2014-09-26 / Dan Staples
A new and serious vulnerability in the Linux Bourne-again shell (Bash) has been making the rounds in the media lately, termed either Shell Shock or the Bash Bug. The vulnerability is potentially even more significant than the Heartbleed vulnerability earlier this year, and likely affects a huge number of servers on the internet.
The vulnerability itself stems from the way the Bash shell interprets environment variables. If an attacker is able to set an environment variable in a bash-interpreted script, such as many CGI scripts commonly found on web servers, they can cause the Bash shell to execute arbitrary commands, potentially giving the attacker control over the server. The most common attack vectors for this vulnerability come from an attacker setting their user agent or HTTP header strings, which are put into environment variables when CGI scripts are run on the server they connect to. Even DHCP clients are vulnerable. For more detailed information on Shell Shock, check out this detailed analysis on troyhunt.com.
Many of you might be wondering if the Commotion router firmware is vulnerable to the Bash bug. Fortunately, the answer is no. The interactive shell that runs on Commotion-router, which is the default shell in the OpenWRT project Commotion-router is based on, is not Bash but rather the Almquist shell (ash) that is packaged with the BusyBox software. Although there is no guarantee that other Linux shells are not also vulnerable to the same bug, we have confirmed that the ash shell that comes with OpenWRT is in fact not vulnerable.
Still, if you administer a computer or server that runs Bash, you’ll want to get the latest security updates from your distribution right away:
OSX (must recompile bash):
Thanks to Ben West for providing the above links.