A vulnerability in Bourne again shell also known as Bash has been found that can effect the majority of Linux, UNIX and OS X users. The bug is know as Bash or Shellshock bug.
Exploiting the security weakness in the Bash allows hacker to attach an executable to a variable which is executed when Bash is invoked. It enables the hacker to take control of the operating system that is running the infected Bash code and access victim’s confidential information or even various devices and web servers .
The fact that user’s operating system is danger of being taken control by hackers makes Bash bug as dangerous as Heartbleed bug that shocked internet users earlier this year by using by exploiting vulnerability in OpenSSL. An engineering manager at Rapid7, Tod Beardsley, said that in the scale from 1 to 10 the Shellshock was rated a “10” in the severity section. This rating shows that the possible impact of the Bash bug may have devastating consequences.
What is even more troublesome when looking into this bug is that the accessibility to the exploit is relatively easy and it was present for as long as the Bash code existed. Furthermore, most of the software developed for the effected platforms interact with the shell to invoke another libraries in some way, making implementation of the exploit easy to perform without being noticed by the user as even now there are plenty programs that call bash without user knowing about it at all. It makes it similar to the Heartbleed bug that enabled attacker’s to exploit the SSL vulnerability without site operator knowing. Moreover, the exploit can be used to hack Apache servers by using mod_cgi or mod_cgid if either of the scripts is written in Bash. According to Red Hat’s Bressers the Shellshock can be used to bypass Forecommand in sshd configs.
Tod Beardsley said that the bug is rated ‘low’ for complexity of exploitation. Beardsley also warned that due to the wide range of devices affected, system administrators have to deploy the patches to reduce the threat of the Bash bug immediately. Even though Red Hat and Fedora have already released the patches, Apple is yet to release a patch for OS X. Nevertheless, Mac users may find details on how to check if their system is vulnerable to the exploit in the Stack Exchange post. There is also a similar post for Linux users. These websites also include links to Bash patches or workaround steps. However, they are not official and seem to not provide full security yet.
Security expert Robert Graham warns everybody in his blog that he right now has one serious question regarding the bug – whether or not Mac OS X and iPhone DHCP service is vulnerable. Security expert said that if Shellshock manages to bypass the firewall and runs hostile DHCP server it will be a “game over” for large networks.
When Heartbleed bug was first found out various VPN providers have taken measures to secure their users from OpenSSL exploits. However, it is still too early to know what steps will be taken by them against the Bash bug. Moreover, the nature of the exploit may mean that VPN providers will only be able to update their clients for the platforms that are in danger from Shellshock. Therefore, users themselves should take steps mentioned in the article to secure their data.