Bash bug could be bigger threat than Heartbleed

A bug in the Bash command prompt software used by many Unix computers could be a greater threat than Heartbleed.

A bug in the Bash software used to control the command prompt in many Unix computers could be a bigger threat than the Heartbleed OpenSSL bug, security experts have warned.

They have urged any organisation running Unix-based computers to install the security update immediately.

Hackers could exploit the flaw in Bash (Bourne Again Shell) to take complete control of a targeted system, prompting the UK Computer Emergency Response Team (CERT-UK) to issue an alert.

According to the alert, the Bash bug affects Unix-based operating systems, including Linux. However, CERT-UK said it is not yet clear whether other Unix-based systems, such as Apple’s Mac OS X, Google’s Android and other embedded systems in internet of things (IoT) devices, are affected.

To test if a system is vulnerable, CERT-UK said users can enter the command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
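The following script wraps the CERT-UK test above into a repeatable check that an administrator can run across many hosts. It is an added example, not part of the article or CERT-UK's guidance. It assumes a bash binary is on the PATH (or is passed as the first argument) and classifies the result purely on whether the injected "vulnerable" string appears in the captured output, which is exactly the distinction the two outputs above show; a warning-free "this is a test" from a fully patched bash is also reported as patched.

```shell
#!/bin/sh
# Added example (not from the article): run the CERT-UK Shellshock probe and
# turn its output into a clear verdict and exit status.
# Assumptions (mine): 'bash' is on PATH unless a path is given as $1.

# classify_output: given the captured stdout+stderr of the probe,
# print "vulnerable" if the injected echo ran, otherwise "patched".
classify_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# run_test: execute the CERT-UK probe against the given bash binary and
# return its combined stdout and stderr (the warnings go to stderr).
run_test() {
    bash_bin="${1:-bash}"
    env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1
}

# check_shellshock: print "<binary>: <verdict>" and return
#   0 if patched, 1 if vulnerable, 2 if the bash binary cannot be found.
check_shellshock() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out="$(run_test "$bash_bin")"
    verdict="$(classify_output "$out")"
    echo "$bash_bin: $verdict"
    [ "$verdict" = "patched" ]
}

# Usage: ./check_shellshock.sh [/path/to/bash]
check_shellshock "$1" || echo "exit status: $?"
```

Because the verdict is also the exit status, the script can be driven from a fleet management tool or a cron job and the non-zero results collected as a patch-priority list.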

Security experts say the bug is easier to exploit and is a greater threat than the Heartbleed bug that only allowed attackers to spy on computers, not to take complete control.

This means anyone exploiting the bug could access and potentially manipulate sensitive information on targeted Unix-based machines.

This is of particular concern for enterprises, because a large proportion of enterprise servers are Unix-based.

The US-CERT said a GNU Bash patch is available for experienced users and administrators. Other users are advised to get the necessary security update from software makers such as RedHat.

Updates are also available for CentOS, Debian and Ubuntu, but Apple has yet to make an announcement about an update for OS X. However, a Stack Exchange post describes how Mac users can check for the vulnerability and patch it if necessary.

Security experts have urged companies to seek and patch all vulnerable computers, but have warned that this could take some time for large organisations.

Businesses still reeling from Heartbleed OpenSSL bug

Some organisations have struggled to install security updates for all their systems affected by the Heartbleed bug discovered in April 2014.

The flaw in some versions of the open-source encryption software OpenSSL put the data of millions of organisations at risk.

At the time the bug was discovered, affected versions of OpenSSL were believed to have been in use by about two-thirds of all websites.

The discovery of the bug also forced technology companies to issue security patches for hundreds of mainly networking products that use OpenSSL.

Like Heartbleed, the Bash bug affects millions of computers because the bug existed long before it was made public and the Bash software is installed on most Unix-based computers.

Some security experts have warned that devices connected to the internet of things could be at high risk, because their software commonly uses Bash scripts and is unlikely to be patched.

According to Alan Woodward of the University of Surrey, the Bash bug may represent a much greater threat than Heartbleed.

“What many do not realise is that over 50% of active websites run on a web server called Apache which runs on Unix, and hence is potentially vulnerable.

“As we have just passed the point where there are one billion active websites – that means in excess of 500 million sites could be vulnerable to this security flaw, compared with only 500,000 for the Heartbleed bug,” he said.

Woodward said although software producers are rushing out patches for the main Unix systems affected, this assumes that their owners know about the problem and apply the fix. 

“It also does not reach the many other systems and devices that are potentially affected where Linux runs in the background, nearly always unknown to the owner, such as home Wi-Fi routers,” he said.

If these devices are included, Woodward said the number of potentially vulnerable systems is enormous.
