The recently identified Bash vulnerability has created some stressful days for diehard Linux users. Also called “Shellshock,” “Bashdoor,” and the “Bash Bug,” this vulnerability is potentially more serious than Heartbleed.
Bash (a.k.a., the Bourne Again Shell) is a command-line Unix shell processor that has become so common it’s nearly ubiquitous in Unix and Linux installations today. Being a Unix shell, the Bash vulnerability also affects Apple Mac OS X installations.
Taking a marketing cue from Heartbleed — though lacking a snazzy logo — the bug is being referred to as Shellshock, and its potential consequences could be severe if left unaddressed.
“When accessed properly,” The Verge writes, “the bug allows for an attacker’s code to be executed as soon as the shell is invoked, leaving the door open for a wide variety of attacks.”
Security researcher Robert Graham has noted that the Bash bug “interacts with other software in unexpected ways.” For example, the vulnerability will be particularly impactful on one of the most talked-about buzzwords this year: The Internet of Things.
“Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts,” Graham writes. “Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”
You are safe from Shellshock at Managed.com
If you just want the bare-bones of the issue: Your Managed.com Linux server is updated and protected from the Shellshock Bash bug vulnerability.
Bash is preinstalled on CentOS as its default shell. For the majority of our servers, we apply CentOS as the main distribution (customers may, however, install a different distribution on their server). All of our Linux servers that run cPanel / Plesk with CentOS are set — again, by default — to automatically run updates.
Since Red Hat labeled the Shellshock bug as a “critical vulnerability,” the update was quickly pushed through and applied to all CentOS servers.
As part of our normal security evaluation process, we determined that the Shellshock vulnerability required swift action. That’s why our engineers were quick to apply the Bash update throughout our Linux environments.
While cPanel / Plesk is set to run critical updates by default, some users may have elected (for various reasons) to turn off automatic updates. If this is the case — and with the continued discovery of new exploits diverging from the initial Shellshock bug — we recommend you turn on automatic updates so you receive these critical patches. Nonetheless, our engineers have applied this fix to every Linux environment in our network.
If you have a custom server, or if you have chosen to install Bash through a different Linux distribution, your system may be at risk and you should update Bash immediately. (Note that additional vulnerabilities are still being found within the main Bash bug, so further updates will be required in the future.)
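For administrators of a custom server, or of a host where automatic updates were switched off, the following self-check is an added example written for this post; it is not code from the original article or from Managed.com. It reports the installed Bash version and then asks the local Bash binary whether it still imports a function definition from an arbitrarily named environment variable and runs the text that follows it, which is the behaviour the Shellshock patches removed. The environment variable name and the marker word are constructed for the probe; the only command the script names for remediation is CentOS's own “yum update bash”, which it prints rather than runs. The version string alone is not a reliable indicator, because CentOS backports the fix without changing the upstream version number, so a patched host can still report a version Troy Hunt's “through 4.3” range covers; the behavioural probe is what tells you whether the patch is in place.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only Shellshock
# self-check for the local machine. Exits 1 when Bash is still vulnerable.

# Print the installed Bash version, or "none" if Bash is not installed.
bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'printf "%s\n" "$BASH_VERSION"'
    else
        printf 'none\n'
    fi
}

# Print "vulnerable", "patched" or "none".
# SHELLSHOCK_PROBE is a constructed variable holding an empty function
# definition followed by a trailing command. An unpatched Bash imports the
# function from any variable name and executes the trailing command at
# startup, so the marker word appears in the output; a patched Bash does
# neither, and the child shell only prints "probe-ran".
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        printf 'none\n'
        return 0
    fi
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo SHELLSHOCK_MARKER' \
          bash -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) printf 'vulnerable\n' ;;
        *)                   printf 'patched\n' ;;
    esac
}

# Remediation for CentOS, the distribution the post describes. Printed, not
# executed, so the check itself changes nothing on the host.
remediation_hint() {
    printf '%s\n' 'yum update bash   # as root, then re-run this check'
}

# Report the findings; return 1 so cron jobs and monitoring can alert on it.
main() {
    printf 'Bash version: %s\n' "$(bash_version)"
    status=$(shellshock_status)
    printf 'Shellshock status: %s\n' "$status"
    if [ "$status" = "vulnerable" ]; then
        printf 'Remediation: %s\n' "$(remediation_hint)"
        return 1
    fi
    return 0
}

main
```

Because the probe only checks the Bash binary's handling of its own environment, it says nothing about whether a given web application, DHCP client or CGI script actually exposes that binary; it answers the narrower question the post raises, namely whether the update has been applied. Re-run it after each subsequent Bash update, since the post notes that further patches are expected.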
Apple has already released an OS X Bash Update 1.0 on their site to address the vulnerability within their operating system. The Bash update is recommended for all Apple users. If you are using an older version of Mac OS X, such as Lion, Apple has released Bash updates for previous versions of their operating system, as well. Go to their downloads page and search for “Bash Update.”
The Shellshock Bash bug may have a long tail
Linux installations of Bash, however, will take much longer to root out and fix. And, quite simply, the tech community will probably never find all of them.
Noted Microsoft MVP for Developer Security, Troy Hunt, put this into perspective in a recent blog post. He points out that everything through version 4.3 of Bash is affected by the vulnerability. “… or, in other words, about 25 years’ worth of Bash versions. Given everyone keeps comparing this to Heartbleed, consider that the impacted versions of OpenSSL [in Heartbleed] spanned a mere two years, which is a drop in the ocean compared to Shellshock.”
Due to this, the effects of Shellshock will be with us for years. Hunt continues, “… whichever way you cut it, the breadth of at-risk machines is going to be significantly higher with Shellshock than what it was with Heartbleed.” (Emphasis Hunt’s.)
The NIST vulnerability database rates the Shellshock vulnerability a “10 out of 10,” Hunt notes. The severity of the issue should not be understated.
New Bash vulnerabilities unearthed
Now, Mashable reports, new Common Vulnerabilities and Exposures (CVE) entries have been found in the Shellshock bug in the past few days.
Graham says that Shellshock is going to be with us for a while; and it will be impossible to completely eliminate it.
“Note that the thing with the Heartbleed bug wasn’t that the Internet was going to collapse, but that it’s in so many places that we really can’t eradicate it all,” Graham writes. “Thus, saying ‘as bad as Heartbleed’ doesn’t mean your website is going to get hacked tomorrow, but that a year from now we’ll be reading about how hackers got in using the vulnerability to [do] something interesting.”
As always, we take any new security issue very seriously. We will continue to monitor the Shellshock issue, and keep a close eye on its development.
UPDATE: According to Ars Technica, the SANS Technology Institute’s Internet Storm Center has elevated the threat level of the Shellshock vulnerability to yellow, indicating that an attack could pose “a minor threat to the Internet’s infrastructure as a whole.” That is to say, it’s not just a threat to a handful of servers and devices, but the entire internet.
------
Works Cited / For Further Reading:
Everything you need to know about the Shellshock Bash bug. (TroyHunt.com)
Worse than Heartbleed? Today’s Bash bug could break security for years. (The Verge)
Shellshock Continues: more vulnerabilities discovered. (Mashable)
Apple Mac OS X Bash Update 1.0. (Apple)
Apple Mac OS X Support Downloads Page. (Apple)
Shellshock fixes beget another round of patches as attacks mount. (Ars Technica)
Published: September 30, 2014 at 4:37 PM