Critical Bash Vulnerability Leaves Systems Open to Attack

A vulnerability (CVE-2014-6271) has been discovered in the GNU Bourne Again Shell (bash) that can be exploited to execute code.

The flaw was discovered by Stephane Chazelas, and is related to how bash evaluates specially crafted environment variables.

A large number of programs on Linux and other UNIX systems use bash to set up environment variables that are then used while executing other programs, explained Jim Reavis, CEO of the Cloud Security Alliance (CSA).

“Examples of this include Web servers running CGI scripts and even email clients and web clients that pass files to external programs for display such as a video file or a sound file,” he blogged. “In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example.”

Patches are being rolled out by the major Linux distributors, including Red Hat (Red Hat Enterprise Linux versions 4 through 7 and Fedora), CentOS (versions 5 through 7), Debian, and Ubuntu (10.04 LTS, 12.04 LTS and 14.04 LTS).

In Linux, environment variables provide a way to influence the behavior of software on the system, blogged Huzaifa Sidhpurwala, security engineer at Red Hat.

“The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background,” Sidhpurwala noted. “It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc). Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.”

The patch used to fix this flaw ensures no code is allowed after the end of a bash function, Sidhpurwala blogged.
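The check below is an added example, not code from this article, from Red Hat, or from the bash patch. It screens an environment built from untrusted input by value rather than by name, and reports when text follows the end of a function body, which is what the patch described above disallows. It assumes the `() {` prefix that bash releases of that period used to mark an exported function in an environment value; `body_end`, `classify`, `scrub_env` and `SAMPLE_ENV` are hypothetical names, and the sample values are constructed.

```python
# Added example: screen an environment built from untrusted input before a shell runs.
FUNC_PREFIX = "() {"  # assumption: marker bash of that era used for an exported function

def body_end(value):
    """Index just past the brace that closes the leading function body, else None.
    Heuristic brace counter that skips quoted text; it is not a bash parser."""
    depth, quote = 0, None
    for i, ch in enumerate(value):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return None

def classify(value):
    """Return 'plain', 'function', 'trailing' or 'malformed' for one value."""
    if not value.startswith(FUNC_PREFIX):
        return "plain"
    end = body_end(value)
    if end is None:
        return "malformed"
    # Anything but whitespace or ';' after the body is what the patch refuses.
    return "trailing" if value[end:].strip(" \t\n;") else "function"

def scrub_env(env):
    """Split env into (kept, dropped); the decision uses the value, never the name."""
    kept, dropped = {}, {}
    for name, value in env.items():
        kind = classify(value)
        if kind == "plain":
            kept[name] = value
        else:
            dropped[name] = kind
    return kept, dropped

# Constructed CGI-style sample: header values copied into variables by a web server.
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
    "HTTP_ACCEPT": "() { :; }",
    "HTTP_COOKIE": "() { :; }; echo CONSTRUCTED-MARKER",
    "HTTP_REFERER": "() { echo '}' ",
    "PATH": "/usr/bin:/bin",
}
```

Screening like this only narrows exposure for callers that hand untrusted values to a shell; the fix remains the patched bash.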

Bash is a popular shell, and is available on other flavors of UNIX besides Linux, noted Garve Hays, solutions architect at NetIQ. The vulnerability, he added, could also have a “long tail” effect in that not all servers will get updated, and those left unpatched will remain exposed.

Attackers can use this vulnerability to attack a variety of devices and web servers and take over the operating system, make changes or perform other actions, said Tod Beardsley, engineering manager at Rapid7.

“It’s rated a 10 for severity, meaning it has maximum impact, and “low” for complexity of exploitation – meaning it’s pretty easy for attackers to use it,” Beardsley said in a statement.

“The affected software, bash, is widely used so attackers can use this vulnerability to remotely execute a huge variety of devices and web servers,” he continued. 

“Anybody with systems using bash needs to deploy the patch immediately,” Beardsley said.
