Worse Than Heartbleed? ‘Shell Shock’ Bash Vulnerability Hits Linux, OS X Boxes

Written by Joe Kozlowicz on Thursday, September 25th 2014 — Categories: Security

unlocked padlockNews of a Bash vulnerability is spreading across the web today, and Green House Data has received multiple inquires from customers about the state of Linux servers, which are susceptible to the exploit. This bug allows remote code execution, so it could be used to distribute malware, run additional exploits, or access data. Bash is a command interpreter that is bundled with many distributions of Linux and Unix. Systems at risk include websites, servers, OS X Macs, routers, and other connected devices.


What is at risk?

The vulnerability is found in Bash versions up to 4.3. When assigning a function to a variable, the program executes trailing code, allowing code injection. It doesn’t require authentication, and allows unauthorized access to data, modification of data, and disruption of service.

Web servers running CGI scripts, e-mail clients, web clients that pass files to any external programs: all of these common environments are vulnerable to the Bash vulnerability.

Hackers have been using the bug to steal passwords, download malware, and even open and close CD drives to mess with some poor SysAdmins somewhere.

Ubuntu and Debian systems, or any box that relies on Dash instead of Bash, are supposedly not at risk.

It is unclear just how much damage might occur from this vulnerability; some are claiming that it could take down or slow the internet for hours or even days as admins stave off hacking attempts and Linux distributors continue releasing patches.


How do I fix my vulnerability?

Linux distributions have been scrambling to release patches, but they are still in progress and many are only temporary fixes. Green House Data technicians are actively working to scan servers for the vulnerability and are maintaining firewall and monitoring countermeasures.

For a quick test to see if a Linux box is vulnerable, open a terminal and
execute the following:

env x='() { :;}; echo vulnerable' bash -c “echo this is a test”

If vulnerable, it will display:

this is a test

This exploit can occur if the environment variable being sent is in the form of a function. The call “() { :;};” essentially creates a function. Bash will parse anything after this function call. In this case, “echo vulnerable” will be executed as well as anything after that.


Download GNU Patches: http://seclists.org/oss-sec/2014/q3/685



Download RedHat Patches: https://access.redhat.com/articles/1200223


Read more about the ‘Shell shock’ vulnerability: