Mitigate your Shell Shock risks in environments using bash

Already being compared to last year’s Heartbleed bug, “Shell Shock” has many across the internet lighting up Linux user forums with tests and comments.

Shell Shock is a vulnerability in the bash shell terminal that can execute code after a function is called out, and only post-authorization via SSH. That said, CGI scripting may allow certain other attack vectors, and the entire internet is a system of servers that in most cases use bash.

Mac uses it, Linux uses it, Solaris uses it, BSD uses it.

Now, essentially, the likelihood of worms being developed that can bypass authorization via SSH is fairly high, and the likelihood of more people being duped into allowing privilege escalation is also high.

But this isn’t really as big as it sounds, or it wouldn’t be if there weren’t so many people trying to suggest ways of using the exploit.

I read an article the other day about how to change the root passwords in a Red Hat environment, and thought to myself, “Well, that was a stupid thing to announce.”

In all probability, bash itself will be patched and fixed in a matter of days or weeks; the kernel updates will erase the potential exploit, and we’ll all just breathe easier as usual.

In the meantime, turn off remote desktop sharing, turn off SSH, turn on your firewalls, and if you aren’t using the servers on your system, turn those off as well.

There are security programs that can mitigate your risks in Linux and Solaris environments (BSD people already know these): namely Tiger to test for vulnerabilities locally and Samhain to detect any incursions or, failing that, Snort or Suricata. Use a security-enhanced kernel if need be.

Mac users should come and ask questions at Linux forums for technical details regarding how to mitigate their risks.

As for programs that use CGI scripting, use a better password system if possible to lock those down. Remember, the exploits only work post-authorization, so at a minimum make authorizing menial tasks take higher permissions.

I’ve written two books now about these kinds of scenarios, and you can find more details about security enhancing Linux, Mac, Solaris, etc. here. While this particular bug may be a new discovery, it certainly does help to know what steps to take to improve security throughout your systems and infrastructures.

Special thanks to Troy Hunt for posting his article containing this test snippet:

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

Which, when executed in bash, should read busted if your bash environment is at risk. Be aware, though, that simply running this in a terminal tells you nothing (well, it will echo “stuff”), but that isn’t the goal. The goal is to test it via bash itself and see if the system is at risk. Read more about that here.
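The snippet above calls /bin/sh, which is bash on some systems and a different shell on others. As an added example (not from the original post or the article it credits), the script below hands the same crafted variable to each sh and bash binary directly and reports a result per binary; the function names, the MARKER variable and the list of extra paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example: apply the page's environment-variable probe to each shell binary.
# MARKER and all function names are this example's own choices.
MARKER=busted

# probe_shell PATH -> prints "vulnerable", "ok" or "missing"
probe_shell() {
    shell=$1
    if [ ! -x "$shell" ]; then echo missing; return 0; fi
    # X looks like an exported function definition with a trailing command.
    # An affected bash runs that trailing command while importing its
    # environment, before it gets to the harmless -c argument.
    out=$(env X="() { :;} ; echo $MARKER" "$shell" -c 'echo stuff' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo ok ;;
    esac
}

# list_shells: sh/bash entries from /etc/shells plus common install paths
list_shells() {
    {
        if [ -r /etc/shells ]; then grep -E '^/.*/(ba)?sh$' /etc/shells || true; fi
        printf '%s\n' /bin/sh /bin/bash /usr/bin/bash /usr/local/bin/bash
    } | sort -u
}

# scan_shells: one result line per installed shell; returns 1 if any is vulnerable
scan_shells() {
    rc=0
    for s in $(list_shells); do
        r=$(probe_shell "$s")
        if [ "$r" = missing ]; then continue; fi
        printf '%-24s %s\n' "$s" "$r"
        if [ "$r" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# Run the scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then scan_shells; fi
```

Run it with `--scan` after patching as well: a non-zero exit status means at least one installed binary still printed the marker.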

Linux will be just fine!



272 thoughts on “Mitigate your Shell Shock risks in environments using bash”

  1. Great write-up, I am regular visitor of one’s blog, maintain up the excellent operate, and It is going to be a regular visitor for a lengthy time.

  2. Very interesting topic , thanks for putting up. “Time flies like an arrow. Fruit flies like a banana.” by Lisa Grossman.

  3. Enjoyed looking at this, very good stuff, thanks . “To be positive To be mistaken at the top of one’s voice.” by Ambrose Bierce.

  4. I loved as much as you’ll receive carried out right here. The sketch is attractive, your authored subject matter stylish. nonetheless, you command get got an impatience over that you wish be delivering the following. unwell unquestionably come further formerly again as exactly the same nearly a lot often inside case you shield this increase.

  5. Excellent read, I just passed this onto a colleague who was doing some research on that. And he just bought me lunch since I found it for him smile Thus let me rephrase that: Thanks for lunch!

  6. Thank you, I’ve just been searching for info approximately this topic for ages and yours is the best I’ve came upon till now. But, what about the bottom line? Are you certain concerning the source?

  7. Excellent post. I surely love your site. Thanks!

  8. I don’t even know how I ended up here, but I thought this post was good. I don’t know who you are but definitely you are going to a famous blogger if you are not already ;) Cheers!

  9. I thank you so much for your time in writing this article.

  10. You actually make it seem so easy with your presentation but I find this matter to be actually something which I think I would never understand. It seems too complicated and extremely broad for me. I’m looking forward for your next post, I’ll try to get the hang of it!

  11. Hello There. I found your blog using msn. This is an extremely well written article. I’ll make sure to bookmark it and come back to read more of your useful information. Thanks for the post. I’ll certainly comeback.

  12. You actually make it seem so easy with your presentation but I to find this topic to be really one thing that I feel I would never understand. It sort of feels too complicated and extremely large for me. I’m taking a look ahead to your next post, I will attempt to get the grasp of it!

  13. I appreciate so much for your great effort in writing this blogpost.

  14. Terrific work! That is the kind of info that should be shared across the web. Disgrace on the search engines for not positioning this put up upper! Come on over and consult with my web site . Thank you =)

  15. I do trust all the ideas you have presented to your post. They’re really convincing and will definitely work. Nonetheless, the posts are too quick for beginners. Could you please prolong them a bit from subsequent time? Thank you for the post.

  16. F*ckin’ awesome things here. I am very glad to peer your article. Thanks so much and i am looking forward to touch you. Will you please drop me a mail?

  17. I’ll right away grasp your rss as I can’t to find your email subscription hyperlink or newsletter service. Do you’ve any? Kindly permit me know in order that I may subscribe. Thanks.
