GNU Bourne-Again Shell (Bash) Vulnerability – Bash Bug

Bash bug. In the beginning there was the command line: a text conversation with the machine, used in place of a GUI. Commands were used to create, move and delete files. Then came Bash, which lets several instructions be passed together inside quotes ("), acting as a conductor for commands. In programming we declare variables, such as X='This is a vulnerability patch', and recall them later with echo $X. Everything inside those quotes is supposed to be treated as text and never as a command. The bug is a special string of characters that breaks this rule.

But if in Bash you set X='() { :;}; rm -rf /', Bash trips up and starts treating the value as a command-line instruction instead. Different programs talk to each other through Bash: rather than rewriting numerous commands again and again, applications call smaller programs through Bash because it is trusted to be safe.

Risks

Input from the outside world, anything sent by a random user, can be maliciously crafted to include that special string of characters. Anyone with such skills can then run dangerous commands on your web server, which is known as remote code execution. Random users can crash the service, or probably do much more damage by exploiting Bash. The vulnerability potentially allows a remote attacker to run malware, or malicious code, on affected systems. Given the broad use of the Bash software tool, the vulnerability may be present in financial institutions', customers', and third-party service providers' systems. Attackers could use the vulnerability to access and take control of systems, leading to a range of operational risks. These risks may include the loss of confidentiality, integrity, and availability of sensitive customer information and confidential business data. Additionally, such access could facilitate data destruction, disruption of operations, and fraud. And the really bad news is that this bug has sat unnoticed for about 25 years, so there is a great deal of patching to do.

Lesson for end users: make sure your devices are up to date with patches and security fixes.

Servers that need to be patched: anything that runs Bash. Since Bash is used on Unix, Linux and Mac OS flavoured operating systems, Windows isn't included.

How to check whether the patch is applicable on Unix-flavoured machines. This is the command to check whether the installed Bash version is vulnerable:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

    vulnerable
    this is a test

then you are using a vulnerable version of Bash. The patch that fixes this issue ensures that no code is allowed after the end of a Bash function definition. Thus, if you run the above example with a patched version of Bash, you should get output similar to:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

Patches can be downloaded from the repository.
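The check described above, wrapped as a script that reports a status word instead of relying on eyeballing the output, plus a second function showing the legitimate function-export feature (export -f) that the bug lives in. This is an added example, not code from the original post; it assumes a bash binary on PATH (or one passed as the first argument) and uses the same harmless "echo vulnerable" marker as the page's test.

```sh
#!/bin/sh
# Added example (not from the original post): non-destructive Shellshock
# (CVE-2014-6271) self-check. Prints one of: patched, vulnerable, no-bash.

check_shellshock() {
    bash_bin=${1:-bash}   # assumption: bash is on PATH unless a path is given
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # The environment value is a function definition "() { :;}" followed by a
    # trailing command. An unpatched bash runs the trailing command while
    # importing the function; a patched bash refuses the import (warning on
    # stderr, which is discarded here) and only the real command's output remains.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
    return 0
}

# Shows the feature the bug hides in: bash passes functions to child shells
# through the environment. This legitimate path (export -f) keeps working on
# patched versions; only the trailing-command trick is blocked.
legit_function_export() {
    bash_bin=${1:-bash}
    out=$("$bash_bin" -c 'greet() { echo hi; }; export -f greet; bash -c greet' 2>/dev/null) || out=""
    echo "$out"
}

# Exit status for use in monitoring: 0 patched, 1 vulnerable, 2 bash missing.
shellshock_exit_code() {
    case "$(check_shellshock "$@")" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}
```

Run `sh shellshock_check.sh` style with `check_shellshock /bin/bash` to test a specific binary; `shellshock_exit_code` gives a status usable from cron or a configuration-management check.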

References:

FFIEC Joint Statement on the Bash (Shellshock) Vulnerability: http://www.ffiec.gov/press/PDF/FFIEC_JointStatement_BASH_Shellshock_Vulnerability.pdf

US-CERT, "Bourne-Again Shell (Bash) Remote Code Execution Vulnerability" (CVE-2014-6271 and CVE-2014-7169): http://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

FFIEC Information Technology Examination Handbook, "Development and Acquisition": http://ithandbook.ffiec.gov/it-booklets/development-and-acquisition.aspx

FFIEC Information Technology Examination Handbook, "Information Security": http://ithandbook.ffiec.gov/it-booklets/information-security.aspx

FFIEC Information Technology Examination Handbook, "Operations": http://ithandbook.ffiec.gov/it-booklets/operations.aspx

FDIC Financial Institution Letter FIL-49-2014: https://www.fdic.gov/news/news/financial/2014/fil14049.html
