1. The Bash Bug explained!
What is Bash?
Bash is a shell: a program that translates your commands into something the device's operating system can understand, in other words a command language interpreter for the operating system. The name is an acronym for the 'Bourne-Again SHell', a pun on Stephen Bourne, the author of the direct ancestor of the current Unix shell sh, which appeared in the Seventh Edition Bell Labs Research version of Unix. Bash is the default shell and is quite portable. It currently runs on nearly every version of UNIX and a few other operating systems.
The bad news
Security researchers have discovered a vulnerability in the system software used in millions of
computers, opening the possibility that attackers could execute arbitrary commands on web
servers, other Linux-based machines and even Mac computers.
The bug was discovered by Stéphane Chazelas, a French IT manager working for a software
maker in Scotland.
Some researchers say Shellshock, which affects Bash (which is why it's often simply called the
"Bash Bug"), is potentially more serious and widespread than the Heartbleed bug discovered in
April, though the two vulnerabilities are quite different in nature.
Unlike Heartbleed, which forced users to change their passwords for various Internet services,
Shellshock doesn't appear to have any easy solutions for average users right now. In most cases,
it will be up to system administrators and software companies to issue patches.
2. The Risk
Here's how the bash bug works, as explained by cybersecurity expert Robert Graham.
The problem stems from a flaw in "bash," a type of computer program called a shell. A shell translates commands from you to a device's operating system. Think of it as an efficient middleman. Lots of Internet-connected devices use the bash shell to run commands, like "turn on" and "turn off." Generally, a device that communicates using a bash shell also looks for extra information, like what browser or device you're using. And that's where the problem lies.
If a hacker slips bad code into this extra data, they can sneak past a device's safeguards.
A "smart," Internet-connected light bulb then suddenly becomes a launchpad to hack everything
else behind your network firewall, Graham said. That could be your home computer, or a
retailer's payment terminals, or a government office's sensitive database of information.
"This is the problem with the 'Internet of Things.' We're putting all these things on the Internet
without any expectation of actually patching them in the future," Graham said.
After conducting a scan of the Internet to test for the vulnerability, Graham reported that the bug
"can easily worm past firewalls and infect lots of systems" which he says would be "'game over'
for large networks".
The Shell
Tod Beardsley, an engineering manager at security firm Rapid7, warned that even though the vulnerability's complexity was low, the wide range of devices affected requires that system administrators apply patches immediately.
"This vulnerability is potentially a very big deal," Beardsley told CNET. "It's rated a 10 for
severity, meaning it has maximum impact, and 'low' for complexity of exploitation -- meaning
it's pretty easy for attackers to use it.
"The affected software, Bash, is widely used so attackers can use this vulnerability to remotely
execute a huge variety of devices and Web servers. Using this vulnerability, attackers can
potentially take over the operating system, access confidential information, make changes etc.
Anybody with systems using bash needs to deploy the patch immediately."
What makes this particular bug problematic is the fact that Bash is the default shell in Mac OS X
and many Linux machines, meaning it's also used in many web servers.
3. Much worse is the fact that a lot of applications invoke Bash for many different reasons, opening
the path for a number of different ways to exploit this vulnerability.
Red Hat's security team explains this: "This issue affects all products which use the Bash shell
and parse values of environment variables. This issue is especially dangerous as there are many
possible ways Bash can be called by an application. Quite often if an application executes
another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash
shell, this issue is quite serious and should be treated as such."
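The two passages above describe the mechanism: request details such as the browser identification end up in environment variables, and Bash parses a value that starts with a function definition. From the defender's side, that gives a simple thing to look for in web server logs. The following is an added example, not code from the page or from any of the vendors quoted: it scans a constructed access-log sample (the IP addresses, timestamps and paths are made up for this example) for the "() {" prefix that marks a function definition in an environment variable value, and lists the source addresses of the lines that carry it.

```shell
#!/bin/sh
# Added example (not from the original page): flag access-log lines whose header
# field carries the "() {" function-definition prefix that Bash parses in
# environment variable values, and list the client addresses that sent them.

# Constructed sample log in common web-server format (addresses from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24; not real traffic).
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.30.0"'

# Fixed-string prefix that Bash treated as an exported function definition.
SHELLSHOCK_PREFIX='() {'

# Print every log line that contains the prefix anywhere in the record.
flag_shellshock_lines() {
    printf '%s\n' "$1" | grep -F "$SHELLSHOCK_PREFIX"
}

# Count matching lines. grep -c prints 0 but exits 1 when nothing matches, so
# the trailing "|| true" keeps the count usable under "set -e".
count_shellshock_lines() {
    printf '%s\n' "$1" | grep -Fc "$SHELLSHOCK_PREFIX" || true
}

# Print the client address (first field) of each matching line, one per line,
# which is the list a responder would feed into a block list or a hunt.
list_shellshock_sources() {
    printf '%s\n' "$1" | grep -F "$SHELLSHOCK_PREFIX" | cut -d' ' -f1
}

# Stand-alone usage: report on the constructed sample.
echo "suspicious lines: $(count_shellshock_lines "$SAMPLE_LOG")"
list_shellshock_sources "$SAMPLE_LOG"
```

The match is deliberately a fixed string rather than a regular expression so that it cannot be fooled by regex metacharacters in log data; the cost is that only the exact prefix is reported, so treat it as a first-pass triage filter over logs, not as a substitute for patching Bash.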
The Test
There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system,
from a command line, type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a
blanket update of their versions of Bash in any case.
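When the test above has to be run across many hosts, or against more than one Bash binary on a host, it helps to capture and classify its output rather than read it by eye. The following is an added example, not from the page: it runs the page's own test command against a Bash binary given as an argument (the path argument and the vulnerable/patched/unknown labels are this example's conventions) and classifies the combined stdout and stderr. The classifier is separate from the runner so that it can be exercised on constructed output without needing a vulnerable Bash.

```shell
#!/bin/sh
# Added example (not from the original page): run the page's Shellshock test
# against a chosen Bash binary and classify the combined output.

# Classify captured output of the test command.
#   vulnerable : the trailing "echo vulnerable" executed, so the definition was parsed
#   patched    : Bash refused the definition and printed its warning
#   unknown    : anything else (binary missing, unexpected wording, etc.)
# "vulnerable" is checked first because seeing it means the injected command ran.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *"ignoring function definition attempt"*) echo patched ;;
        *) echo unknown ;;
    esac
}

# Run the page's test with the given Bash binary (default: bash on PATH).
# The warning from a patched Bash goes to stderr, so stderr is merged into
# stdout before classification. "|| true" keeps a missing binary from aborting
# a caller that runs with "set -e"; it is reported as unknown instead.
check_bash_binary() {
    bash_bin="${1:-bash}"
    output=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1 || true)
    classify_shellshock_output "$output"
}

# Stand-alone usage: check one binary, e.g. "./check.sh /bin/bash".
echo "$(check_bash_binary "${1:-bash}") : ${1:-bash}"
```

A result of "unknown" is worth a second look rather than a pass: it is what you get when the path is wrong or when the shell at that path is not Bash at all, and neither of those tells you anything about the Bash that is actually installed.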