Major Bash Vulnerability Affects Linux, UNIX, Mac OS X

  • 24 September 2014
  • 14 replies
  • 4 views

Userlevel 7
Badge +54
by Michael Mimoso   September 24, 2014 , 3:30 pm

A critical vulnerability in the Bourne again shell, simply known as Bash and which is present in most Linux and UNIX distributions and Apple’s Mac OS X, has been discovered and administrators are being urged to patch immediately.

The flaw allows an attacker to remotely attach a malicious executable to a variable that is executed when Bash is invoked.

“It’s super simple and every version of Bash is vulnerable,” said Josh Bressers, manager of Red Hat product security. “It’s extremely serious, but you need very specific conditions in place where a remote user would be able to set that environment variable. Thankfully, it’s not common.”

For context, Bash is present everywhere on Linux and UNIX systems, and this bug will invite comparisons to the Heartbleed OpenSSL vulnerability. The Bash bug was discovered by Stephane Chazelas, a Unix and Linux network and telecom administrator and IT manager at U.K. robotics company SeeByte Ltd.
 
Patches are starting to roll out from the major Linux distributions, Red Hat included, which acted immediately upon learning of Chazelas’ discovery once it was posted to the OSS security mailing list.
 
Full Article
 
 

14 replies

Userlevel 7
Badge +54

Could allow attackers to execute code on Linux, Unix, and Mac OS X.

by Sean Gallagher - Sept 24 2014
 
EXCERPT
 
"Because of its wide distribution, the vulnerability could be as wide-ranging and as potentially dangerous as the Heartbleed bug. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:
  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian
A test on Mac OS X 10.9.4 ("Mavericks") by Ars showed that it also has a vulnerable version of Bash. Apple has already issued a software update to fix the issue.  has not yet patched Bash, though a 10.9.6 security update just issued fixed "developer command line tools.""
 
Full Article
Userlevel 7
Badge +54

Much carnage to come, warn experts

By Darren Pauli, 25 Sep 2014  Much of the impact of the Shell Shocked vulnerability is unknown and will surface in the coming months as researchers, admins and – naturally – attackers find new avenues of exploitation.
The vulnerability, coined Shell Shocked by researcher Robert Graham, existed in the Bash command interpreter up to version 4.3 and affected scores of servers, home computers and embedded devices.
 While Australian consultants and security firms were examining the impact of the flaw to advise their clients, the existence of the flaw came as no surprise for some.
"To be honest it came as a complete lack of surprise to me," Assurance.com.au director and veteran Unix-hand Neal Wise said. "The use of shells for CGI was discouraged since the mid 90s."
"There will be a period of discovery where we find that this thing or that thing that we rely on in our code is vulnerable.
 
Full Article
Userlevel 7
Badge +54
by Pierluigi Paganini on September 25th, 2014
 
 http://securityaffairs.co/wordpress/wp-content/uploads/2014/09/bash-bug.jpg 

Bash Bug is a critical flaw  remotely Exploitable which affects Linux, Unix and Apple Mac OS X and that is threatening the global Internet infrastructure.

A new critical vulnerability dubbed Bash Bug in Linux and Unix command-line shell, aka the GNU Bourne Again Shell, is threatening the IT world. The flaw, coded as CVE-2014-6271, is remotely exploitable and affects Linux and Unix command-line shell potentially exposing to risk of cyber attacks websites, servers, PCs, OS X Macs, various home routers, and many other devices. Stephane Chazelas publicly disclosed the technical details of the remote code execution vulnerability in Bash, which affects the majority of the Linux distributions and servers worldwide.Stephane explained that the vulnerability it has existed for several decades and it is related to the way bash handles specially-formatted environment variables, namely exported shell functions. Full Article
Userlevel 7
Badge +13
This is definitely scary,and should serve as a wakeup call to all my friends who think they are immune to malware because they do not run windows.Times are a changin.
Userlevel 7
Badge +54
@ wrote:
This is definitely scary,and should serve as a wakeup call to all my friends who think they are immune to malware because they do not run windows.Times are a changin.
I agree superssjdan. There are quite few know who because they don't run Windows think they are immune, this could well be bigger than Heartbleed.
Userlevel 7
Badge +54
Graham Cluley | September 25, 2014
 
EXCERPT
 

Are your computers vulnerable?

Fortunately, there’s an easy way to tell if your computers might be at risk.
Open a terminal window and enter the following command at the $ prompt:
 
env x='() { :;}; echo vulnerable' bash -c 'echo hello'1env x='() { :;}; echo vulnerable' bash -c 'echo hello'
 
If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
hello
But if you are vulnerable, then you will see:
vulnerable
hello
 
Full Article
Userlevel 7
By  Stephen McBridePublished  September 25, 2014
 
 
A Red Hat security team has uncovered a flaw in UNIX-style command interpreter tool Bash, which, according to analysts, could prove as deadly as Heartbleed.
 
Bash is one of the most widely used tools in the Linux install base, and many applications run the shell in the background. According to Red Hat's security blog, Bash can be used to "provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)".
 


 
 
 
itp.net / full article here/ http://www.itp.net/600057-red-hat-uncovers-unix-based-shell-bug-worse-than-heartbleed
Userlevel 7
NEW YORK (CNNMoney)
'Bash' bug could let hackers attack through a light bulb
By Jose Pagliery @Jose_Pagliery September 25, 2014: 10:54 AM ET

Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.

Computer security researchers have discovered a flaw in the way many devices communicate over the Internet. At its most basic, it lets someone hack every device in your house, business or government building -- via something as simple as your "smart" light bulb.  read more >>
Userlevel 7
Badge +35
We are pleased to say that we have verified all Webroot servers were not susceptible to this vulnerability, but were properly patched to the current version of Bash anyway.
Userlevel 7
Badge +54
This is good news for Mac most users.
 
Apple says users of its OS X operating system are "safe by default" from the new security vulnerability, which has been described as bigger than Heartbleed.
 
by Luke Westaway Apple says that most Mac users are safe from a newly-discovered security flaw, that could -- in principle -- allow hackers to take over an operating system.
Known as the "Shellshock" or "Bash" bug , the latest vulnerability for the world's computers involves the execution of m
alicious code within a bash shell, which is a command-line shell used in many Linux and Unix operating systems, and by Apple's Mac OS X operating system. Apple however says that most people using its software have nothing to worry about."The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," Apple reportedly told iMore.
 
Full Article
Userlevel 7
The following article is a update on Bash Vulnerability

(Bash Shellshock Bug Patched but 

Not Pummeled)

http://www.technewsworld.com/article_images/story_graphics_xlarge/xl-2014-bash-shellshock-1.jpgBy Jack M. Germain
09/25/14 3:21 PM PTResearchers on Thursday discovered proof-of-concept code that could take advantage of unpatched computer systems, and found evidence of attacks exploiting the BASH Shellshock bug in the wild.
Shellshock, which came to light on Wednesday, could become a major threat to Linux/Unix and Apple operating systems if published patches to BASH are not applied before an attacker cashes in. However, there's some concern that the current patches may not be complete.
The United States Computer Emergency Readiness Team, or US-CERT, on Thursday issued a warning about the vulnerability.
BASH, the GNU Project's Bourne-Again SHell, is named after computer scientist Stephen Bourne, who wrote the original Shell code.
"BASH is easier to exploit than Heartbleed in the sense that it doesn't require technical knowledge as deep. It is probably installed in more places and on more systems than OpenSSH. So in that sense, the available attack surface is larger," BASH maintainer Chet Ramey told TechNewsWorld.
 
TechNewsWorld/ full article here/ http://www.technewsworld.com/story/81102.html
 
 
Userlevel 7
The following article is a update on Bash Vulnerability

(Fortune 1000 overlords SHELLSHOCKED into Bash patch batch)

By John Leyden, 29 Sep 2014
 
The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage.
The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE-2014-6271 weakness in the Bourne-Again Shell (Bash) affecting most Unix and Linux-based systems.
 
The Register/ full article here/ http://www.theregister.co.uk/2014/09/29/shellshock_patching_bash_cloudpassage/
Userlevel 7
Badge +56
Looks like there are some new vulnerabilities that are being patched:
http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx
Userlevel 7
The following article is a update ojn Bash Vulnerabilites

(Bash bug flung against NAS boxes)

By John Leyden, 1 Oct 2014
 
Hackers are attempting to exploit the BASH remote code injection vulnerability against Network Attached Storage (NAS) systems.
Miscreants are actively exploiting the time-to-patch window in targeting embedded devices, security firm FireEye warns.
We have evidence that attackers are actively exploiting the time-to-patch window and targeting embedded devices, specifically those made by QNAP, in order to append their SSH key to the authorized_keys file and install an ELF backdoor.
The sheer number of devices which run an embedded Linux OS mean that the potential for wide scale compromise of network-connected personal and business data storage systems is very high. Many smart or connected devices utilise similar set-ups as NAS boxes and may be just as vulnerable.
FireEye reckons the ongoing attack represents one of the first in the wild Shellshock attack against Internet of Things devices
 
 
The Register/ Article/ http://www.theregister.co.uk/2014/10/01/sheelshock_nas_attack/

Reply