Article updated at 16:00. Alerts that the flaw is being exploited are already multiplying. The Australian CERT raised the alarm first, but it is not the only one. Security researcher Yinette says they have also observed the first attacks. For his part, another researcher, Robert Graham, has reportedly identified 3,000 vulnerable systems.
“bash”, or “Bourne Again Shell”, is the default command-line environment on Linux and Unix systems, including Mac OS X. A flaw in this component represents a serious security risk for users of these systems.
Now researcher Stéphane Chazelas has identified precisely such a vulnerability in Bash, a flaw that, according to several security experts, could pose a greater risk than Heartbleed, which affected the OpenSSL libraries.
More dangerous than Heartbleed
The vulnerability lies in the way Bash interprets environment variables. An attacker who can supply specially crafted variables could exploit this flaw to execute shell commands.
In theory, carrying out such an attack requires the attacker to already have access to the vulnerable system. However, Red Hat's security team states that “certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”
Therefore, if an application invokes a Bash shell command via an HTTP or CGI (Common Gateway Interface) script in a way that lets the user supply data, the web server is vulnerable to attack.
Thus, according to Andy Ellis, director of IT security at Akamai Technologies, the Bash vulnerability potentially affects a large number of applications. The risk is further increased when applications call scripts as root, the superuser.
A vulnerability already exploited
Lexsi, which refers to the flaw as “Shellshock,” even says that it “is trivially exploitable with only 3 lines of code.” The security firm notes that this vulnerability, “over 20 years” old, has already been exploited.
To prevent attacks, it is preferable to validate the inputs accepted by web applications and to disable CGI scripts that call the shell. Akamai also recommends switching to a shell other than Bash. However, not all shells use the same syntax or offer the same functions, so applications may malfunction.
Finally, it is essential to download the available patches. The Bash developers have patched versions 3.0 to 4.3. As for distributions, Red Hat and Debian offer patches in the form of packages. The other vendors concerned should follow suit shortly.
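The CGI vector described above leaves a trace: the attacker's environment variable arrives as an HTTP header, which the web server writes to its access log. The following scanner, added here as an illustration rather than code from the article or from any vendor it cites, flags Apache combined-format log lines whose Referer or User-Agent carries a bash function definition and notes whether the request targeted a CGI handler. The log lines are constructed samples, and the field names are my own.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { :; }; echo probe" "curl/7.37.0"
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /about.html HTTP/1.1" 404 0 "-" "() { x; }; echo probe"
"""

# Apache combined log: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The exported-function prefix that Bash recognises in an environment variable:
# "()" followed by optional whitespace and "{". Matching on the prefix rather
# than on what follows it catches any variant of the trailing payload.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line whose Referer or User-Agent header
    carries a bash function definition. Each finding records the client IP,
    which header it was in, the requested path, and whether that path points
    at a CGI handler (where a header reaches Bash as an environment variable)."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for field in ("referer", "agent"):
            if FUNC_DEF_RE.search(m.group(field)):
                parts = m.group("request").split()
                path = parts[1] if len(parts) > 1 else ""
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    "path": path,
                    "cgi": "/cgi-bin/" in path or path.endswith(".cgi"),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit against a non-CGI path is still worth recording, since it shows the source scanning for the flaw even if that request could not reach Bash.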