discovered a possibly devastating bug in the commonly used Unix shell, bash. The bug, tagged as ‘shell shock’, has been classified by Red Hat as ‘catastrophic’ in severity. Cybersecurity firm Rapid7 rated its severity at “10”, the maximum, and its complexity of exploitation as “low”, which means that attacks are relatively simple and easy for hackers to carry out.

Produced by the non-profit Free Software Foundation, bash is one of the more common shells in Unix systems. Although Open iT applications only use the shell to execute binaries and hard-coded commands (Open iT actually uses ksh for its own scripts) and do not in any way make the system especially vulnerable to external attacks, other services and applications may allow hackers to insert environment variables that will allow them to exploit this vulnerability to gain control of machines and server systems.

Red Hat had initially deployed a patch for this vulnerability (CVE-2014-6271). However, the patch was found “incomplete” by some technology security researchers. As of September 26th, Red Hat deployed a new patch for the remaining issue (CVE-2014-7169) to address this concern.

To find out if the system is vulnerable to shell shock, Red Hat recommends running the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the above command outputs the following:

vulnerable
this is a test

then the system has a vulnerable version of bash. On the other hand, the system is free from shell shock if the output of the above command looks like this:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

It is important to update the system’s bash version if it is found to be vulnerable. To patch a vulnerable system, LinuxNewsPro recommends the following commands.

For CentOS, Fedora, Red Hat and the like:

$ yum -y update bash

For Debian, Ubuntu and the like:

$ sudo apt-get update && sudo apt-get install --only-upgrade bash

Run the diagnostic test again after patching the system to make sure that it is now safe from the shell shock bug.
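The following script is an added example, not part of the original post or any vendor tooling. It wraps the Red Hat diagnostic above and the distro-specific update commands into one POSIX sh script: it runs the test, turns the output into a machine-readable verdict (useful when checking many hosts rather than eyeballing one terminal), and prints the recommended update command for the host's distro family. The distro lookup assumes /etc/os-release exists (ID and ID_LIKE fields); the function names are the example's own. One caveat worth knowing: later bash builds only import functions from specially prefixed variables, so a patched host may print just "this is a test" with no warning at all, which is why the script keys on the absence of the injected "vulnerable" marker rather than on the warning text.

```shell
#!/bin/sh
# Added example (not from the original post): run the Red Hat shell shock
# diagnostic, classify the result, and name the update command to run.

# classify_output OUTPUT
# OUTPUT is the combined stdout+stderr of the diagnostic command.
# Prints "vulnerable" when the injected 'echo vulnerable' actually ran.
# Anything else prints "not-vulnerable": a patched bash either warns
# ("ignoring function definition attempt") or, in later builds that only
# import functions from prefixed variables, silently ignores x.
classify_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo not-vulnerable ;;
    esac
}

# run_check
# Executes the diagnostic against the bash found on PATH and prints the
# verdict. Prints "no-bash" and returns 2 when bash is not installed.
run_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>&1)
    classify_output "$out"
}

# remediation_for DISTRO_IDS
# Maps a whitespace-separated list of os-release style IDs (ID plus
# ID_LIKE) to the update command recommended in the post. Prints nothing
# and returns 1 when no known family matches.
remediation_for() {
    for id in $1; do
        case "$id" in
            centos|fedora|rhel)
                echo 'yum -y update bash'; return 0 ;;
            debian|ubuntu)
                echo 'sudo apt-get update && sudo apt-get install --only-upgrade bash'; return 0 ;;
        esac
    done
    return 1
}

# detect_distro_ids
# Reads ID and ID_LIKE from /etc/os-release (assumption: the file exists)
# and prints them lowercased on one line; returns 1 if the file is absent.
detect_distro_ids() {
    [ -r /etc/os-release ] || return 1
    ( . /etc/os-release; echo "$ID $ID_LIKE" ) | tr 'A-Z' 'a-z'
}

# Stand-alone usage: print the verdict, and the fix when one is needed.
verdict=$(run_check)
echo "shell shock check: $verdict"
if [ "$verdict" = vulnerable ]; then
    fix=$(remediation_for "$(detect_distro_ids)") \
        || fix='(no known package command for this distro; update bash from your vendor)'
    echo "recommended fix: $fix"
fi
```

Run the script again after updating bash; a host is only done when the verdict changes from "vulnerable" to "not-vulnerable", matching the post's advice to re-run the diagnostic after patching.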