What is the Bash Bug?

Posted by on in Security

 

The HeartBleed bug was very bad taking down servers all across the Internet. It is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

 

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

 

As bad as Heartbleed was the Bash bug is potentially much worse. It is the recent discovery of a flaw in the popular bash command shell. Bash is used as the command interpreter for many Linux systems including Red Hat, CentOS, Ubuntu and Debian and also ships with Mac OS X.

 

The vulnerability which was quickly nicknamed ‘shellshock’ was discovered by Stéphane Chazelas and assigned CVE-2014-6271. It allows anyone to execute arbitrary code by abusing an environment variable and launching a function containing trailing commands.

 

While patches have been issued, system administrators will be working on checking all servers and routers that use the bash shell. 

 

 

The vulnerability is so severe it has been assigned a score of 10. It is trivial to use and may be the cause of many future cyber hacks on the Internet.

 

To check if your system is vulnerable, you can type the following command:

env x='() { :;}; echo vulnerable' bash -c "echo bash bug"


If you see something like he following:

[myhost]$ env x='() { :;}; echo vulnerable' bash -c "echo bash bug"
vulnerable
bash bug
[myhost]$


then you are affected by the bash bug and will want to apply to a patch from your Linux Distro supplier. A good Sys Admin should be on top of this.

 

 

 

 

Enjoyed the article?

Sign-up for our free newsletter to kick off your day with the latest technology insights, or share the article with your friends and contacts on Facebook, Twitter or Google+ using the icons below.


E-mail address

Bill has been a member of the technology and publishing industries for more than 25 years and brings extensive expertise to the roles of CEO, CIO, and Executive Editor. Most recently, Bill was COO and Co-Founder of CIOZone.com and the parent company PSN Inc. Previously, Bill held the position of CTO of both Wiseads New Media and About.com.

Comments



White Papers