I was recently doing some work at a Major Financial Institution when I overheard two systems engineers comparing notes:
“I have to install that Bash shell patch on my servers by the end of next month.”
“Hah! My servers don’t have to have it until the end of the month after that!”
Guys, please. Patch your systems now.
I wrote about the Shellshock bug in the GNU Bash shell recently.
The initial bug discovery led to closer examination of the Bash parser code, which has produced six CVE identifiers (so far): CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187. Hackers were actively exploiting them within a few days, as reported by Wired, The New York Times, Businessweek, and elsewhere. The initial attacks were just denial of service (vandalism is always an easy starting point), but more intrusive attacks followed, for example an infiltration of Yahoo servers by Romanian hackers.
One problem is that people want to put off the hassle of patching, so they make excuses: they don’t provide remote shell services, and they don’t have any shell-based network services exposed to the Internet.
Are you absolutely certain?
Web servers can use the Common Gateway Interface (or CGI) method to handle requests by running programs on the server. Apache’s documentation warns that CGI programs can be “extremely dangerous if they are not carefully checked.”
Any program run on behalf of a possibly hostile client could invoke a Bash shell to do some work. C/C++ programs can use the system() call to execute a shell command. A C programmer who appreciates the immense power of a pipeline of commands such as sort coupled with regular expressions will quickly embed a call to system() in a program. Why reinvent an awfully complex wheel?

The problem is that the underlying C function hands the command line to “the standard shell”, which is /bin/sh. But look at what that means on Linux:
$ ls -ld /bin /usr/bin/sh /usr/bin/bash
lrwxrwxrwx 1 root root      7 Feb  3  2014 /bin -> usr/bin
-rwxr-xr-x 1 root root 810048 Oct  6 10:34 /usr/bin/bash
lrwxrwxrwx 1 root root      4 Oct  9 12:49 /usr/bin/sh -> bash
/bin/sh is really /usr/bin/sh due to some fairly recent rearrangements of the Linux file system (/bin is now a symbolic link to usr/bin, as the listing shows). The security issue here is that there is no simple standalone shell; the standard system shell is
This is why we emphasize the need for prompt patching in Learning Tree’s Linux Administration and Support course. Patch your systems!