Bash Bug

With security experts doing research every day to find vulnerabilities in our existing systems, here is another one. Stephane Chazelas, discovered a critical,
remotely exploitable security vulnerability in bash. Many have named this bug as Bash Bug, ShellShock etc.

This bug can be exploited to own up the sites or servers, potentially Apache/CGI are vulnerable to such attacks. However, SSH/GIT like systems which allow user to limit command usage can be exploited too.

This flaw stems up from the fact that bash like any other programming language allows to put functions into environment variables. When extra code is added to the end of these function definitions, the flaw triggers.

To identify that your system is vulnerable try something like this on your bash

env x='() { :;}; echo vulnerable’ bash -c ‘echo hello’

Now many people are claiming that this as big or bigger than Heartbleed. I concur with their statement because one Bash is a primary utility available in various Unix Like systems since 1980. Secondly many software leverage Bash for their purposes or objectives.  In addition to Linux Distros, MacOS X is also vulnerable to this bug.

Fortunately there patches available for Linux Distros for Mac OS X official patch may come up but before that you have may have to get down in detail to get vulnerability fixed

Here is a list of popular distributions of Linux with their patch URLs

Ubuntu

RedHat Linux Systems

For CentOS

Patches for Bash 3.0 to 4.3

For Mac OSX

Please note: We were not able to find Official Suse/Open Suse patches but they can patched by Patches from Bash 3.0 to 4.3 sources, but maintainers must working on the patch. But if you prefer official patches recommendation is to keep your non production systems off line and production systems close to your eyes.

 

Posted in Uncategorized.