Last week we posted a discussion of the GNU BASH "Shellshock" vulnerability, which affects Unix/Linux-based operating systems, including Apple's OS X, Oracle products, Apache web servers and routers worldwide. BASH is free software that, by common estimates, is present on more than 70% of the machines that connect to the Internet.
A little more background: BASH is an acronym for the Bourne Again Shell, a command processor written by Brian Fox and released in 1989 for the GNU open source operating system (GNU stands for "GNU's Not Unix!"). Linux, the open source kernel Linus Torvalds began 23 years ago, is shipped by most distributions with BASH as the default shell. Linux is the most widely ported OS in the world and runs the majority of today's enterprise servers, mainframes and supercomputers.
BASH is now maintained by Chet Ramey, a volunteer at Case Western Reserve University in Ohio. When the Shellshock vulnerability was announced last week, Ramey immediately released patches that were thought to fix it.
When Shellshock popped up on the industry's collective radar, two patches were released in short order; the second addressed CVE-2014-7169, a bypass of the first fix found by Google researcher Tavis Ormandy. Over the weekend his colleague Michal Zalewski found further weaknesses in the patched code, resulting in two more CVEs, CVE-2014-6277 and CVE-2014-6278. The first of these "is a parsing issue that can most likely be exploited remotely," according to Zalewski's blog.
The other newly discovered flaw (CVE-2014-6278) may be the most damaging, because it allows "very simple and straightforward remote code execution on the systems that are patched against the first bug." Zalewski continued, "It's a 'Put your commands here' type of a bug, similar to the original report." He plans to release more details on the vulnerabilities in the coming days.
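The bug class Zalewski describes is BASH importing an exported function from the environment and then continuing to parse, and act on, whatever follows the function body. The following shell script is an added illustration, not code from the original post or from the BASH project: it probes a local bash binary for the original report (CVE-2014-6271) and for the incomplete-patch bypass (CVE-2014-7169). The function names, the marker string and the temporary-directory handling are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or from the Bash project.
# Probes a bash binary for two Shellshock bugs by exporting environment
# variables shaped like function definitions with trailing junk and watching
# whether bash acts on the junk while importing them.
# Return codes: 0 = patched, 1 = vulnerable, 2 = could not run the probe.

# CVE-2014-6271, the original report: an unpatched bash keeps parsing after
# the function body "{ :;}" and executes the command that follows it.
shellshock_check() {
    bash_bin="${1:-bash}"      # bash to test; default is the first one on PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash found at '$bash_bin'"
        return 2
    fi
    # The marker string is chosen here for the example; only a vulnerable
    # bash prints it. Patched versions warn on stderr and ignore the junk.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "VULNERABLE (CVE-2014-6271): $bash_bin ran the command after the function body"
            return 1 ;;
        *)
            echo "patched (CVE-2014-6271): $("$bash_bin" --version 2>/dev/null | head -n 1)"
            return 0 ;;
    esac
}

# CVE-2014-7169, the bypass of the first patch: the malformed definition
# "() { (a)=>\" leaves a redirection pending, so a vulnerable bash parses
# the next command "echo date" as "> echo date", i.e. it runs date and
# writes the output into a file named "echo" in the working directory.
shellshock_check_7169() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash found at '$bash_bin'"
        return 2
    fi
    workdir=$(mktemp -d) || return 2   # isolate the file the probe may create
    ( cd "$workdir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$workdir/echo" ]; then
        rm -rf "$workdir"
        echo "VULNERABLE (CVE-2014-7169): $bash_bin created a file via the leftover redirection"
        return 1
    fi
    rm -rf "$workdir"
    echo "patched (CVE-2014-7169): no stray file created"
    return 0
}

# Run both probes against the bash given as the first argument (or PATH's bash).
for probe in shellshock_check shellshock_check_7169; do
    "$probe" "${1:-bash}" || true
done
```

Run it as `sh shellshock_probe.sh /bin/bash` to test a specific binary. It only examines the bash on the local machine; the later CVEs named in this post (6277, 6278, 7186, 7187) each need their own probe, and the real exposure is any network-facing service that copies attacker-controlled data into the environment before invoking bash. A negative result here is therefore no substitute for installing the vendor's updated bash package.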
Further research revealed two more bugs, CVE-2014-7186 and CVE-2014-7187, whose severity has yet to be established (TechTarget, September 29, 2014). Last week Apple assured users that the vast majority of Macs are not susceptible to Shellshock, and yesterday it released patches; but CNET reports that a third weakness has been discovered. With so many machines across the globe running Unix/Linux with BASH, there will likely be more to come.
When Torvalds released Linux in 1991, he was a 21-year-old student at the University of Helsinki in Finland. His goal was to provide a free (non-proprietary) environment for software developers. Pioneers of the open source movement like Torvalds clearly did not imagine that their technologies would become such critical components of the worldwide cyber infrastructure, exploitable by criminals with the potential to devastate organizations and businesses of all sizes. Had they known, they would most certainly have built security into their systems from the start.
EdgeWave continues to monitor and apply solutions to vulnerabilities in Unix/Linux-based systems and all other platforms 24 hours a day, seven days a week, with military-grade technology and a dedicated cyber security team. We will continue to provide updates on BASH/Shellshock.