New Vulnerability in Bash Named ShellShock - More Severe than HeartBleed

It is a tough week to work in network security.

A new critical vulnerability in a widely used OS component has a perfect score for threat level. It is widely used (pretty much all non-Windows systems), it is easy to find, and it allows full control of a target with no authentication.

This gives ShellShock a perfect score across the board for the NIST's Threat Vulnerability Database. A worst-case scenario.

The attack is so simple that it could be automated into a Worm that will scour the internet, infect systems, and turn those systems into zombies looking for additional victims. A botnet of vulnerable servers is already being built according to Robert Graham of Errata Security.

The problem lies at the heart of the bash command. It executes arbitrary code that is placed after code that defines boundaries for a software environment. To put the example in plain english, bash expects environment variables to be defined in a normal command. Such as:

"Go play in the park."

The problem is that bash accepts extra trailing commands into this environment command.

"Go play in the park. Oh and give me all of your keys, and download and execute all of this code from my malware server."

To fix the vulnerability, make sure you update bash to current on all systems as soon as possible. This one is going to be bad!

More information:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

< last
next >