You’ve probably read the news about the Shellshock vulnerability this morning. Yup – we have a new one on our hands: a newly discovered problem that has nevertheless existed for about 22 years. The CVE-2014-6271 summary states:
“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.”
Invisible Threat describes it even better:
“A fun Bash bug: it doesn’t stop interpreting a variable at the end of a function, and is, therefore, susceptible to arbitrary command execution. If you’re using CGIs, this becomes RCE.”
Invisible Threat nailed it – Bash is susceptible to arbitrary command execution. In my post “Security layers above framework level” I touched upon the problem that many developers think the framework should take care of security, and that getting to know a framework takes a lot of effort. In retrospect I should have said “tool chain” instead of framework. Bash IS a part of the tool chain, and so is Apache, not just the framework. I admit that knowing the intricate details of every part of the tool chain is impossible.
So – in a corporate setting – what are we to do now? First and foremost we need to understand the big picture of the vulnerability: get to know the gritty details and where and how it can hurt us. Then we must make sure that our core systems are not affected, and find out when we can expect them to be fully updated and patched. Our core systems may be our internal IT system(s) and those of our hosting partners (past and present). Being open in communication is vital. Also, now is the time to work on that emergency plan the company was advised to make several years ago. And then go on to work on making your product(s) even safer.
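To make the mechanism in the two quotes concrete, and to give a quick check for the “are our core systems affected” step, here is an added example that is not part of the original post. It is plain POSIX shell that calls out to bash; the function names shellshock_probe and exported_function_demo are my own, the header value is constructed, and no web server is involved: the HTTP_USER_AGENT case only mimics what mod_cgi does when it copies a request header into the CGI script’s environment.

```shell
# Added example, not from the original post. Function names are hypothetical.

# The legitimate feature the bug lives in: bash can hand a shell function to a
# child bash through the environment (export -f). This works on patched and
# unpatched versions alike and is not the problem by itself.
exported_function_demo() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
  bash -c 'greet() { echo "hello from exported function"; }; export -f greet; bash -c greet'
}

# The bug: a vulnerable bash keeps parsing after the closing brace of an
# imported function definition, so whatever follows "() { :;};" runs while the
# child bash starts up, before the command it was asked to run. The variable
# name is the first argument, so the same probe covers the classic "x" and the
# CGI case, where the request's User-Agent header becomes HTTP_USER_AGENT.
shellshock_probe() {
  name=${1:-x}
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
  # A patched bash may warn about the ignored definition on stderr; silence it.
  out=$(env "$name=() { :;}; echo SHELLSHOCK_INJECTED" bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_INJECTED*) echo "vulnerable" ;;
    *) echo "patched" ;;
  esac
}

echo "export -f demo:      $(exported_function_demo)"
echo "plain env probe (x): $(shellshock_probe x)"
# Constructed header: what mod_cgi would put in the environment from
# "User-Agent: () { :;}; echo SHELLSHOCK_INJECTED" before running a bash CGI.
echo "CGI-style probe:     $(shellshock_probe HTTP_USER_AGENT)"
```

On a patched bash both probes print “patched”: the value is imported as an ordinary string (or, on newer releases, only variables named BASH_FUNC_name%% are considered for function import at all), so the trailing command never runs. On a vulnerable bash the probe prints “vulnerable” because SHELLSHOCK_INJECTED was echoed before “probe”, which is exactly the ordering an attacker relies on: their command runs before the CGI script gets a say.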
I might come back to this topic when the dust has settled.