The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has issued a warning about a vulnerability affecting Unix-based operating systems.
The vulnerability, dubbed Shellshock and tracked as CVE-2014-6271, was discovered in the Bourne-Again Shell, also known as Bash. Bash is a popular Linux and Unix shell, and according to security researchers, the newly revealed bug could pose a bigger threat than the dreaded Heartbleed bug that surfaced in April.
“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed,” wrote Robert Graham, owner of Errata Security, on his company’s blog.
The problem is that Bash is the default shell on Mac OS X and most Linux distributions, which means it also sits behind many Web servers, for example as the interpreter for CGI scripts or as the /bin/sh that applications spawn to run other programs. The vulnerability lies in how Bash processes environment variables: when a new Bash starts, it imports function definitions stored in environment variables, and a vulnerable Bash also executes any commands appended after the function body. An attacker who can control the contents of an environment variable, such as an HTTP header that a Web server copies into the environment of a CGI script, can therefore run arbitrary commands the moment the shell starts.
Recommendations for addressing the bug include replacing Bash with an alternate shell, limiting access to vulnerable services, and filtering inputs to vulnerable services, according to Akamai Technologies.
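The two preceding paragraphs describe the mechanism (a function definition in an environment variable with trailing commands) and Akamai's advice to filter inputs to vulnerable services. The script below is an added example, not code from the article, US-CERT, Akamai or the Bash project: it runs the canonical public probe against whatever bash is on PATH, and then applies a simple header filter of the kind Akamai's advice refers to. The function names and the sample header values are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the article). Function names and sample headers are
# this example's own.

# Probe the bash on PATH the way the original public test did: export an
# environment variable whose value is a function definition followed by a
# trailing command. An unpatched bash runs the trailing command while it
# imports the function, before "echo test" ever executes.
# Returns 0 if vulnerable, 1 if patched, 2 if no bash is installed.
bash_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Web servers pass request headers (User-Agent, Referer, Cookie, ...) to CGI
# programs as environment variables, which is how the bug reaches a server.
# Bash recognised an exported function by the exact four-byte prefix "() {",
# so a filter can flag any header value that starts with it. This is a
# stopgap until bash is patched, not a replacement for the patch.
# Returns 0 when the value looks like a Shellshock payload, 1 otherwise.
looks_like_shellshock() {
    case "$1" in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Walk the CGI-style values a server would hand to a script and reject the
# request if any of them carries the function-definition prefix.
# Returns 0 when the request is clean, 1 when it should be rejected.
screen_cgi_request() {
    for v in "$@"; do
        if looks_like_shellshock "$v"; then
            return 1
        fi
    done
    return 0
}

# Constructed sample header values, as a CGI program would see them.
SAMPLE_UA='() { :;}; /usr/bin/id'
SAMPLE_REFERER='https://example.com/'

rc=0
bash_is_vulnerable || rc=$?
case $rc in
    0) echo "bash on PATH is VULNERABLE to Shellshock; patch it" ;;
    1) echo "bash on PATH is patched" ;;
    *) echo "no bash found on PATH" ;;
esac

if screen_cgi_request "$SAMPLE_UA" "$SAMPLE_REFERER"; then
    echo "sample request: clean"
else
    echo "sample request: rejected (function-definition prefix in a header)"
fi
```

The probe discards stderr because a patched bash may print a warning about the ignored function definition; only the presence of "vulnerable" on stdout matters. The filter is deliberately narrow (the literal prefix bash tested for) so that it does not reject ordinary header values; it protects CGI-style paths only, and does nothing for the other ways an application can hand an attacker-controlled environment to a shell, which is why patching remains the fix.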
CentOS, Debian, Red Hat and Ubuntu have already provided updates to their operating systems and issued security advisories.
“This issue affects all software that uses the Bash shell and parses values of environment variables,” according to Red Hat. “This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.”