Leading Linux vendors mitigate ‘bash’ security nightmare


By Scott M. Fulton, III 

Just days after folks took the White House to task for failing to lock the front entrance of the building and letting an intruder walk right in, an almost comically severe bug was found in one of the processes commonly used in Linux and Unix for remote script execution. Details of the bug were kept silent from the press until Wednesday.

Even then, the blog to which the U.S. Dept. of Homeland Security directed admins for details–Red Hat’s security blog–was unavailable Thursday morning.

The bug affects bash, a simple processor of command-line instructions in batch format. It’s my policy with respect to reporting vulnerabilities to refrain from revealing enough information for any individual to immediately conduct an exploit.

That said, the exploit is, unfortunately, ridiculously simple–so much so, that it’s difficult to notexplain. There are ways to pair multiple commands and statements on the same line. In this vulnerability, which theoretically can impact any version of Unix or systems inspired by it, there’s one command which leaves open the front door for any other command paired on the same line with it to be executed as though it had the highest privilege level available.

The very first batch command “worms” involving networked CP/M, which were demonstrated at computer conferences during the early 1980s as a joke, involved processing a command that forwarded a file that could be executed remotely by that computer’s same version of the command line.  It wasn’t so much malicious as a kind of trick, and early hackers actually thought it was cool to sit back and watch it happen.

On Wednesday, security engineer Robert Graham–who had diligently kept the secret details to himself until the embargo had lifted–reported that essentially the same trick could be used to “wormify,” if you will, the Bash bug. Without precisely explaining how it’s done, Graham said that CGI scripts for Web servers could be vulnerable. The obvious implication there is that an unchecked paired Bash command could trigger the execution of a Web server script, perhaps with the same unlimited privilege.

Put another way, all the security the world has ever had has left the front door of the kingdom ajar for the last quarter-century, and that fact was only discovered by an innocent bystander.

Sadly, advice given by a security engineer Wednesday night on how to test systems for vulnerability consisted of the exploit itself. Anyone parsing the test with the naked eye could immediately see how the exploit is carried out.

However, operating system vendors did work diligently to incorporate patches developed throughout the Linux community, who also kept the existence of the bug out of sight from public sources until Wednesday. US-CERT, which officially broke radio silence, has published immediate patches for four leading Linux distributions: CentOS, Debian, Red Hat and Ubuntu.

In deference to the need for major vulnerabilities to have their own PR representatives, the Bash bug has been dubbed “Shellshock.” Inevitably it will be referred to in TV news broadcasts by that name.

Related Articles:
Firefox security fix points to deep flaws in chain of trust
Intel hopes aynchronous OpenSSL will thwart future Heartbleed

Read more about: Bash bug

Jarrett Neil Ridlinghafer
Founder & CEO
Synapse Synergy Group, Inc.
“Virtual Think-Tank|Incubator|Accelerator”
LinkedIn Profile: LinkedIn.com/in/jnridlinghafer
Twitter: @CloudWiser
Twitter: @SynapseSynergy
Twitter: @jnridlinghafer
Google +: https://plus.google.com/+JarrettNeilRidlinghafer
Email: info@synapsesynergygroup.com