Shellshock Bash bug could be bigger than Heartbleed
Although it seems that the Heartbleed bug wasn't exploited before its existence was disclosed, that doesn’t mean the security world can rest on its laurels.
The latest problem to be revealed is a bug in the commonly used Bash command interpreter that poses a critical risk to Linux and Unix systems. And since these form the backbone of the internet and are in many other systems as well it's a threat to the rest of us too.
The bug called Shellshock, discovered by Linux specialist Stephane Chazelas, is present in versions of Bash up to and including 4.3 and has potentially been there for many years. It poses a particular risk to Apache web servers. CGI scripts that use or invoke Bash are vulnerable to remote-code injection. This includes any child processes spawned by a script. OpenSSH and some DHCP clients are also affected on machines that use Bash.
Systems based on Debian -- including Ubuntu -- shouldn't be at risk since they use Dash. However, it's possible versions of Bash may be present so it's important that admins check which interpreters are installed and patch them if needed.
According to Darien Kindlund of security company FireEye, "It's worse than Heartbleed, in that it affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages".
A further problem is that Apple systems use Bash as the basis of their command line Terminal program. In addition Robert Graham of Errata Security warns that, "Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world".
Graham also notes, "Unlike Heartbleed, which only affected a specific version of OpenSSL, this Bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed".
Linux distros have responded quickly and patches are already available for most major flavors. Apple had yet to respond at the time of writing but advice on testing for and responding to Shellshock is available at StackExchange.
Security company Secunia has released an advisory saying that the patch issued by GNU -- the open source project behind Bash -- is ineffective but GNU is expected to "release another patch today due to the criticality of this vulnerability".
Security researchers Bromium Labs suggests that, "... this likely won't be the last vulnerability found in Bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required".