Reports: Shellshock Attacks Already Uncovered

Hackers have already launched attacks aimed at exploiting the Shellshock Bash bug, according to security researchers at AusCERT and MalwareMustDie. That means administrators should patch vulnerable systems as soon as possible.

Shellshock is the name given to a vulnerability that exists in GNU Bash (Bourne-Again Shell) versions 1.14 through 4.3. Unix and Linux systems — as well as Mac OS X (which also uses bash) — are at risk from the bug in Bash, a commonly used command interpreter, according to U.S. CERT (Computer Emergency Readiness Team). The U.S. National Vulnerability Database rated Shellshock 10/10 for severity with a complexity rating of “low,” meaning it is very easy to exploit.

The Bash bug has the potential to be bigger than the Heartbleed vulnerability, which has gone down in security history as one of the worst bugs ever. Heartbleed only affected a specific version of OpenSSL. But the Bash bug has been around for a long time, which means lots of old devices on the network are vulnerable. And that means the number of systems that need to be patched — and probably won’t be patched — is a lot larger than the fallout from Heartbleed.


First Patch Didn’t Patch

“US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system,” the agency said, adding that a patch was initially issued but didn’t fully address the problem. “MITRE later assigned a patch to cover the remaining problems after the application of the first patch.”

The agency recommended that users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Red Hat Security Blog for additional details as well as refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. “A GNU Bash patch is also available for experienced users and administrators to implement,” the agency said.

Failure of Open-Source Community?

Chris Stoneff, director of Professional Services at Lieberman Software, told us the blame for the lack of insight into the Bash vulnerability rests squarely on the shoulders of the open-source community.

“I see this as a failure in the mindset of the open source community where everyone waits for everyone else to do something or find something,” Stoneff told us. “One of the interesting things happening with so much bashing of closed source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OS X have gained in recent years to would-be attackers.” (continued…)
