Red Hat uncovers UNIX-based shell bug, ‘worse than Heartbleed’
Shellshock gives access to wide variety of attacks through simple cut and paste
A Red Hat security team has uncovered a flaw in UNIX-style command interpreter tool Bash, which, according to analysts, could prove as deadly as Heartbleed.
Bash is one of the most widely used tools in the Linux install base, and many applications run the shell in the background. According to Red Hat's security blog, Bash can be used to "provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)".
When the Bash shell is invoked it can be initialised with environment variables that can contain code. This leaves the host system open to a number of attacks, run through code that can simply be pasted in. The Bash bug is also going by the name "Shellshock".
"Red Hat has issued security advisories that fix this issue for Red Hat Enterprise Linux," the company said on its security blog. "Fedora has also shipped packages that fixes this issue."
Robert David Graham of Errata Security and Dan Guido, chief executive of Trail of Bits, compared Shellshock to the infamous Heartbleed, which affected a specific version of the open-source implementation of SSL.
Rapid7 engineer Tod Beardsley, said the Bash flaw was rated "10", the highest possible level of severity. It was also given a low complexity rating, because malicious commands could be pasted into the shell programme.
"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Reuters quoted Beardsley as saying. "Anybody with systems using Bash needs to deploy the patch immediately."
According to Reuters, the US Department of Homeland Security's US Computer Emergency Readiness Team (US-CERT) said the flaw affected UNIX-based systems, including Linux and Mac OS X. The team also advised users to apply available patches as soon as possible.