Thursday, September 25, 2014

Bash Unix / Linux: a critical flaw identified and exploited – ZDNet

Article updated at 16:00 – Alerts about exploitation of the flaw are already beginning to multiply. The Australian CERT raised the alarm first, but it is not the only one. Security researcher Yinette also reports having observed the first attacks. For his part, another researcher, Robert Graham, has reportedly identified 3,000 vulnerable systems.

“bash”, or “Bourne Again Shell”, is the default command-line shell on Linux and Unix, including Mac OS X. A flaw in this component represents a serious security risk for users of these systems.

Now a researcher, Stephane Chazelas, has identified precisely such a vulnerability in Bash, a flaw that, according to several security experts, could present a higher risk than Heartbleed, which affected the OpenSSL libraries.

More dangerous than Heartbleed

The vulnerability lies in the way Bash interprets environment variables. It could allow an attacker who controls specially crafted variables to exploit this software flaw and execute shell commands.

But, in theory, to carry out such an attack, the attacker would already need access to the vulnerable system. However, Red Hat's security team states that “certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”

Therefore, if an application invokes a Bash shell command via HTTP or a CGI (Common Gateway Interface) script in a way that lets the user supply data, the web server is vulnerable to attack.

Thus, according to Andy Ellis, director of IT security at Akamai Technologies, the Bash vulnerability potentially affects a large number of applications. The risk is further increased when applications call scripts as root or superuser.

A vulnerability already exploited

Lexsi, which refers to the flaw as “Shellshock,” even said that it “is trivially exploitable with only 3 lines of code.” Over the “more than 20 years” the flaw has existed, it has already been exploited, the security firm found.

To prevent attacks, it is preferable to validate inputs to web applications and to disable CGI scripts that call the shell. Akamai also recommends switching to a shell other than Bash. However, not all shells use the same syntax and equivalent functions, so applications may encounter malfunctions.
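The article explains that the flaw is triggered through environment variables, which a web server populates from client-supplied HTTP headers before running a CGI script, and then recommends controlling inputs. The following Python script is an added example, not code from the original article or from any of the vendors it names; it shows the defender's side of both points: how headers become CGI environment variables, how to drop any variable whose value carries a shell function-export signature before a child process is launched, and how to scan access-log lines for the same signature. The header names, documentation-range IP addresses and log lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# A value that begins with "() {" is the shape of an exported shell function
# definition; a benign header never looks like this, so it is the signature
# that intrusion detection rules key on. Whitespace is matched loosely so
# minor spacing variations are still caught.
_FUNC_EXPORT = re.compile(r"^\s*\(\s*\)\s*\{")

# Quoted fields of a common/combined access-log line (request, referer, agent).
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample log lines (documentation-range addresses); the second
# carries a harmless probe-style User-Agent that matches the signature.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
]


def is_function_export(value: str) -> bool:
    """True if a header or environment value looks like a bash function export."""
    return bool(_FUNC_EXPORT.match(value))


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror the CGI convention: header 'User-Agent' becomes HTTP_USER_AGENT.

    This is exactly how attacker-controlled text reaches the environment of a
    CGI child, which is why the values must be checked before the child runs.
    """
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def scrub_cgi_env(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (clean_env, dropped_names), removing values with the signature.

    The clean dict is what a hardened server would pass as env= to the CGI
    child (launched without shell=True, so no Bash parses the values at all).
    """
    clean: Dict[str, str] = {}
    dropped: List[str] = []
    for key, value in env.items():
        if is_function_export(value):
            dropped.append(key)
        else:
            clean[key] = value
    return clean, dropped


def scan_access_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, offending_field) for every quoted field that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for field in _QUOTED.findall(line):
            if is_function_export(field):
                hits.append((number, field))
    return hits


if __name__ == "__main__":
    # Constructed request headers: one normal, one carrying the signature.
    headers = {"Host": "example.test", "User-Agent": "() { :;}; echo probe"}
    clean, dropped = scrub_cgi_env(cgi_env_from_headers(headers))
    print("dropped before CGI launch:", dropped)
    print("environment passed to child:", clean)
    for number, field in scan_access_log(SAMPLE_LOG):
        print(f"log line {number}: suspicious field {field!r}")
```

Scrubbing the environment is a stopgap for the interval before the patched Bash package is installed; the durable fixes are the vendor patch and, as the article says, not routing request data through a shell at all.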

Finally, it is essential to download the available patches. The Bash developers have patched versions 3.0 to 4.3. As for distributions, Red Hat and Debian offer patches in the form of packages. The other vendors concerned are expected to follow suit.