Critical Bash Vulnerability Leaves Systems Open to Attack

A vulnerability (CVE-2014-6271) has been discovered in the GNU Bourne Again Shell (bash) that can be exploited to execute code.

The flaw was discovered by Stephane Chazelas, and is related to how bash evaluates specially-crafted environment variables.

A large number of programs on Linux and other UNIX systems use bash to set up environment variables that are then used while executing other programs, explained Jim Reavis, CEO of the Cloud Security Alliance (CSA).

“Examples of this include Web servers running CGI scripts and even email clients and web clients that pass files to external programs for display such as a video file or a sound file,” he blogged. “In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example.”

Major Linux distributors are rolling out patches, including Red Hat (Red Hat Enterprise Linux versions 4 through 7 and Fedora), CentOS (versions 5 through 7), Debian, and Ubuntu (10.04 LTS, 12.04 LTS and 14.04 LTS).

In Linux, environment variables provide a way to influence the behavior of software on the system, blogged Huzaifa Sidhpurwala, security engineer at Red Hat.

“The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background,” Sidhpurwala noted. “It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc). Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.”

The patch used to fix this flaw ensures no code is allowed after the end of a bash function, Sidhpurwala blogged.
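
The check below is an added example, not code from the article or from the bash patch. It audits an environment for values shaped like an exported bash function (a value beginning with `() {`) and reports any text left after the function body, the case the patch rejects. The function names, the brace-counting heuristic and the sample environment are constructed for illustration.

```python
import re

# Bash passes an exported function to child shells as an environment
# variable whose value begins with "() {".
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")


def trailing_after_function(value):
    """Return the text that follows the function body, or None if the value
    is not shaped like an exported function. Heuristic: counts braces only;
    quotes and escapes inside the body are not interpreted."""
    m = FUNC_PREFIX.match(value)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(value)):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
    # Body never closes: report everything after the prefix as trailing.
    return value[m.end():].strip()


def audit_environment(env):
    """List (name, kind, trailing) for every function-shaped value. The
    variable name is reported but never used to decide: only contents matter."""
    findings = []
    for name, value in sorted(env.items()):
        trailing = trailing_after_function(value)
        if trailing is None:
            continue
        kind = "function+trailing" if trailing else "function"
        findings.append((name, kind, trailing))
    return findings


# Constructed sample: the environment a web server might hand to a CGI
# script, where request headers arrive as HTTP_* variables.
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
    "HTTP_COOKIE": "() { :; }; constructed-trailing-text",
    "HTTP_REFERER": "() { :; }",
    "PATH": "/usr/bin:/bin",
}

if __name__ == "__main__":
    for name, kind, trailing in audit_environment(SAMPLE_ENV):
        print(f"{name}: {kind} {trailing!r}")
```

A function-shaped value in a request header is worth logging even without trailing text, since ordinary clients have no reason to send one.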

Bash is a popular shell, and is available on other flavors of UNIX besides Linux, noted Garve Hays, solutions architect at NetIQ. The vulnerability, he added, could also have a “long tail” effect in that not all servers will get updated and will remain exposed.

Attackers can use this vulnerability to attack a variety of devices and web servers and take over the operating system, make changes or perform other actions, said Tod Beardsley, engineering manager at Rapid7.

“It’s rated a 10 for severity, meaning it has maximum impact, and ‘low’ for complexity of exploitation – meaning it’s pretty easy for attackers to use it,” Beardsley said in a statement.

“The affected software, bash, is widely used so attackers can use this vulnerability to remotely execute a huge variety of devices and web servers,” he continued. 

“Anybody with systems using bash needs to deploy the patch immediately,” Beardsley said.
