Jim Reavis, Cloud Security Alliance
Today at 10am EST a vulnerability in the Bash command shell was announced (http://seclists.org/oss-sec/
A large number of programs on Linux and other UNIX systems hand data to Bash through environment variables: the program sets the variables and then starts Bash (or a script or command that runs under it), and Bash reads them at startup. Examples include web servers running CGI scripts, which export request headers such as User-Agent into the script's environment, and even email and web clients that pass files to external programs for display, such as a video or sound file. Bash treats any environment variable whose value begins with "() {" as an exported function definition, and vulnerable versions keep parsing past the end of that definition and execute whatever commands follow it.
In short, this vulnerability lets an attacker who controls the contents of an environment variable run arbitrary commands, often remotely, for example by setting a header in a web request or by supplying an unusual MIME type.
To test if your system is vulnerable just try this on bash:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you're vulnerable it will print two lines, the first from the command smuggled in after the function body and the second from the -c argument:
vulnerable
this is a test
If you've updated Bash you'll only see
this is a test
(a patched Bash may additionally print a warning on stderr that it ignored the function definition attempt for x; that is expected).
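As an added example (not part of the original post), the following POSIX shell script wraps the one-line check above in a function that returns an exit status a fleet-wide audit can act on, and adds the detection side of the same mechanism: because the payload has to reach Bash through an environment variable, on a CGI host it arrives in a request header and is therefore visible in the web server's access log. The function names and the three access-log lines are my own constructions for the example, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post.

# 1. Probe the installed bash with the same test the post gives, scripted.
#    Exit status: 0 = vulnerable, 1 = patched, 2 = bash not installed.
bash_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    # The value begins with "() {", so bash imports it as a function
    # definition at startup; a vulnerable bash keeps parsing past the
    # closing brace and runs the trailing "echo vulnerable".
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# 2. Detection: on a CGI server the payload travels in a request header
#    (User-Agent, Referer, Cookie, ...), which web servers log. Count the
#    lines on stdin containing the literal "() {" prefix that bash's
#    function-import code looks for. Prints the count.
count_shellshock_probes() {
    grep -cF '() {'
}

# Constructed sample access-log lines (combined log format, not real
# traffic): lines 1 and 3 carry the function-definition prefix in the
# User-Agent and Referer fields respectively, line 2 is benign.
SAMPLE_LOG='203.0.113.5 - - [24/Sep/2014:15:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.9 - - [24/Sep/2014:15:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2014:15:02:19 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.37.0"'

# Runs the detector over the constructed sample; prints 2.
sample_probe_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes
}

# Stand-alone report. The "&& ... ||" form keeps the script usable under
# "set -e", since a non-zero return from the probe is the normal case.
bash_is_vulnerable && rc=0 || rc=$?
case $rc in
    0) echo "bash: VULNERABLE, patch now" ;;
    1) echo "bash: patched" ;;
    *) echo "bash: not installed, nothing to check" ;;
esac
echo "suspicious requests in sample log: $(sample_probe_count)"
```

For a real audit, pipe the server's access log into count_shellshock_probes (for example, `count_shellshock_probes < /var/log/apache2/access.log`) and run bash_is_vulnerable on every host that executes CGI scripts or other Bash-backed handlers; a count above zero means someone is already probing the host, whether or not its Bash is still vulnerable.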
There is more information available at the following links:
https://securityblog.redhat.
https://access.redhat.com/
And patches for Bash (covering most versions released in the last 15 or so years) are available:
http://ftp.gnu.org/pub/gnu/