by Bas

The ‘Shellshock’ vulnerability in bash

As you may already have read, late yesterday a serious vulnerability called 'Shellshock' was found in bash, a software package used on virtually every Linux, Unix and Mac OS X server. Bash is best known as a shell interpreter that allows logged-in users to execute commands.

Apart from this, bash is used extensively in a number of other ways: in shell scripts, as a supporting language for packages such as CUPS and DHCP clients, and in some cases as the language of choice for CGI scripts.

The vulnerability disclosed yesterday allows attackers to manipulate environment variables whose contents are then treated as commands and executed by bash. In theory, therefore, every system running bash is vulnerable; the extent to which a given system is actually exposed depends on how bash is used on it.

In practice this means that most systems are not vulnerable to remote attacks but only to local ones; only a small percentage of all systems is remotely exploitable. However, since it is quite difficult to determine whether a system is indeed vulnerable to remote attacks, it is recommended to upgrade as soon as possible.
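The following script is an added example, not part of the original post and not CloudVPS's own tooling. It shows the mechanism described above in the way a defender checks for it: an environment variable that looks like an exported bash function followed by a trailing command is handed to bash, and the script observes whether the trailing command ran. The probe string is the widely circulated one-line test; the function names (shellshock_check, shellshock_verdict) and the list of interpreter paths are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): probe a bash binary for the
# environment-variable function-import flaw described above.
#
# The environment variable below is a constructed input. It looks like an
# exported bash function ("() { :;}") followed by a trailing command.
# A vulnerable bash parses the function definition at startup and keeps
# executing past the closing brace, so "echo vulnerable" runs before the
# command we actually asked for. A patched bash stops at the brace (or
# ignores the variable entirely) and only runs "echo test".

# shellshock_check BASH_PATH
#   returns 0 if the trailing command was executed (vulnerable),
#   returns 1 if it was ignored (patched),
#   returns 2 if BASH_PATH cannot be run at all (skipped, not "safe").
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Only stdout is inspected: early patched versions print a warning on
    # stderr ("ignoring function definition attempt"), which is the safe case.
    out=$(env probe='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# shellshock_verdict BASH_PATH: human-readable wrapper around the exit code.
shellshock_verdict() {
    if shellshock_check "$1"; then
        echo "VULNERABLE: $1 executes commands appended to environment variables"
        return 0
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "SKIPPED: $1 not found or not executable"
        else
            echo "OK: $1 ignores the trailing command"
        fi
        return "$rc"
    fi
}

# Check the bash on PATH plus the locations where extra copies often live
# (assumed list; extend it for your hosts). Non-zero results are reported,
# not treated as script failures.
for b in bash /bin/bash /usr/local/bin/bash; do
    shellshock_verdict "$b" || :
done
```

A VULNERABLE verdict tells you only that the interpreter is affected. Whether that makes the host remotely exploitable depends on how bash is reached from the outside (the CGI scripts, DHCP clients and similar uses mentioned above), which this check cannot see, so treat the verdict as a reason to install the vendor update and re-run the check afterwards to confirm the fix took effect.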

Protection

All large Linux distributions (Red Hat, Ubuntu, Debian, Mint etc.) have released updates through their regular channels. These updates fix the most important vulnerabilities but, as was announced today, unfortunately not all of them. The remaining ones are considered to be of much lower risk, so the advice to upgrade as soon as possible stands.

The definitive update is expected to be released soon and will be made available again through the regular channels.

To install the update on RPM-based systems the following command can be used:

yum update bash

To install the update on Debian-based systems the following command can be used:

apt-get update && apt-get install bash

CloudVPS Actions

As this vulnerability comes with great risks we have upgraded both the CloudVPS infrastructure and most servers of customers with an SLA2 or SLA3. If you don’t have an additional service level agreement but would like us to update your server please send us an email at support@cloudvps.com. We’re happy to install the updates for you for a small fee.

More information

More information about the incomplete update can be found here:
https://access.redhat.com/articles/1200223

For a more technical background to this vulnerability please see here:
http://seclists.org/oss-sec/2014/q3/650 and http://seclists.org/oss-sec/2014/q3/685
