Bash bug. We’re not talking about what to do when we find a cockroach – we’re talking about CVE-2014-6271/CVE-2014-7169, a remote vulnerability in what is arguably the most popular Unix/Linux command interpreter, present in every version of it from 1994 through…oh…now. This potentially allows virtually any attacker to gain full access to almost any non-Windows device, including servers (web servers, database servers, etc.), Apple computers, firewalls, routers, NAS storage devices, and more. (See: http://thehackernews.com/2014/09/bash-shell-vulnerability-shellshock.html) Basically, it involves constructing the contents of a *nix environment variable whose value looks like an empty function definition followed by some command; when a vulnerable bash imports that variable it also executes the trailing command. This can be exploited in various ways, such as by supplying rogue data to CGI programs, which pass request headers to bash as environment variables. Here is an example from Symantec which demonstrates exploitation by altering a browser user agent string.
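Because the CGI path passes request headers straight into environment variables, the "() {" signature shows up verbatim in web server access logs. The following is an added example, not code from the original post: a small POSIX shell script that scans Apache-style log lines (constructed sample lines are embedded) for that signature and lists the source addresses involved, which is the first thing a defender wants after reading the paragraph above.

```shell
#!/bin/sh
# Added example (not from the original post): look for the Shellshock signature
# in web server access logs. The only thing the pattern relies on is the
# "() {" prefix that a vulnerable bash interprets as a function definition.

# Constructed sample access log in Apache combined format. Two lines carry
# "() {" in a header field (User-Agent or Referer); the third is a normal hit.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:02:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.37.0"'

# Read log lines on stdin and print only those carrying the signature.
# -F makes grep treat the parentheses and brace literally, not as a regex.
shellshock_hits() {
    grep -F '() {'
}

# Read log lines on stdin and print how many carry the signature.
# grep -c exits non-zero when the count is 0; that is not an error here.
shellshock_hit_count() {
    grep -c -F '() {' || true
}

# Read log lines on stdin and print the de-duplicated source addresses of
# the offending requests (first field of the combined log format), which
# is the list to feed into blocking or further investigation.
shellshock_sources() {
    shellshock_hits | awk '{ print $1 }' | sort -u
}

# Run against the constructed sample; in practice: shellshock_sources < access.log
printf '%s\n' "$SAMPLE_LOG" | shellshock_hit_count
printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
```

Matching on the bare "() {" prefix rather than on any particular payload is deliberate: attackers vary the command after the function body, but the prefix is what the parser bug requires, so it is the stable part of the signature.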
So how do you tell if your system is vulnerable? The following command should tell you:
$ env X='() { :;} ; echo Be Afraid' `which bash` -c "echo Done."
If you enter this command in a terminal window and see "Be Afraid" in the output, your system is at risk. Update bash (on Red Hat-derived systems, for example):
# yum update bash
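To run that check across many hosts and compare results mechanically rather than by eye, the following added example (not from the original post) wraps the one-liner above in a function that prints a status word and sets an exit code. It goes slightly beyond the post's command by also checking for CVE-2014-7169, the follow-up to CVE-2014-6271 that was needed because the first fix was incomplete; that second probe runs in a throwaway temporary directory because on an unpatched bash it creates a file named "echo" there. Neither check modifies the system.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the installed
# bash is still affected by CVE-2014-6271 and by the follow-up CVE-2014-7169.
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2.

# Same probe as the one-liner in the post: an environment variable whose
# value looks like an empty function followed by a trailing command. A patched
# bash treats X as an ordinary string, so only "Done." is printed.
shellshock_status() {
    bash_bin=$(command -v bash) || { echo no-bash; return 2; }
    out=$(env X='() { :;} ; echo Be Afraid' "$bash_bin" -c 'echo Done.' 2>/dev/null)
    case "$out" in
        *"Be Afraid"*) echo vulnerable; return 1 ;;
        *)             echo patched;    return 0 ;;
    esac
}

# Probe for CVE-2014-7169. On a bash with only the first fix, the malformed
# function body leaves a dangling redirection in the parser state, so
# "echo date" becomes "> echo date" and writes a file named "echo" into the
# current directory. A fully patched bash just prints the word "date".
shellshock_7169_status() {
    bash_bin=$(command -v bash) || { echo no-bash; return 2; }
    tmp=$(mktemp -d) || { echo no-bash; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; echo vulnerable; return 1
    fi
    rm -rf "$tmp"; echo patched; return 0
}

# Stand-alone run: print both results on this host.
printf 'CVE-2014-6271: %s\n' "$(shellshock_status)"
printf 'CVE-2014-7169: %s\n' "$(shellshock_7169_status)"
```

Because the functions communicate through their exit code as well as the printed word, the script drops straight into a configuration-management or SSH loop ("for h in $hosts; do ssh "$h" sh < check.sh; done") and the non-zero returns can be collected as the list of hosts still needing the update.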
This vulnerability is vast in scope, because bash is everywhere, because Unix and Linux are everywhere. However, updates are available from major vendors, and patches to bash are available from the GNU Project.
The nutshell takeaway is to update systems which can be updated, and limit access to those which cannot be patched. Remember that external access directly to an affected device may not be necessary: an attacker who has already compromised another internal system can reach it laterally from there.
Photo: https://twitter.com/naehrdine/status/516231347460116480