Shellshock – Bash Vulnerability

Shellshock is a serious security vulnerability in the Bourne-Again Shell (Bash) on Linux.

Known as the “Bash Bug” or “ShellShock”, the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully.

First disclosed on 24 September 2014, the vulnerability potentially affects most versions of Linux and Unix operating systems, in addition to Mac OS X (which is based around Unix).

Within an hour of the announcement of the Bash vulnerability, there were reports of machines being compromised by the bug. By 25 September 2014, botnets made up of computers compromised through the bug were being used by attackers for distributed denial-of-service (DDoS) attacks and vulnerability scanning.

On 26 September 2014, a Shellshock-related botnet was being used for a DDoS attack against Akamai Technologies and to scan the United States Department of Defense.

By 30 September, the website performance firm CloudFlare said it was tracking approximately 1.5 million attacks and probes per day related to the bug.

The vulnerability affects Bash, a common component known as a shell, which appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

Bash can also be used to run commands passed to it by applications, and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set.

According to Red Hat, “An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”

Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack on malicious code to the end of an environment variable, and Bash will run that code as soon as it imports the variable.
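As an added example (not part of the original article), the following script checks whether the Bash installed on a server is still affected by CVE-2014-6271. It uses the diagnostic string published by Red Hat and US-CERT: a vulnerable Bash keeps parsing past the closing brace of an exported function definition and runs the trailing `echo vulnerable`, whereas a patched Bash stops at the brace. The function names `check_shellshock` and `shellshock_report` are our own.

```shell
#!/bin/sh
# Added example: local self-check for CVE-2014-6271 (Shellshock).
# The probe is the public Red Hat / US-CERT diagnostic string. A Bash
# that prints "vulnerable" still executes code appended to an exported
# function definition; a patched Bash only prints the probe line.

# Returns "patched", "vulnerable" or "bash-not-found".
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo bash-not-found; return 0; }
    # The variable value starts with "() {", so Bash treats it as an
    # exported function. Everything after the closing brace is the probe:
    # it should never run, and on a fixed Bash it does not.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Print the installed Bash version alongside the result so the output
# can be compared against the vendor's advisory for that version.
shellshock_report() {
    ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo unknown)
    printf 'bash %s: %s\n' "${ver:-unknown}" "$(check_shellshock)"
}

shellshock_report
```

A result of "patched" only covers the first CVE; the later advisories (CVE-2014-7169 and the others listed below) have their own checks in the vendor references at the end of this page.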


The bug was discovered on 12 September 2014, and analysis of the Bash source code history shows that the vulnerability had existed since Bash version 1.03, released in September 1989. The developers (and current maintainers) of Bash were immediately notified by the discoverer, in order to allow time to develop and test a security patch.

There was an original fix published for CVE-2014-6271, but within days a second advisory was issued (CVE-2014-7169) to address further risks. Intense scrutiny of the underlying design flaws uncovered a variety of related vulnerabilities (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187), which maintainer Chet Ramey addressed with a series of further patches.

Some Digital Tsunami client sites are hosted on our own, or client-exclusive, private clouds on Linux-based platforms. These clouds had the potential to be exposed to this vulnerability.

However, within hours of the official announcement of the vulnerability, the security patch was applied to all Digital Tsunami Linux web servers. Sites hosted on the Windows platform are not subject to the vulnerability.

No Digital Tsunami clients on our private clouds were affected by the recent Heartbleed vulnerability.

Sites hosted on external servers will remain at risk until security patches are applied.

For enquiries on advanced security for your web presence, please contact Digital Tsunami Sales or Technical Support.


External References:
Oracle
Red Hat Security Advisory on CVE-2014-7169
Shellshocker
Symantec
Ubuntu Security FAQ
US Computer Emergency Readiness Team
