Posted by: Tony Gravagno in: Tech
A security bug in BASH has been identified. News is spreading fast all over the internet. Details here – or just Google for “shellshock”. Updates will be made to this blog page as required. This page will be focused on the MultiValue industry and will not be updated with general breaking news, as that information is easily found elsewhere.
This bug is being referred to as a Linux bug but it also affects OS-X and Cygwin. At this times AIX does not appear to be affected. Routers and other Linux-based hardware devices are subject to the issue. It does not affect Windows.
Most CGI utilities come in through BASH. CGI sets environment variables which are then passed to your application. The bug allows an inbound HTTP header to be set (very easily), where an unexpected command can then be executed on Linux. This happens during BASH initialization, before your code runs.
It seems other vectors of attack are being discovered. For example, some systems have /bin/sh symbolically linked to /bin/bash – so you think you’re not running BASH but you are. It’s possible that OpenSSH has some vulnerabilities, as well as some DHCP clients. KSH and Dash should be safe but switching shells can be difficult.
This is not a new issue. It is a flaw that has existed for decades but has only recently been discovered. Old systems are no more or less protected than newer ones. Old systems will need to be patched or replaced.
This issue is going to be severe for many sites. If you or your clients are running Apache and don’t explicitly need CGI, disable all CGI directories in your HTTP configuration. If you need CGI, you must patch systems ASAP. This applies to all sites running FlashCONNECT, Coyote, and possibly other connectivity products for D3 and other MultiValue platforms. It is expected that bots will quickly start trying to infect machines using this simple exploit.
What do you need to do?
EDIT: See the 01-Oct-2014 update.