Worse than Heartbleed?
September 24, 2014 | Leave a Comment
Jim Reavis, Cloud Security Alliance
Today at 10am EST a vulnerability in the command shell Bash was announced (http://seclists.org/oss-sec/
A large number of programs on Linux and other UNIX systems use Bash to setup environmental variables which are then used while executing other programs. Examples of this include Web servers running CGI scripts and even email clients and web clients that pass files to external programs for display such as a video file or a sound file.
In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example.
To test if your system is vulnerable just try this on bash:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you’re vulnerable it’ll print:
vulnerable this is a test
If you’ve updated Bash you’ll only see
this is a test
There is more information available at the following links:
https://securityblog.redhat.
https://access.redhat.com/
And patches for Bash (most versions in the last 15 or so years) are available:
http://ftp.gnu.org/pub/gnu/
http://ftp.gnu.org/pub/gnu/
http://ftp.gnu.org/pub/gnu/
http://ftp.gnu.org/pub/gnu/
http://ftp.gnu.org/pub/gnu/
http://ftp.gnu.org/pub/gnu/
http://ftp.gnu.org/pub/gnu/
Share this content on your favorite social network today!
Comments:
Mission Statement
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
Sign Up for the Mailing List
Join the CSA Announcements Mailing List to receive updates on CSA activities and research.
Get Involved
Learn how you can participate in Cloud Security Alliance's goals to promote the use of best practices for providing security assurance within Cloud Computing.