The Shellshock Bug Hits Linux and the Internet of Things

The security world came abuzz recently when a very serious bug was announced in the GNU Bash shell. It’s a bad one, easy to exploit and with serious results. The new trend is to give a significant bug a catchy name and logo, and this one quickly became known as Shellshock.

Here is a quick test you can run on your system. The line reading “vulnerable” appears only if your Bash shell is vulnerable; on patched systems you instead get an error message:

bash-4.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Note that this is not limited to being just a Linux vulnerability. It’s worse: the vulnerability exists in any operating system with Bash versions 1.14 through 4.3 installed. That includes many “Internet of Things” embedded devices which you can’t patch, in addition to Mac OS X and the Unix-family operating systems. Bash is the default shell in Mac OS X and most Linux distributions (all of the ones I’m familiar with), and it’s frequently added to commercial Unix operating systems (Solaris, HP-UX, etc.) and even the security-focused OpenBSD.

The bug has been around for a long time: the v1.14 tar files in the FTP archive date to 1994! This means that vulnerable versions are running on many Internet-exposed systems.

The bug was designated CVE-2014-6721 and a patch was issued. However, it was quickly discovered that the patch didn’t fully solve the problem, and a second CVE designator, CVE-2014-7169, was assigned. Scans and attacks were underway within 4.5 hours of the announcement.

The problem, clearly described in a Red Hat security blog post, is caused by inappropriate handling of environment variables: Bash imported function definitions from the environment and went on to execute any commands that followed the function body. Bash is a superset of the Bourne shell plus features from the Ksh and Csh shells and more, including ideas from Awk and even Perl. “Feature creep” may have contributed to the appearance of the bug.

The risk is compounded by the use of Bash by Internet services. An Apache server might run CGI scripts written in Bash, or written in C, Python, or Perl but spawning subshells which use Bash, and the CGI interface hands HTTP request headers to the script as environment variables. Shellshock is a code injection attack: a remote attacker can supply arbitrary commands that will be executed with the privileges of the vulnerable service.
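As an added example (not from the original post), here is a small Python detector for the CGI attack path just described: it parses Apache combined-format access log lines and flags requests whose request line, Referer or User-Agent begins a Bash function definition with the `() {` prefix that Shellshock payloads start with. The log lines are constructed for illustration; the CGI variable names in the comments are the standard ones.

```python
import re

# Apache "combined" access log format:
# host, identity, user, [time], "request", status, size, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Vulnerable Bash imported a function from any environment variable whose value
# began with the four characters "() {", so a working payload starts with exactly
# that prefix; extra whitespace is tolerated so malformed probes are flagged too.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# CGI exports these request parts into the script's environment (REQUEST_URI,
# HTTP_REFERER, HTTP_USER_AGENT), so any of them can carry the payload.
CGI_EXPOSED_FIELDS = ("request", "referer", "agent")

def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Return one finding per log line whose CGI-exposed fields carry a payload."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:  # unparseable lines are skipped, not fatal
            continue
        for field in CGI_EXPOSED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({"host": rec["host"], "time": rec["time"],
                                 "field": field, "value": rec[field]})
                break  # one finding per line is enough
    return findings

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.4 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.30.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} via {f['field']}: {f['value']}")
```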

The vulnerability could lead to a worm, automatically propagating malware. A DHCP client runs shell scripts to configure networking, and those scripts must run with root privileges. Once a hostile DHCP server is inside an organization, it could pass along malicious strings which would then be inappropriately executed with root privileges on the DHCP clients.

As for the “Internet of Things”, if you have a Blu-ray player with an Ethernet jack it almost certainly contains an embedded (and largely unpatchable) Linux system, but that one is safely behind your NAT router and firewall. Internet-facing webcams are certainly at risk, however.

In Learning Tree’s Linux Administration and Support course we show how to set up Yum and make updating and patching easy, and we stress the importance of keeping systems up to date.

Test your servers!

Patch your servers!

Bob Cromwell
