A critical security vulnerability, dubbed 'Shellshock', in one of the most widely used programs, Bash (Bourne Again Shell), could topple the recent Heartbleed vulnerability as the most severe issue to affect the Internet.
What is Bash?
Bash is a program that is present on millions of devices, and all it does is provide a method for users or other programs to interact with them.
It provides what is known as a shell, which allows users of a device, or programs running on it, to issue commands to the operating system and receive responses.
If you are a Windows user, PowerShell or the Command Prompt serves the same purpose. For the OS X users out there, OS X uses Bash, and you can access it yourself via the 'Terminal' application.
How Serious is Shellshock?
Various security companies, along with US-CERT, have labelled Shellshock as the most severe vulnerability to affect devices. US-CERT has given it a score of 10.0.
Simply put, it allows an attacker to execute commands on a vulnerable device by modifying the contents of so-called Environment Variables.
What is an Environment Variable?
An environment variable is a way of storing information that can be accessed by other programs on a system. A typical example of an environment variable you may find on your computer is the PATH variable.
The PATH variable stores a list of directories where your system can find programs/commands to execute - it saves you from having to remember where they are every time you want to use them.
What makes Shellshock so deadly is that there are lots of ways for you to modify environment variables, including via other programs such as a web server.
This means that a system vulnerable to Shellshock could be compromised pretty easily if an attacker placed some code to set or change environment variables in a form on your website, and the server processed the instruction.
How Does Shellshock Work?
In a nutshell, Shellshock is a flaw in how Bash processes environment variables. It exists because, when an environment variable contains a function definition, Bash also runs any command that follows the end of that definition.
Simply put, in order to exploit a device vulnerable to Shellshock, an attacker would set an environment variable similar to this:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
The first part of this command says that we are defining an environment variable called 'x', which contains an empty function and an 'echo' instruction that prints the word vulnerable to the prompt. We then execute another instance of Bash and tell it to echo 'this is a test'.
If this is run on a device vulnerable to Shellshock, you will get the following output:
vulnerable
this is a test
This is because Bash allows users to not only export individual values to environment variables, but also entire functions. However, it should be ignoring the echo instruction that comes after the function definition - it isn't.
This makes it possible for an attacker to trick Bash into executing arbitrary commands by simply overriding existing environment variables that are set or used by web applications, and do so without any authentication checks.
This could enable them to compromise other machines, or extract sensitive data from the affected device.
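An added example, not part of the original article: because the test string above has to begin with the function-definition marker `() {`, a defender can search web server logs for that marker. The log lines, their combined-log layout and the helper names `sample_log`, `scan_shellshock` and `count_hits` are constructed for illustration, and the script assumes the server logs request header fields such as User-Agent and Referer.

```shell
#!/usr/bin/env bash
# Added example: flag access-log lines that carry the Bash function-definition
# marker "() {" anywhere in a logged request field.

# Constructed sample log lines (documentation IP addresses, made-up paths).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
192.0.2.44 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() {  :; } ; echo vulnerable" "Mozilla/5.0"
192.0.2.77 - - [25/Sep/2014:10:02:00 +0000] "GET /docs/func() HTTP/1.1" 404 0 "-" "curl/7.38"
EOF
}

# Read log lines on stdin and print "<line number>: <client address>" for each
# line where "()" is followed by optional blanks and an opening brace.
# A bare "()" in a URL (last sample line) does not match.
scan_shellshock() {
  awk '/\(\)[ \t]*[{]/ { print NR ": " $1 }'
}

# Number of suspicious lines on stdin.
count_hits() {
  scan_shellshock | wc -l | tr -d ' '
}

# Run the scan over the constructed sample.
sample_log | scan_shellshock
```

To scan a real log, pipe the file into `scan_shellshock` instead of `sample_log`; a hit shows that someone sent the marker, not that the server was vulnerable.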
What Should I Do?
If you use either Linux or Mac OS X, there should be updates to address this vulnerability available already (although there are reports that the fix released by the Bash developers is incomplete, and therefore may still leave your system vulnerable under certain circumstances).
It is also worth noting that Bash is included in many consumer electronics devices (broadband routers, TVs, Blu-ray players, etc.), and therefore security experts, including us, are urging consumers to check with device manufacturers for updates.
If you run your own Linux-based servers, or host websites on servers provided by hosting companies, we advise that you check for and install any updates immediately. If in doubt, contact your hosting provider and seek their advice.