Thursday, September 25, 2014

Major Vulnerability Affecting Linux, UNIX and Mac OS X

According to Ian Pratt, co-founder at Bromium:
"The 'shellshock' bash vulnerability is a big deal. It's going to impact large numbers of internet-facing Linux/UNIX/OS X systems as bash has been around for many years and is frequently used as the 'glue' to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.

"Bash is part of the infrastructure, something so pervasive that many sysadmins wouldn't necessarily even know that the security of their applications depends on it. Any applications known to be using CGI scripts that call system or popen are at particular risk -- many PHP, Perl and Python scripts will fall into this category. Some Python modules call os.system without the application doing so explicitly. Simply disabling bash is typically not an option, though it may help to change applications' default shell to some other Bourne-shell-compatible shell such as 'sh' or 'dash' (though beware -- 'sh' is actually the same binary as bash on some systems). However, if an application invokes bash explicitly it will still be vulnerable.

"Even client systems that don't explicitly run network-facing services may be vulnerable too, by way of software such as the DHCP client that may pass data received from a DHCP server through bash. This means that malicious WiFi hotspots could potentially compromise vulnerable systems.

"All Linux/Unix/OS X sysadmins should be scrambling to update bash on all their systems, prioritizing those exposed to untrusted networks.

"Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface -- this likely won't be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required."
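The three practical questions raised above (is this host's bash patched, is 'sh' really bash under another name, and which application scripts spawn a shell at all) can be answered locally. The script below is an added example written for this page; it is not code from the original post or from Bromium. It runs entirely offline: it applies the widely published shellshock self-test to each shell binary it finds, asks each binary whether it is bash by checking for `$BASH_VERSION` (which works the same on Linux and OS X, where `readlink -f` is not available), and greps a directory of application code for the system/popen/os.system call sites the quote warns about. The shell paths in `report` and the grep pattern in `find_shell_spawners` are assumptions to adjust for your platform; the pattern is a heuristic, not a complete list.

```shell
#!/bin/sh
# Added example, not part of the original post: local checks for the
# shellshock exposure described above. Nothing here touches the network.

# Report whether a shell binary is bash, whatever its file name.
# Bash sets $BASH_VERSION; dash and other Bourne-compatible shells leave it
# unset, so this catches the "sh is the same binary as bash" case.
shell_is_bash() {
    v=$("$1" -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null) || v=""
    if [ -n "$v" ]; then echo yes; else echo no; fi
}

# Classify the combined stdout of the standard shellshock self-test.
# The self-test exports a function definition through the environment with
# a command appended after it; an unpatched bash runs that appended command
# while importing the function, so the marker word shows up in the output.
# A patched bash only prints the harmless "ok" from the -c command.
classify_probe_output() {
    case "$1" in
        *shellshock_marker*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Run the self-test against one shell binary. Non-bash shells ignore the
# variable entirely, so the result is reported as n/a rather than patched.
probe_shell() {
    [ "$(shell_is_bash "$1")" = yes ] || { echo n/a; return 0; }
    out=$(env probe='() { :;}; echo shellshock_marker' "$1" -c 'echo ok' 2>/dev/null) || out=""
    classify_probe_output "$out"
}

# List files under a directory that appear to spawn a shell from application
# code: system()/popen() in C, PHP and Perl, shell_exec() in PHP, os.system
# and shell=True in Python. Assumed heuristic pattern; extend it as needed.
find_shell_spawners() {
    grep -rlE 'system\(|popen\(|shell_exec\(|os\.system|shell=True' "$1" 2>/dev/null | sort || true
}

# Summarise the common shell paths on this host (assumed locations).
report() {
    for p in /bin/sh /bin/bash /bin/dash /usr/local/bin/bash; do
        [ -x "$p" ] || continue
        printf '%-20s is_bash=%-3s shellshock=%s\n' \
            "$p" "$(shell_is_bash "$p")" "$(probe_shell "$p")"
    done
}

report
if [ $# -gt 0 ]; then
    echo "Files under $1 that appear to spawn a shell:"
    find_shell_spawners "$1"
fi
```

Run it as `sh shellshock_check.sh /var/www/cgi-bin` (path assumed) to get the per-shell summary followed by the list of scripts worth reviewing. A host whose `/bin/sh` reports `is_bash=yes` gains nothing from switching an application's default shell to `sh`; it needs the bash update itself, or `dash`, as the quote notes.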