The widespread critical vulnerability Shellshock is the new Heartbleed. Also dubbed the “Bash Bug,” it affects GNU Bash, a very common open source program. It’s a major vulnerability but might not be a major threat depending on how quickly everything gets patched.
The GNU Bash bug is widespread and requires very little technical knowledge to exploit. It allows someone to remotely take control of a system that uses Bash. It is on par with the recent Heartbleed vulnerability in terms of the scale of potential damage.
GNU Bash is a command shell used on Linux, Mac OS X and BSD. Linux is everywhere. It’s on more than half the servers on the Internet, on Android phones, and most connected devices collectively referred to as the “Internet of Things,” thanks to Linux being open source and often the OS of choice for web stuff.
Complicating the matter is the fact that there are many Linux distributions. All of the major distribution providers have released a patch available in the base repository that provides at least a partial fix. Many are working feverishly towards fixing the vulnerability.
Cloud and hosting providers are all trying to keep customers safe. Given the number of customers on a cloud and the amount of control those customers have over configurations, the vulnerability is a major concern.
This problem is not unique to one service provider, though all providers are notifying customers. Rackspace, for example, is advising customers to patch, and others are providing ongoing status or rolling out patches to those that have automatic updates. Updates for Rackspace customers are available at https://status.rackspace.com/.
Popular digital currency Bitcoin is also a potential target. Bitcoin Core is controlled by Bash, possibly affecting Bitcoin miners and systems. Given the worth of Bitcoin, it’s a potentially attractive target, according to Trend Micro.
Major Linux distro provider Red Hat updated customers today: “Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.”
Trend Micro has already seen attacks in the wild. It is providing some tools.
Troy Hunt goes into more detail about Bash, what it is, what the problem is and the potential ramifications. “The potential is enormous – ‘getting shell’ on a box has always been a major win for an attacker because of the control it offers them over the target environment,” he writes.