Are you Shellshocked?

In Technology by Tom

You have probably heard all the news about the Shellshock bug going around the internet. The question is, how do you know whether you’re affected? Before I get to that, I should explain what Shellshock is and why it poses such a big threat, in case you don’t know.

Simply put, Shellshock, also known as the bash bug, is a vulnerability in the Bourne Again Shell (Bash). Bash is used in millions of devices based on Unix or Linux operating systems. This affects Macs, web servers (potentially including your bank’s servers), industrial equipment and other internet-connected devices.

The bug was first discovered on the 12th September 2014 by Stephane Chazelas, a security researcher at Akamai Technologies, while investigating an earlier bug he had found in Bash a few months prior. What’s astonishing is that the bug has existed in Bash since 1993 and went unnoticed until now.

The realisation of the scale and impact of [it] and what I had in my hands was quite scary.
– Stephane Chazelas, Akamai Security Researcher

Upon finding the bug, Stephane reported it to Chet Ramey, co-founder and maintainer of the Bash source code. It was then privately disclosed to a number of Linux distributors, including Ubuntu, Red Hat and Debian.

The NIST National Vulnerability Database rates both CVE-2014-6271 and CVE-2014-7169 at 10 out of 10 for severity (10 being the most severe). This is because the bug is simple to exploit yet has maximum impact, according to security expert Robert Graham.

On the 24th September 2014 Red Hat released a patch for CVE-2014-6271, but soon realised the patch was incomplete and released a follow-up for CVE-2014-7169 on the 26th. Other patches have been released since then but have proven mostly ineffective.

This is potentially the easiest website defacement vector we’ve ever seen, not to mention a very easy way of distributing malware.
– Troy Hunt, Microsoft MVP

I’m at the Virus Bulletin 2014 Conference, taking bets on when we’ll see a worm exploiting the #Shellshock bash bug.
– Mikko Hypponen, F-Secure Security Expert via Twitter

To find out whether your system requires patches, follow the steps below:

  1. Open a Terminal window.
  2. Type the command:
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  3. If you are vulnerable, you’ll get this:
    vulnerable
    this is a test

    Otherwise (on a patched Bash) you’ll get this:

     bash: warning: x: ignoring function definition attempt
     bash: error importing function definition for `x'
     this is a test
  4. If you are vulnerable, please contact your operating system vendor for further information and, if possible, isolate the vulnerable systems from the internet.

Please note this information is made available ‘as-is’ from Red Hat and no warranties are implied.
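If you have more than one copy of Bash on a machine (the system one plus, say, a bundled one under /usr/local), checking each by hand gets tedious. The script below is an added example, not part of the original post or of Red Hat’s advisory: it wraps the same probe from the steps above in a POSIX sh function that reports the status of a given bash binary with a distinct exit code, and a second function that scans the usual locations. The function names, the candidate paths and the exit-code convention are my own choices, not anything from the page.

```shell
#!/bin/sh
# Added example (not from the original post): automate the manual
# Shellshock self-check for every bash binary found on the system.
#
# Exit status of shellshock_check <path>:
#   0 = the bash at that path is patched for CVE-2014-6271
#   1 = the bash at that path ran the trailing command (vulnerable)
#   2 = no executable found at that path

shellshock_check() {
    bash_bin="$1"
    if [ ! -x "$bash_bin" ]; then
        echo "$bash_bin: no such executable"
        return 2
    fi
    # Same probe as the manual test: an environment variable whose value
    # looks like a function definition followed by an extra command.
    # A vulnerable bash executes "echo vulnerable" while importing the
    # environment; a patched bash instead prints the "ignoring function
    # definition attempt" warning (captured here via 2>&1) and only
    # runs the -c command.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    case "$out" in
        *vulnerable*)
            echo "$bash_bin: VULNERABLE (CVE-2014-6271)"
            return 1
            ;;
        *)
            echo "$bash_bin: patched"
            return 0
            ;;
    esac
}

# Scan the usual install locations (assumed list, extend as needed) plus
# whatever "bash" resolves to on PATH. On merged-/usr systems /bin/bash
# and /usr/bin/bash are the same file and will simply be reported twice.
# Returns 1 if any copy is vulnerable, 0 otherwise.
shellshock_scan() {
    found_vulnerable=0
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash \
                     "$(command -v bash 2>/dev/null)"; do
        [ -n "$candidate" ] || continue
        [ -x "$candidate" ] || continue
        if ! shellshock_check "$candidate"; then
            found_vulnerable=1
        fi
    done
    return $found_vulnerable
}

shellshock_scan
```

Run it as root if some of the candidate paths are not readable by your user; a non-zero exit from shellshock_scan is the signal to follow step 4 above for that host.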

At the time of writing, Apple and Oracle are yet to release patches. It is also important to note that networking equipment such as switches and routers can be affected, including those running Juniper JunOS and Cisco IOS. Windows machines can also be affected if Cygwin is installed.
