Shellshock vulnerability roils Linux server shops

The GNU Bash shell can provide an entry point for launching more severe attacks, researchers find

Shellshock vulnerability test for Bash

Shellshock vulnerability test for Bash

A long-standing vulnerability unearthed in the GNU Bash software, nicknamed Shellshock, has disrupted the daily activities of the Linux system administrator community, as Linux distributors, cloud vendors and end users grapple to understand the full scope of the potential damage it could cause.

"It's a very subtle and complicated vulnerability," said Owen Garrett, head of products for Nginx, a provider of server software.

The vulnerability "is trivially easy to exploit if you know what you are doing, so it really is a potentially serious problem," Garret said. "The upside is that the remedy is quick and easy."

The vulnerability is a flaw in the open-source GNU Bash shell found in nearly all Linux distributions, as well as in the Apple OS X operating system.

Thursday, researchers found a second, related vulnerability in the shell.

A shell is an interface for users to interact with computers, by way of either a graphical environment interface or -- in Bash's case -- a text-based command line interface. The vulnerability allows a malicious user to issue commands to the operating system.

In one sense, the vulnerability is not a serious one, noted Wolfgang Kandek, chief technology officer of IT security firm Qualys. A user with access to Bash already can access all the commands that the operating system offers to routine users. But it can be dangerous insofar as Bash is also used by other programs to complete their own tasks, and thus may offer a backdoor into some systems.

For instance, it could be used with the CGI (Common Gateway Interface), Kandek noted. CGI is a legacy, but still widely used, technology used in the early days of the commercial Internet to provide user interactivity to websites. CGI uses Bash to manipulate the server's OS.

A malicious user could inject commands into a CGI request that would get processed by the server, Kandek said. An attacker, for instance, could use Shellshock to take advantage of some other vulnerability that could not otherwise be executed from over the network, perhaps a vulnerability that would allow the attacker to then gain control of the machine.

Administrators are encouraged to patch their systems as quickly as possible. This is the easy part. In most Linux distributions, updating the system software can usually be done through a single command, Kandek said.

Fortunately, all the major Linux vendors quickly issued patches, including Debian, Ubuntu, Suse and Red Hat.

Red Hat also posted a one-line command that could easily test if a machine is vulnerable to the attack.

And not a second too soon, given that software programs that exploit the vulnerability quickly surfaced after the news of the vulnerability broke.

Running a honeypot server, IT management firm AlienVault has also found that multiple parties are already scanning the Internet to find machines with the vulnerability.

A honeypot is a machine placed on the Internet with the intent to characterize how much and what kind of malicious activity is taking place online, usually by using unpatched software that attackers can use to gain access.

Cloud infrastructure services providers that offer stock Linux distributions as virtual images, which are used based on the latest stock release of a distribution, could have unpatched versions of Bash. Some may have already mitigated the issue: Amazon Web Services, which maintains its own version of Linux, automatically updates any Linux virtual machines with the latest patches before they are deployed.

As a general best practice, however, anyone deploying a virtual machine for the first time should immediately update the software, Kandek said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags gnuNGINXsecuritypatch managementExploits / vulnerabilitiesqualys

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?