A bug discovered in Bash, a widely used command interpreter, poses a critical security risk to Unix and Linux systems, security experts said. And lest you are tempted to dismiss the problem as just being a server issue, remember that Mac OS X uses Bash. Many experts warn it may be worse than Heartbleed.

The vulnerability is present in most versions of Bash, from version 1.13 to 4.3, according to Stephane Chazelas, a Unix and Linux network and telecom administrator at Akamai, who first disclosed the bug. The Computer Emergency Response Team (CERT) at the Department of Homeland Security warned in an alert that if exploited, the vulnerability could allow a remote hacker to execute malicious code on an affected system. The NIST vulnerability database has rated the bug 10 out of 10 in terms of severity.

"This vulnerability is potentially a very big deal," said Tod Beardsley, engineering manager at Rapid7.

The vulnerability has to do with how Bash handles environment variables. When Bash imports a function definition from an environment variable, it also executes any extra code that follows the function body in that definition. So all an attacker has to do is somehow append a bunch of commands to that definition—a classic code-injection attack—and they will be able to remotely hijack the affected machine. Chazelas and other researchers who have looked at the flaw have confirmed that it is easily exploitable if the code is injected into environment variables, such as through the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in Apache HTTP Server, or scripts which set the environment for DHCP clients.

"A large number of programs on Linux and other UNIX systems use Bash to set up environmental variables which are then used while executing other programs," Jim Reavis, chief exec of the Cloud Security Alliance, wrote in a blog post.

Inevitable Heartbleed Comparison

Consider two things about this vulnerability: Linux/Unix servers are widely used in data centers around the world as well as embedded in many devices; and the vulnerability has been present for years. Because Bash is so widespread, the comparison to Heartbleed, the OpenSSL vulnerability discovered back in April, is inevitable. Robert Graham of Errata Security has already dubbed the flaw ShellShock.

But is it Heartbleed 2? It's a little hard to tell. It's definitely a serious issue, because it gives attackers access to the command shell, which is the golden ticket to being able to do whatever they want on that machine.

Let's think in terms of size. Apache Web servers power the tremendous majority of Websites in the world. As we learned during Heartbleed, there are a lot of non-Linux/Unix machines that use OpenSSH and Telnet. And DHCP is instrumental in making it easy for us to hop on and off networks. This means that in addition to computers and servers, it is possible that other embedded systems, such as routers, are also vulnerable to hijacking. Errata Security's Graham, who has done some of the most thorough analysis of the bug so far, performed some scans and easily found a few thousand vulnerable servers, but it's a little hard at this point in time to estimate the magnitude of the problem.

However, the Heartbleed flaw was present just by having a vulnerable version of OpenSSL installed. This bug is not as straightforward.

"It's not as 'simple' as 'be running Bash,'" Beardsley said. For the machine to be vulnerable to attack, there needs to be an application (like Apache) taking in user input (like a User-Agent header) and putting it into an environment variable (which CGI scripts do), he said. Modern Web frameworks will generally not be affected, he said.

This may be why Graham said while ShellShock is as severe as Heartbleed, "there's little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug."

But before we freak out about routers and embedded devices (and the Internet of Things), keep in mind that not all systems use Bash. Ubuntu and other Debian-derived systems may use a different command interpreter called Dash. Embedded devices frequently use one called BusyBox, which is not vulnerable, Roel Schouwenberg, a senior researcher at Kaspersky Lab, said on Twitter.

Vulnerable or Not?

You can check if you're vulnerable by running the following commands (code provided by the CSA). Open a terminal window and enter the following command at the $ prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you're vulnerable it'll print:

vulnerable
this is a test

If you've updated Bash you'll only see:

this is a test
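The CSA one-liner above only tests whichever interpreter "bash" resolves to. As an added example (not from the article or the CSA), here is the same check wrapped as a shell function and run against several interpreters at once, which matters because, as the article notes, a host may run Dash or other shells alongside Bash. The interpreter paths at the bottom are assumptions about where shells typically live on a Linux or OS X host.

```shell
#!/bin/sh
# Added example, not code from the article: applies the CSA test string to a
# list of interpreters so a host can be checked in one pass.
# Assumes a POSIX sh and an env(1) that accepts NAME=value assignments.

# shellshock_check PATH
#   returns 0 if PATH executes the command smuggled after the function
#   definition, 1 if it does not, 2 if PATH is not an executable.
shellshock_check() {
    shell=$1
    [ -x "$shell" ] || return 2
    # Only "() { :;}" is a legitimate function definition; a fixed
    # interpreter must ignore everything after the closing brace, so the
    # word "vulnerable" must never appear in the output.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# report_shells PATH...
#   prints one "PATH: VULNERABLE|ok|missing" line per candidate interpreter.
report_shells() {
    for s in "$@"; do
        # "&& rc=0 || rc=$?" keeps a non-zero return from aborting under set -e
        shellshock_check "$s" && rc=0 || rc=$?
        case $rc in
            0) status=VULNERABLE ;;
            2) status=missing ;;
            *) status=ok ;;
        esac
        printf '%s: %s\n' "$s" "$status"
    done
}

# Assumed candidate paths; Dash is listed because Debian-derived systems
# may use it for /bin/sh, and a separately installed Bash may live elsewhere.
report_shells /bin/bash /usr/local/bin/bash /bin/sh /bin/dash /bin/zsh /bin/ksh
```

A "missing" line simply means that interpreter is not installed at that path; only a VULNERABLE line calls for action.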

Normally, I would say go ahead and patch right away, but it turns out the available patches are not complete. There are still ways to inject commands via environment variables even after patching Bash, Red Hat said this morning. If you just have a handful of machines, it may be worth going ahead and applying the available patches, but if you have thousands of machines to patch, maybe it's worth waiting a few more hours. All the upstream Linux distributions (and hopefully Apple!) are working on a fix right now.

"Remember, even if you have never heard of Bash before, or don't run it, you may very well have software running on your computer which spawns Bash processes," said independent security consultant Graham Cluley.
