Bash flaw threatens hundreds of millions of servers

Systems admins are being warned of a decades-old bug that means hundreds of millions of systems - ranging from Unix/Linux web servers to possibly Apple devices and WiFi routers - can be easily hijacked.

Bash flaw threatens hundreds of millions of servers
Bash flaw threatens hundreds of millions of servers

The ‘Bash' or ‘Shellshock' flaw (CVE-2014-6271) is being described as potentially bigger than Heartbleed and much easier to exploit.

Manufacturers are rushing out patches and issuing advice to users – outlined below.

The flaw is in the free, open-source Bash (Bourne Again Shell) command shell which has been used in most Unix, Linux and related systems for at least 20 years since the 1980s.

The bug enables hackers to exploit the ‘environmental variables' within the shell to hijack another computer or server and run their own code remotely, if the default option of remote login is allowed.

The vulnerability is reported to be present in Bash version 1.13 up to and including version 4.3, and was discovered by Stephane Chazelas.

It affects hundreds of millions of web servers. According to latest Netcraft figures, around 35 percent of the worlds' billion-plus websites are run on Apache/Unix servers - putting more than 300 million sites at risk from the flaw.

But as well as Linux and related web servers, the flaw affects numerous other systems, according to UK cyber expert Alan Woodward, a visiting professor at Surrey University's Computing Department.

Woodward said Apple “use quite an old version of Bash” and advises Mac users to disable remote login until Apple release a Bash fix, “a simple suggestion to try to ward off any attempts to remotely login using the Bash flaw onto individuals Macs”.

He told SCMagazineUK.com that Bash is in “many embedded systems such as WiFi routers. Hence it means the problem is even more widespread than just web servers. The real issue here is that these types of devices are difficult to update.”

The US-CERT cyber emergency response team agrees the flaw affects Unix-based operating systems such as Linux and Apple Mac OS X devices.

Woodward said the flaw is potentially bigger than SSL/Heartbleed and much easier to exploit.

He told SC: “Even if it's only a fraction of Apache websites, and remote logins are managed properly, it is looking like it is more widespread than Heartbleed. Worryingly it is rather more serious than Heartbleed in that it doesn't take as much skill to exploit it.”

Darien Kindlund, director of threat research at security firm FireEye, agreed about the scale of the threat.

He told journalists by email: “This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic.

“Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages. Specifically, this issue affects web servers using GNU Bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet.”

In a 24 September blog post RedHat says: “Bash is perhaps one of the most installed utilities on any Linux system.”

Woodward said the lessons from this flaw are the same as with SSL/Heartbleed.

He commented: “This throws into stark relief several issues that the Heartbleed bug raised about the use of open source software - limited numbers of people maintaining software and the fact that it's not always that well-reviewed.

Page 1 of 2