Monthly Archive September 2014

Shellshock

Announced in the last couple of days, Shellshock is the latest major vulnerability in a component that a great many systems depend on, and some commentators are already saying its impact will be bigger than Heartbleed's.

The vulnerability lies in the way the bash shell on Unix imports functions from its environment. A parent bash can export shell variables and function definitions to child bash instances through environment variables; when a vulnerable bash starts and finds an environment variable whose value looks like a function definition, it does not stop at the end of the function body but goes on to execute whatever commands follow it. Anyone who can control the contents of an environment variable that a bash process starts with can therefore run arbitrary commands as that process.

The major concern is CGI scripts on web sites, because the web server copies parts of the HTTP request (the User-Agent, Referer and other headers, and the query string) into environment variables before starting the script, so an attacker can place a crafted function definition in a request header. The exposure is not limited to scripts written in bash: any program that spawns a shell, for example via system() or popen() from C, PHP or Perl, on a system where /bin/sh is bash, hands its environment, and with it the attacker's payload, to that bash.
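The behaviour described in the two paragraphs above, as an added example that is not part of the original post: a small POSIX shell script that builds the classic exported-function probe, and a simulated CGI request with the payload in the User-Agent header, and reports whether the bash it is pointed at executes the command trailing the function definition. The function names (probe, shellshock_check, cgi_user_agent_probe), the payload strings and the one-line stand-in for a CGI script are my own choices; it assumes a bash binary is on the PATH or is passed as an argument.

```shell
#!/bin/sh
# Added example (not code from the SRM post): reproduces the exported-function
# injection behind CVE-2014-6271 and reports whether a given bash binary runs
# the command that trails a function definition found in its environment.

# probe BASH VARNAME MARKER SCRIPT
# Starts BASH with VARNAME set to a value that looks like an exported function,
# "() { :;}", followed by "echo MARKER". A vulnerable bash executes that
# trailing command while importing its environment, before SCRIPT runs; a
# patched bash ignores it (its warnings go to stderr, which is discarded).
# Prints "vulnerable", "patched" or "no-bash" and always exits 0.
probe() {
    bash_bin="$1"; var="$2"; marker="$3"; script="$4"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env "$var=() { :;}; echo $marker" "$bash_bin" -c "$script" 2>/dev/null)
    case "$out" in
        *"$marker"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# The classic local check: an arbitrary variable name and an innocuous
# -c script that has nothing to do with the variable.
shellshock_check() {
    probe "${1:-bash}" x vulnerable 'echo probe'
}

# The CGI vector: a web server copies the request's User-Agent header into
# HTTP_USER_AGENT and then starts the handler. The handler below is a
# constructed stand-in for a CGI script; it never reads the header, yet a
# vulnerable bash would run the attacker's command before producing the
# response. The same applies when a Perl, PHP or C CGI calls system() on a
# host where /bin/sh is bash.
cgi_user_agent_probe() {
    probe "${1:-bash}" HTTP_USER_AGENT INJECTED \
        'printf "Content-Type: text/plain\r\n\r\nhello\n"'
}

# Check every bash named on the command line (default: the first "bash" on
# PATH). Hosts often carry more than one, e.g. /bin/bash and /usr/local/bin/bash.
[ $# -gt 0 ] || set -- bash
for b in "$@"; do
    echo "$b: env probe=$(shellshock_check "$b"), cgi probe=$(cgi_user_agent_probe "$b")"
done
```

Run it against every bash binary on the host, not only the one on the PATH, and remember that a result of "patched" only means this particular attack string is neutralised; it says nothing about any further parser bugs that later vendor patches address, so keep applying the follow-up updates.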

Reviewing the information currently available, including reports surfacing on Twitter, there are clear indications that attackers are already trying exploits (https://gist.github.com/anonymous/929d622f3b36b00c0be1), so this is being exploited in the wild.

Initial patches are out for affected systems, although there is early discussion that they may not completely close all the holes. SRM strongly recommends that administrators identify whether they are vulnerable, checking every bash binary on each host rather than just the one on the PATH, and patch appropriately. In addition, keep a watch on vendor updates, since follow-up patches are likely.

Description of the vulnerability: CVE-2014-6271: remote code execution through bash
More information on the vulnerability: http://lcamtuf.blogspot.be/2014/09/quick-notes-about-bash-bug-its-impact.html?m=1

Qualified PCI DSS QSA, PA-QSA & PFI, as well as SRM's Lead Penetration Tester, Andy L is a regular contributor to the SRM blog.