A critical security flaw known as ‘Shell Shock’ has recently been found in Bash, and it is worrying a lot of people, rightly so. The US National Vulnerability Database rates this new flaw as a Level 10, and CERT Australia has noted plenty of online chatter around exploiting the bug.
What is Bash?
Bash (Bourne Again Shell) is a pervasive command line utility used in many Unix-based operating systems, including Linux and OS X.
Bash is not a new command line tool: it was first released in 1989 and is now distributed as open source software under the GNU project. Its design can be directly traced back to the origins of Unix in the late 1960s.
What is Shell Shock?
Shell Shock was first discovered by Edinburgh-based programmer Stephane Chazelas weeks ago. The bug, present in all versions of Bash dating back at least to 1994, relates to the handling of configuration information.
A maliciously formatted configuration string can cause Bash to do literally anything the user has permission to do. As it can be easily exploited remotely and can give an attacker full control over a system, this vulnerability is known as a Remote Root exploit – the worst kind.
Who is affected?
Anyone running Bash is at risk. This includes Linux, Unix and Mac OS users (including Mac desktop and laptop users).
Most Mac desktop systems do not have many network-accessible server programs running on them by default, which limits the ways the bug could be exploited. However, email attachments represent one way the bug can be leveraged, as do malicious Wi-Fi hot spots. Mac laptop users connecting to untrusted hot spots risk an attacker exploiting the flaw and securing full access to their computer.
Windows-based desktops and laptops do not include Bash by default, so only those that have deliberately installed Bash need be concerned.
How to mitigate the risk?
Most operating system vendors have already released updates that completely or at least partially mitigate the risk of being exploited. CERT Australia recommends that all system administrators and consumers ensure their software updates are applied as soon as they become available.
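One way to confirm that an update has taken effect, as an added example that is not part of the original article: the script below starts each Bash binary with a harmless probe variable and reports whether a command appended to the variable's value gets executed. The function names, the PROBE variable and the MARKER string are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check whether a Bash binary still runs a command that is
# appended to a function-style environment variable (the Shell Shock flaw).
# probe_bash, scan_bash_binaries, PROBE and MARKER are names made up here.

# probe_bash BINARY -> prints "missing", "vulnerable" or "not-vulnerable"
probe_bash() (
    bin=$1
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        echo "missing"
        exit 0
    fi
    # Start from an empty environment (env -i) so only the probe variable is
    # passed in. Its value looks like a function definition followed by an
    # extra command. An unpatched Bash executes that trailing command while
    # importing the variable; a fixed Bash treats the value as plain text.
    out=$(env -i PROBE='() { :;}; echo MARKER' "$bin" -c 'echo started' 2>/dev/null)
    case $out in
        *MARKER*) echo "vulnerable" ;;
        *)        echo "not-vulnerable" ;;
    esac
)

# Probe the bash found on PATH plus every bash listed in /etc/shells.
scan_bash_binaries() {
    {
        command -v bash 2>/dev/null || true
        if [ -r /etc/shells ]; then
            grep -E '/bash$' /etc/shells || true
        fi
    } | sort -u | while read -r bin; do
        printf '%s\t%s\n' "$bin" "$(probe_bash "$bin")"
    done
}

scan_bash_binaries
```

A not-vulnerable result covers only this one probe and does not show that a vendor's fix is complete, so applying every available update remains the mitigation.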
References
CERT Australia has issued an Advisory about the vulnerability.
The US National Vulnerability Database rates this as severity 10.
To better understand your security risks, contact the blueAPACHE Account Management Team.