Bash Bug could be a bigger threat than Heartbleed

“Bash bug, Could be a Nightmare for Linux users”

The “Bash Bug”, a newly discovered flaw in Bash (the Bourne-again shell), the command-line shell used on most Linux and Unix operating systems, could be a bigger threat than Heartbleed, the Red Hat security team has warned.

Bash, or the Bourne-again shell, is a Unix-like shell that is widely used as the command interpreter on many Linux computers.

The vulnerability arises from the ability to create environment variables with specially crafted values before calling the Bash shell. If Bash is configured as the default system shell, the vulnerability can be triggered by network-based attackers, who can use it to execute commands on servers and devices running Linux or Unix, in the worst cases leaving behind a backdoor for future attacks.

What could the “Bash bug” do?

A crafted web request targeting a vulnerable CGI application could launch commands on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure-shell sessions to bypass controls and execute code on the server. DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server; this would allow arbitrary commands to be run, typically as root, on the DHCP client machine. These are only a few examples; the bug is capable of much more.

Why could the Bash bug be a bigger threat than Heartbleed?

“Heartbleed”, the bug that resided in production versions of OpenSSL, allowed attackers to extract user IDs and data travelling between servers and end users, while the Bash bug could give an attacker full control over the system.

The “Bash Bug” has been present in enterprise Linux software for years and affects versions 1.14 through 4.3 of GNU Bash. Red Hat and Fedora have already issued a patch for the bug.

Mac OS X is also affected by the bug; a patch is yet to be released by Apple, though it has just issued an update to “command line tools.”

To check if your Linux or Unix system is Vulnerable:

Type the following at a command line (each line is a separate test):

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • env X='() { :;} ; echo shellshock' /bin/sh -c "echo completed"
  • env X='() { :;} ; echo shellshock' `which bash` -c "echo completed"

If your system is vulnerable, the first command prints:

vulnerable
this is a test
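As an added example, not code from the original article, the script below wraps the first test above in a function so its result can be checked from a script, and also counts web-server access-log lines that carry the `() {` function-definition prefix, which is what a probe of the CGI vector described earlier leaves in a log. The function names and the sample log lines are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original article.
# 1) shellshock_local_check: the article's environment-variable test,
#    wrapped in a function that returns a single word.
# 2) shellshock_log_hits: count access-log lines whose header fields
#    carry the "() {" prefix that a Shellshock probe of a CGI script
#    places in a request header (User-Agent, Referer, etc.).

# Prints "vulnerable" if the installed bash still runs the command that
# follows an exported function definition, "patched" if it ignores it,
# and "absent" if no bash binary is on PATH.
shellshock_local_check() {
    command -v bash >/dev/null 2>&1 || { echo absent; return 0; }
    # Same test as in the article. A patched bash prints only
    # "this is a test" (plus a warning on stderr, which is discarded).
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Reads log lines on stdin and prints how many contain the literal
# string "() {". grep -c exits 1 when the count is 0, so that exit
# status is masked to keep the function usable under "set -e".
shellshock_log_hits() {
    grep -F -c '() {' || true
}

# Constructed sample access-log lines (combined log format). Two of the
# three carry the prefix: one in the User-Agent field, one in Referer.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo shellshock-probe" "curl/7.37.0"'

echo "local bash: $(shellshock_local_check)"
echo "log lines carrying the () { prefix: $(printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits)"
```

To run the log check against a real file, feed it on stdin: `shellshock_log_hits < /var/log/apache2/access.log` (path is an example).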

Abhishek Kumar Jha
Knowledge is Power

1 COMMENT

  1. All my Linux clients just state

    -bash: syntax error near unexpected token `('

    after each command – guess I am not affected then
