Bash Bug Has Cloud Providers, Linux Distro Firms on High Alert

The widespread critical vulnerability Shellshock is the new Heartbleed. Also dubbed the “Bash Bug,” it affects GNU Bash, a very common open source program. It’s a major vulnerability but might not be a major threat depending on how quickly everything gets patched.

The GNU Bash bug is widespread and requires very little technical knowledge to exploit. It allows someone to remotely take control of a system that uses Bash. It is on par with the recent Heartbleed vulnerability in terms of the scale of potential damage.

GNU Bash is a command shell used on Linux, Mac OS X and BSD. Linux is everywhere. It’s on more than half the servers on the Internet, on Android phones, and most connected devices collectively referred to as the “Internet of Things,” thanks to Linux being open source and often the OS of choice for web stuff.

Complicating the matter is the fact that there are many Linux distributions. All of the major distribution providers have released a patch available in the base repository that provides at least a partial fix. Many are working feverishly towards fixing the vulnerability.

Cloud and hosting providers are all trying to keep customers safe. Given the amount of customers on a cloud and the amount of control they have over configurations, the vulnerability is a major concern.

This problem is not unique to one service provider, though all providers are notifying customers. Rackspace, for example, is advising customers to patch, and others are providing ongoing status or rolling out patches to those that have automatic updates. Updates for Rackspace customers are available at

Popular digital currency Bitcoin is also a potential target. Bitcoin Core is controlled by Bash, possibly affecting Bitcoin miners and systems. Given the worth of Bitcoin, it’s a potentially attractive target, according to Trend Micro.

Major Linux distro provider Red Hat updated customers today: “Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.

Trend Micro has seen attacks in the wild already. It is providing some tools here.

Troy Hunt goes into more detail about Bash, what it is, what the problem is and the potential ramifications. “The potential is enormous – ‘getting shell’ on a box has always been a major win for an attacker because of the control it offers them over the target environment,” he writes.

Get Daily Email News from DCK!
Subscribe now and get our special report, "The World's Most Unique Data Centers."

Enter your email to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.

About the Author

Jason Verge is an Editor/Industry Analyst on the Data Center Knowledge team with a strong background in the data center and Web hosting industries. In the past he’s covered all things Internet Infrastructure, including cloud (IaaS, PaaS and SaaS), mass market hosting, managed hosting, enterprise IT spending trends and M&A. He writes about a range of topics at DCK, with an emphasis on cloud hosting.

Add Your Comments

  • (will not be published)