Sunday, 28 September 2014

Shellshock Vulnerability CVE-2014-6271

The Bash Shell have a new exploit named shellshock.

From Thursday 25 september 2014, Bash have a bug that realy make everybody paranoid. The exploit is CVE-2014-6271 which enable the attacker to run any code even without authenticating to the server, especially with DHCP services.

Stephane Chazelas discoverd this vulnerability in bash, related with the how the environment variables are processed by bash and this affect many of the linux / unix system which by default utilize bash shell. This affect Bash released 20years ago back to version 1.3

Lucky for me, i am in the BSD bandwagon, which by default not using Bash, but using tcsh or csh, which licensed under BSD license term. The reason Bash not a default install in BSD system because Bash is use GPL Licensing term.
But i don't know if this will change if Bash using BSD license, but i think because Bash was develop with no security in mind. Yeay Go BSD :)

But some servers use bash need to update. First you can test it with the command.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

if the output print out vulnerable, then you need to upgrade your bash version to the latest. Redhat, Debian, Ubuntu, and all major Linux Distro already release a fix for this, but only days, the fix show that it only prevent no all the bug, like Redhat said in the website.

But still better patch first, as a first step for prevent the vulnerability. Also there are many test utility for this shellshock in the web. One that i found was Shellshock HTTP Test and Shellshock Vulnerability Test

Now for the update , in debian system you just run this command :

$sudo apt-get update && sudo apt-get install --only-upgrade bash

In Centos / Redhat system :

$sudo yum update bash

or download the rpm file with this command (in Centos 5.10) :

$ wget ftp://fr2.rpmfind.net/linux/centos/5.10/updates/i386/RPMS/bash-3.2-33.el5-10.4.i386.rpm

$sudo yum --nogpgcheck update bash-3.2-33.el5-10.4.i386.rpm

This Shellshock worse than last openssl vulnerability, because many old system affected like the cgi web server processing services. But in modern web application i had test, which running python, not affected by the shellshocks because not using Bash shell.

0 comments:

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More