Protect your Server Against the Shellshock Bash Vulnerability

It seems like every other day there is a new vulnerability; that is simply the nature of the internet, and usually it isn’t much of a big deal. Shellshock is a step above most of the vulnerabilities that have come out lately and has been categorized as one of the worst, right up there with Heartbleed. As with most scary vulnerabilities, it has a cool name.

A GNU Bash vulnerability, referred to as Shellshock or the “Bash Bug”, was disclosed on September 24th. It allows remote attackers to execute arbitrary code by appending commands after a function definition stored in an environment variable; Bash runs those trailing commands when it imports the variable. Bash runs on most Unix-style systems, which includes but is not limited to:

  1. Most servers that are powering the internet
  2. Any Linux powered work station
  3. Networking equipment along the lines of routers
  4. Chromebooks
  5. Apple Computers (Macbook, Mac Mini, Mac Pro)
  6. Some Android devices

Basically, any unpatched Bash version from 1.14 through 4.3 is at risk, which means anything running Bash from before right now. Some services affected by this exploit are Apache HTTP servers, some DHCP clients, OpenSSH, and other network services. You can read more at CVE-2014-7169 and CVE-2014-6271. There is currently an incomplete fix, which is a quick update; a more solid fix will follow in the near future, but for now the incomplete fix will at least protect you from the initial attacks.

Am I Vulnerable?

You can check if you are vulnerable by running a quick command in your Bash Shell:

env VAR='() { :;}; echo I can be exploited!' bash -c "echo Bash Test"

You will notice that the place where I am echoing “I can be exploited!” is where an attacker could slip in code to execute on the server. If you get both “I can be exploited!” and “Bash Test” as output, you are vulnerable and need to update Bash.

I can be exploited!
Bash Test

The other possible output is an error:

bash: warning: VAR: ignoring function definition attempt
bash: error importing function definition for `VAR'
Bash Test

This means that the payload was not delivered and your Bash is secure.
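The same check, packaged as a script that gives a machine-readable verdict so you can run it before and again after the package update. This is an added example, not part of the original post; the function names and the SHELLSHOCK_PROBE_MARKER string are my own, and the injected body only echoes that marker.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the CVE-2014-6271 probe from
# the article in a function with a clear verdict and exit status.

# Classify the combined stdout+stderr of one probe run.
# Prints one of: vulnerable | patched | unknown
classify_probe_output() {
    case "$1" in
        # The command placed after the function body ran: the import bug is present.
        *SHELLSHOCK_PROBE_MARKER*) echo vulnerable ;;
        # Only the shell's own -c command ran. Bash 4.3 with the initial fix also
        # prints "ignoring function definition attempt"; bash 4.4+ skips the
        # variable silently, so the absence of the marker is what we key on.
        *probe-ran*) echo patched ;;
        *) echo unknown ;;
    esac
}

# Run the probe against a bash binary (default: the first "bash" in PATH).
# Returns 0 when patched, 1 when vulnerable or unknown, 2 when bash is absent.
check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo bash-missing
        return 2
    fi
    # PROBE carries a function definition followed by one harmless echo; a
    # vulnerable bash executes that echo while importing the variable.
    out=$(env PROBE='() { :;}; echo SHELLSHOCK_PROBE_MARKER' \
          "$bash_bin" -c 'echo probe-ran' 2>&1)
    verdict=$(classify_probe_output "$out")
    echo "$verdict"
    [ "$verdict" = patched ]
}
```

Source the file and call check_shellshock (optionally with a path such as /bin/bash); a nonzero exit status means the probe did not come back clean.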


Let’s get Secure!

Like I said earlier, there is currently only a temporary, partial fix: it looks for this specific attack pattern and blocks it, but the fix is not 100% yet. There will be more updates in the future, and this is just another example of why you need to keep your servers, apps, and services up to date at all times.

If you are running an Ubuntu/Debian machine, you can update your bash by running:

sudo apt-get update
sudo apt-get install --only-upgrade bash

If you are running CentOS / Fedora / Red Hat (Yum package manager):

sudo yum update bash

After doing these updates, you can run the command from above again; the output should show that the payload was not executed and the function definition for VAR was ignored. If you are using an Apple computer, you will be receiving an update soon; there are ways to manually update Bash, but it is likely Apple will have a fix shortly. This quote came directly from Apple:

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities… With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

If you are concerned and an advanced user, though, there are some nice instructions on Stack Exchange.

Is Bold Affected?

Everybody is affected by this bug, but at Bold we have taken the proper actions to make sure our services are secure, so whether you are using our Shopify Apps or Picticipate, you can sleep easy knowing we are constantly updating and managing security on our servers. All of our servers have been updated, and we continue to take security threats very seriously.

Just as we did with Heartbleed, we want to make sure our customers, future and present, know that we strive to offer high-quality and secure web services. Don’t be afraid to comment with any questions about the vulnerability.

The post Protect your Server Against the Shellshock Bash Vulnerability appeared first on Bold Apps Tech Blog.