Currently known as ‘Shellshock’ or ‘the bash bug,’ the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) affects almost all Linux, UNIX, and Mac OS X operating systems (which are based on UNIX).
Administrators are being urged to patch immediately as the bug is wide-spread, extremely serious, and attacks exploiting it are easy to implement.
There is no effect on SSL Certificates and Shellshock does not require any action related to certificate management.
What Is Bash and What Does the Bug Do?
Bash is a command-line shell used in many Linux and UNIX operating systems. In it’s most basic form it allows users to type commands into a text-based window that the operating system will then run. While Bash is often thought of as simply a local shell, it is arguably one of the most installed utilities in any Linux system.
Many applications invoke bash to run external commands, like CGI scripts—and this is where Shellshock comes in. As an example, an attacker could provide malicious input in the HTTP request headers to a CGI script on an Apache server. The Apache server will put the malicious request header into an environment variable (such as HTTP_USER_AGENT) and then execute the requested CGI script. When Bash is invoked by the Apache system call, the Shellshock bug would cause Bash to execute any commands in the malicious environment variable that Apache had set to prepare the CGI environment.
How Bad Is It?
The National Vulnerability Database rated the bug a 10 out of 10 for severity, impact, and exploitability and low for access complexity—meaning it’s pretty easy for attackers to exploit it. Others are saying that Shellshock is ‘the next Heartbleed.’
For those whose system configurations are vulnerable to the Bash bug, the potential havoc that could be wreaked by an attacker is extremely serious. However, specific conditions need to be in place for a system to be vulnerable to this bug. As mentioned, systems utilizing CGI scripts are vulnerable to remote command execution. Some OpenSSH configurations and some DHCP clients are also affected.
What Should I Do?
Though only some configurations are vulnerable to the bug, the extent to which this vulnerability could be exploited is not fully known. We recommend patching any systems that use Bash as soon as patches are available.
Most of the major Linux vendors have already issued packaged patches. All system administrators should patch systems using Bash as quickly as possible.
As of today Mac OS X has not yet released a patch.
Is DigiCert Affected by Shellshock?
We heard about the bug early in the morning on September 24, but our CA servers are unaffected by the bug. We have verified that we don’t use any exploitable configurations in our web environment and will continue to carefully monitor our systems as always.
We have also verified that none of our systems are exploitable with the new CVE-2014-7169 bug. Though no proven patches exist yet we will continue to monitor the situation.