Shellshock vulnerability roils Linux server shops

The GNU Bash shell can provide an entry point for launching more severe attacks, researchers find

Shellshock vulnerability test for Bash

Shellshock vulnerability test for Bash

A long-standing vulnerability unearthed in the GNU Bash software, nicknamed Shellshock, has disrupted the daily activities of the Linux system administrator community, as Linux distributors, cloud vendors and end users grapple to understand the full scope of the potential damage it could cause.

"It's a very subtle and complicated vulnerability," said Owen Garrett, head of products for Nginx, a provider of server software.

The vulnerability "is trivially easy to exploit if you know what you are doing, so it really is a potentially serious problem," Garret said. "The upside is that the remedy is quick and easy."

The vulnerability is a flaw in the open-source GNU Bash shell found in nearly all Linux distributions, as well as in the Apple OS X operating system.

Thursday, researchers found a second, related vulnerability in the shell.

A shell is an interface for users to interact with computers, by way of either a graphical environment interface or -- in Bash's case -- a text-based command line interface. The vulnerability allows a malicious user to issue commands to the operating system.

In one sense, the vulnerability is not a serious one, noted Wolfgang Kandek, chief technology officer of IT security firm Qualys. A user with access to Bash already can access all the commands that the operating system offers to routine users. But it can be dangerous insofar as Bash is also used by other programs to complete their own tasks, and thus may offer a backdoor into some systems.

For instance, it could be used with the CGI (Common Gateway Interface), Kandek noted. CGI is a legacy, but still widely used, technology used in the early days of the commercial Internet to provide user interactivity to websites. CGI uses Bash to manipulate the server's OS.

A malicious user could inject commands into a CGI request that would get processed by the server, Kandek said. An attacker, for instance, could use Shellshock to take advantage of some other vulnerability that could not otherwise be executed from over the network, perhaps a vulnerability that would allow the attacker to then gain control of the machine.

Administrators are encouraged to patch their systems as quickly as possible. This is the easy part. In most Linux distributions, updating the system software can usually be done through a single command, Kandek said.

Fortunately, all the major Linux vendors quickly issued patches, including Debian, Ubuntu, Suse and Red Hat.

Red Hat also posted a one-line command that could easily test if a machine is vulnerable to the attack.

And not a second too soon, given that software programs that exploit the vulnerability quickly surfaced after the news of the vulnerability broke.

Running a honeypot server, IT management firm AlienVault has also found that multiple parties are already scanning the Internet to find machines with the vulnerability.

A honeypot is a machine placed on the Internet with the intent to characterize how much and what kind of malicious activity is taking place online, usually by using unpatched software that attackers can use to gain access.

Cloud infrastructure services providers that offer stock Linux distributions as virtual images, which are used based on the latest stock release of a distribution, could have unpatched versions of Bash. Some may have already mitigated the issue: Amazon Web Services, which maintains its own version of Linux, automatically updates any Linux virtual machines with the latest patches before they are deployed.

As a general best practice, however, anyone deploying a virtual machine for the first time should immediately update the software, Kandek said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags patch managementqualysgnuExploits / vulnerabilitiesNGINX

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?