Channel: blyon.com » Opinion
This Bash bug will be a mess!

Bash (GNU Bourne-Again SHell) is a common command line interface (shell) for newer styles of UNIX-like operating systems. It’s favored by Linux distributions and OS X because it is a little more user friendly than other shells. It has also had a 22-year-old bug that allows an attacker, possibly remotely, to execute arbitrary commands on the victim’s machine, typically as root. Read the full CVE-2014-6271 CERT report.

What does this mean for us OS X users? Well, not much, unless you run DHCP or Internet Connection Sharing (which uses DHCP) which could allow remote command execution.

What does this mean for your Linux box? If you have any idiotic applications that allow remote input, such as a form or setup script that passes unchecked variables to Bash, you’re in big trouble.

Implications are all over the place: Huge DDoS botnets powered by massively connected machines. People’s data being compromised everywhere. Scanners executing a simple command such as rm -rf / which will simply nuke the entire server’s disk… It’s going to be messy for people that have followed poor development and security practices with their web applications, stats, log analysis software, or any application that passes external input to bash.

This doesn’t impact BSD (by default), which for the most part has shunned Bash since its beginning, favoring a different shell called the C shell (csh). It also probably won’t heavily impact services like Facebook and Google, because they shouldn’t be allowing shell calls from web applications, and their user access should be limited to trusted applications and users anyway.

WAFs (Web Application Firewalls) are a huge help in this situation. Rather than wait for all of your services to be patched, you can deploy a rule, or have your WAF service deploy a rule, that blocks this attack vector. I consider this a huge advantage when combating new exploits.
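As an added illustration of what such a WAF rule looks like (example code written for this post, not from any WAF vendor): the bug is triggered when bash imports an environment variable whose value begins with the function-definition marker `() {`, and web servers copy request headers into the CGI environment, so a rule can flag that marker in any header value. The sample requests below are constructed, not captured traffic.

```python
import re
from typing import Dict, List

# CVE-2014-6271: bash treats any environment variable whose value starts with
# "() {" as a function definition and runs whatever follows the closing brace.
# CGI-style servers export headers (User-Agent, Cookie, Referer, ...) into the
# environment, so a WAF can refuse requests carrying that marker. \s* covers
# the spacing variants "() {", "(){" and "()  {".
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Constructed sample requests as a WAF would see them after parsing headers.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Host": "www.example.com"},
    {"User-Agent": "() { :; }; echo vulnerable", "Host": "www.example.com"},
    {"Cookie": "session=abc123", "Referer": "(){:;}; /bin/true"},
    {"User-Agent": "curl/7.37.0", "Accept": "*/*"},
]


def find_shellshock_headers(headers: Dict[str, str]) -> List[str]:
    """Return the names of headers whose value carries the function-import marker."""
    return [name for name, value in headers.items() if SHELLSHOCK_MARKER.search(value)]


def should_block(headers: Dict[str, str]) -> bool:
    """WAF decision for one request: block if any header matches."""
    return bool(find_shellshock_headers(headers))


def triage(requests: List[Dict[str, str]]) -> List[bool]:
    """Apply the rule to a batch of requests; True means the request is blocked."""
    return [should_block(r) for r in requests]


if __name__ == "__main__":
    for req, blocked in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        flagged = find_shellshock_headers(req)
        print("BLOCK" if blocked else "allow", flagged or "")
```

The same check belongs on the query string and request body too, since anything the server exports into the environment is a path to the bug; the rule buys time but is no substitute for patching bash.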

Anyway, it’s time to get patching and expect the Internet to be a little messy for the next few months.
