It’s been a busy couple of days at ServInt, but I’m glad to say that our customers are protected against the recently found Shellshock bug.
Shellshock is a newly found vulnerability in Bash, the most common application allowing users to execute commands on Linux machines. It’s the environment within which commands are executed – the “shell”. There are a variety of shells available in the *NIX world, but Bash is by far the most common in Linux.
The Shellshock bug allows malicious users to convince Bash to execute commands before the shell is fully initialized — that is, before the it finishes all the initialization and checks that prevent users from doing things they shouldn’t do. Hackers who exploit Shellshock would still be bound by most of the kernel’s security barriers, but the bug could let the attacker out of any application-specific security containment, and allow the execution of unintended commands, and the reading and writing of files that the shell user had access to. In a web environment, this type of problem can quickly get nasty.
Is Shellshock as bad as Heartbleed? Yes and no. On the one hand, it’s not a root level exploit. The system files of your server would not be directly compromised by this bug, but a user’s data could be, and on a typical system, the user’s account is where most of the interesting data is. On top of that, the fact that Bash exists on (and executes commands on behalf of) nearly every computer running a version of Linux makes the exposure immensely wide.
Luckily, since Shellshock is a bug in an application (and one with limited dependencies, at that) and not the kernel, the fix was straightforward. However, as with many critical, time-sensitive bugs, the fix can end up being a multi-stage process. In this case, the first vendor-supplied fixes were insufficient to cover all possible exploit scenarios, so even as we were performing the first round of patching, we knew that less than 24 hours later we would be doing it all over again. Nonetheless, by 10:30 AM Eastern time this morning, we had the second round of patching complete.
So, if you are a ServInt customer, feel free to file Shellshock under “No Need for Further Concern.”
Photo by Yuri Samoilov