Linux Bash bug could be bigger threat than Heartbleed

leemoo

A bug in the Bash software used to control the command prompt in many Unix computers could be a bigger threat than the Heartbleed OpenSSL bug, security experts have warned.

They have urged any organisation running Unix-based computers to install the security update immediately.

Hackers could exploit the flaw in Bash (Bourne Again Shell) to take complete control of a targeted system, prompting the UK Computer Emergency Response Team (CERT-UK) to issue an alert.

According to the alert, the Bash bug affects Unix-based operating systems, including Linux. However, CERT-UK said it is not yet clear whether other Unix-based systems, such as Apple’s Mac OS X, Google’s Android and other embedded systems in internet of things (IoT) devices, are affected.

To test if a system is vulnerable, CERT-UK said users can enter the command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

More info: Bash bug could be bigger threat than Heartbleed
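The CERT-UK test quoted in the post above can be wrapped so that it runs against every bash binary on a host and classifies the result. This is an added example, not part of the original post or the CERT-UK alert; the function names and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: run the CERT-UK test from the post against a given bash binary.
# Function names and candidate paths are illustrative assumptions.

nl='
'

# classify_output TEXT
# Judge the result from standard output only. A patched bash may print its
# warnings on stderr or print nothing extra, so stderr is not used here.
classify_output() {
    case "$1" in
        "vulnerable${nl}this is a test") echo "vulnerable" ;;
        "this is a test")                echo "not vulnerable" ;;
        *)                               echo "inconclusive" ;;
    esac
}

# check_bash PATH
# Runs the same command as in the post, with PATH in place of "bash".
check_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "inconclusive"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" \
              -c "echo this is a test" 2>/dev/null) || out=""
    classify_output "$out"
}

# scan_bash_binaries
# Checks each copy of bash found in a few common locations (assumed list;
# extend it for hosts that ship bash elsewhere, e.g. inside chroots).
scan_bash_binaries() {
    for p in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        if [ -x "$p" ]; then
            printf '%s: %s\n' "$p" "$(check_bash "$p")"
        fi
    done
    return 0
}

scan_bash_binaries
```

Any path reported as vulnerable needs the vendor's bash update; a host can carry more than one copy of bash, so one clean result does not cover the others.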
 
Until a patch is available, connect to your systems remotely using encryption (VPN to the router etc.) and close any ports that allow direct access to Bash or services that could spawn to it such as Apache.

This exploit has been around for a while though so don't get too paranoid :)
 
You're right, mate, it has been around for a while, just like Heartbleed.
But now it has been made public, it's a case of whether the criminals can penetrate the internet-facing systems with this vulnerability before they can patch them.

Makes you wonder, the NSA and other similar agencies must surely have known about these and exploited them for their own gain.

How many more exploits like this are about that we don't know about is the big question for me?!
 