A bug discovered in the Bash shell, a command-line interface used by Linux and Unix, could leave web servers, systems and embedded devices such as routers vulnerable to cyber-attacks. Cyber-criminals are getting ready to launch multiple attacks, and Bitdefender warns users and sys admins to treat the vulnerability with caution.
Although code allowing the exploitation of Bash-using CGI scripts is already available on Pastebin, hackers have to work hard to find exploitable scripts, Bitdefender specialists said.
“The impact might be severe, but this is rather a ‘mini-Heartbleed,’ as exploitation is possible in certain scenarios only on Linux and Unix systems,” Bitdefender Senior E-Threat Specialist Bogdan Botezatu said.
“Hackers should first dig for vulnerable CGI scripts calling #!/bin/bash on the targeted server to be able to pass environment variables whereas, in Heartbleed’s case, they interacted more easily with the server. Network-based exploitation is also possible, but it is limited to specific scenarios.”
The CVE-2014-6271 Remote Code Execution through Bash was discovered on September 24 by Unix/Linux and Telecom Specialist Stephane Chazelas and is related to how environment variables are processed.
“Trailing code in function definitions was executed, independent of the variable name,” the flaw’s description on SecLists reads. “In many common configurations, this vulnerability is exploitable over the network.”
The National Institute of Standards and Technology rated the flaw 10 out of 10 in terms of severity. Exploits of the Bash flaw allow unauthorized disclosure of information, unauthorized modifications and even the disruption of services, according to NIST.
The vulnerability affects Bash versions starting with the 4.3 release, and also affects Apache web servers, as Bash-based CGI scripts can be attacked through remote code injection.
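For defenders reviewing web server logs, the sketch below flags requests whose logged header fields carry a Bash function definition, the pattern the flaw description refers to. It is an added example, not Bitdefender's tooling; it assumes Apache's "combined" log format, and the sample lines, IP addresses and marker string are constructed.

```python
import re

# Quoted fields of an Apache "combined" log line: request, Referer, User-Agent.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Start of a Bash function definition; spacing between the tokens can vary.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
FIELD_NAMES = ("request", "referer", "user-agent")


def suspicious_fields(line):
    """Return the names of quoted fields that contain a function definition."""
    fields = QUOTED.findall(line)
    return [name for name, value in zip(FIELD_NAMES, fields)
            if FUNC_DEF.search(value)]


def scan(lines):
    """Return (line_number, client_ip, field_names) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        names = suspicious_fields(line)
        if names:
            hits.append((number, line.split(" ", 1)[0], names))
    return hits


# Constructed sample log lines (documentation IP ranges, harmless marker text).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 64 "-" "() { :; }; echo constructed-marker"',
    '203.0.113.4 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 64 "() { x;};echo constructed-marker" "curl/7.30"',
    # Benign request containing "()" but no function body: must not be flagged.
    '192.0.2.11 - - [25/Sep/2014:10:00:12 +0000] "GET /search?q=f() HTTP/1.1" '
    '200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, ip, names in scan(SAMPLE):
        print(f"line {number}: {ip} sent a function definition in {', '.join(names)}")
```

The combined format records only the request line, Referer and User-Agent, so a function definition sent in any other header will not appear in these logs; a clean scan does not show that a server was not probed.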
GNU Bash Upstream Maintainer Chet Ramey will allegedly release official upstream patches.
At the beginning of the year, another damaging flaw was discovered with the OpenSSL libraries. The Heartbleed vulnerability allowed attackers to enter even a secure site to steal sensitive information.