New “unix Bash security hole”, deadlier than “Heartbleed”


images2A big unix bash hole (“Shellshock”) uncovered on 24thSep 2014, which can be used to take control of your unix based system.

Bash is the very powerful software to control unix based systems via command line. And if this powerful weapon reaches to an unwanted person, everything can be sacrificed.

The Department of Homeland Security’s United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple Inc’s Mac OS X.

Is your system vulnerable ?

As per an excellent write-up by RedHat, to check if your system is vulnerable, type below commands in bash.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see an output like

vulnerable
this is a test

You need a patch to fix it.

It is relatively easy to use this hole.

Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned the bug was rated a “10” for severity, meaning it has maximum impact, and rated “low” for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

Fix it!

US-CERT advised computer users to obtain operating systems updates from software makers. It said that Linux providers including Red Hat Inc (RHT.N) had already prepared them, but it did not mention an update for OS X. Apple representatives could not be reached.

To update it a similar type of command can be run

yum update bash

After a patch, if you run above command, you will find a output similar to

env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

For MAC users:
http://security.stackexchange.com/questions/68202/how-to-patch-bash-on-osx-in-wake-of-shellshock
Unlike Heartbleed, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.

Know more:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924