Bash Vulnerability

A new security vulnerability known as the GNU Bash or Shellshock bug could be make a major disaster to systems and Web hosts and even Internet-connected devices.

In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable “just on port 80″—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion webpages that at least partially fit the profile for the Shellshock exploit.

Ars Technica reports that the vulnerability could affect Unix and Linux devices, as well as hardware running Max OS X. According to Ars, a test on Mac OS X Mavericks (version 10.9.4) showed that it has “a vulnerable version of Bash”.

Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score:10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Robert Graham Blog
http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html#.VCU49hb3QdQ

RED HAT Post
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

GitHub Post

Ars Technica Post
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

NSD
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported-in-the-wild/
http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

Advertisements

Posted on September 26, 2014, in General, LInux Based. Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: