Bash Bug May Be Worse Than Heartbleed

Though only disclosed this morning, proof-of-concept exploits are already available for a critical remote code execution vulnerability security experts say is more widespread than Heartbleed.

CVE-2014-6271, a vulnerability in the command shell Bash, affects many Linux- and UNIX-based systems. Although no exploits have yet been seen in the wild, the pervasiveness and ease of exploit have earned it a CVSS score of 10.

The bug makes remote code execution possible, even though Bash itself does not handle data from remote users. As Jim Reavis of Cloud Security Alliance wrote today:

Bash is a local shell, it doesn’t handle data supplied from remote users, sono big deal right? Wrong.

A large number of programs on Linux and other UNIX systems use Bash to setup environmental variables which are then used while executing other programs...

In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example.

Like Heartbleed, the bug may affect a broad swath of systems -- including Apache servers, web servers running CGI scripts, and embedded systems in everything from control systems to medical devices to digital cameras.

Also like Heartbleed, patching every system that uses Bash is going to be difficult. As Robert Graham of Errata Security wrote:

...while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Rapid7 representatives say that they are working on a Metasploit module to exploit the bug; they expect a first version to be available later today.

Meanwhile, Huzaifa Sidhpurwala of Red Hat released a very simple proof-of-concept exploit of this vulnerability that only requires one line of code.

Dave Kennedy, CEO of TrustSec, says that the proof-of-concept is very simple and would blend in with normal activity more smoothly than most malware.

"You should see it in your logs, if you're looking for it," says Kennedy, "but that's about it."

The good news is that patches are already available. Reavis doubts that the patch would cause any performance problems for the applications that use Bash, but some administrators might decide to put up a web application firewall first, then patch when they can.

Kennedy does not believe that the bug is as bad as Heartbleed "yet," but nevertheless he advises you put aside your usual patch testing processes and simply "patch right now."