The Bash Vulnerability: How to Protect your Environment

A recently discovered hole in the security of the Bourne-Again Shell (bash) has the majority of Unix/Linux (including OS X) admins sweating bullets. You should be, too: attackers have already developed exploits to unleash on unpatched web servers, network services and daemons that use shell scripts with environment variables (this can include network equipment, industrial devices, etc.).
Jaime Blasco, AlienVault Labs Director, gives a good explanation of the exploit in this blog post. And, the video below gives you a quick overview of how AlienVault Unified Security Management (USM) can detect malicious traffic on your network trying to locate and exploit this vulnerability.
Basically, this vulnerability allows an attacker to execute shell commands directly on a server, due to an issue in how bash interprets environment variables (such as “cookie”, “host”, “referrer”). Once they have access to run shell commands, they own the server.
What can I do?

If you’re already sanitizing inputs across your web applications to protect against SQL injection and cross-site scripting, you’re on the right track. This will give you at least a basic defense.

While CGI is still around on most sites, it is usually restricted to little bits of code that have been around for years. These bits of code have probably not been updated, under the rule of thumb “If it ain’t broke, don’t fix it.”

Well – guess what? It’s broke. Fix it. It’s time to find an alternative. But, in the meantime, it’s a good idea to disable any CGI that calls on the shell.
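
One way to find the CGI programs to disable first, as an added example that is not from the original post: a POSIX shell audit that flags files under a CGI directory that are shell scripts or contain common shell-invoking calls. The directory argument, the two patterns and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag CGI programs that run
# under a shell or call out to one, as candidates to disable or rewrite.
# Assumption: CGI programs live under one directory, passed as $1.

# Heuristic patterns constructed for this example; extend for your stack.
# /bin/sh is matched too because on some systems it is bash.
SHEBANG_RE='^#!.*[/[:space:]](ba)?sh([[:space:]]|$)'
CALL_RE='(^|[^[:alnum:]_])(system|popen|shell_exec|passthru)[[:space:]]*\(|shell[[:space:]]*=[[:space:]]*True'

# Print "path<TAB>reason" for each file under $1 that needs review.
# File names containing newlines are not handled.
audit_cgi_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if head -n 1 "$f" | grep -Eq "$SHEBANG_RE"; then
            printf '%s\tshell script\n' "$f"
        elif grep -Eq "$CALL_RE" "$f"; then
            printf '%s\tcalls out to a shell\n' "$f"
        fi
    done
}

# Build a small constructed cgi-bin tree so the audit runs offline.
make_sample_cgi_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho "Content-type: text/plain"\necho\ndate\n' > "$d/status.cgi"
    printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\n";\nsystem("uptime");\n' > "$d/uptime.pl"
    printf '#!/usr/bin/python\nprint("Content-type: text/plain\\n")\nprint("ok")\n' > "$d/hello.py"
    printf '%s\n' "$d"
}

# Audit the directory given on the command line, else the sample tree.
if [ "$#" -gt 0 ]; then
    audit_cgi_dir "$1"
else
    sample=$(make_sample_cgi_dir) || exit 1
    audit_cgi_dir "$sample"
    rm -rf "$sample"
fi
```

A hit marks a file for review rather than proving exposure; a clean result only means these heuristics found nothing.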

Some have recommended using something other than bash in your applications (Dash, Fish, Zsh, Csh, etc.), but be sure to put some thought and careful planning into that instead of a knee-jerk ‘rip and replace’. Certain shells might work differently or even be missing some of the bash functionality that your applications rely on, rendering them inoperable.
