Security researchers have discovered and patched a 22-year-old bug in the bash shell, the ubiquitous Linux and Unix command-line interpreter.
The vulnerability dates back to bash version 1.13 and extends all the way to the most recent version 4.3. It lies in the way bash handles environment variables. Attackers can tack extra code onto a function definition stored in one of these variables, and when bash is invoked it wrongly interprets that trailing code as commands and executes it.
Since bash is the default shell for many Linux and Unix systems, you can imagine the havoc hackers could wreak with the “Shellshock bug.” Since this bug could allow malicious types to remotely execute code, it could theoretically let a hacker seize control of a server from afar.
However, much in the same way that we can’t tell if anybody exploited the Heartbleed bug, it’s too soon to tell if anybody has taken advantage of Shellshock. Update: security researcher Yinette has just found evidence of the first attacks made using the bug.
However, now that there’s a patch for Bash up to its latest version 4.3, they won’t be able to—at least on patched systems.
Do you need to patch your version of Bash? Red Hat published a test you can run. To check your system, type the following at the command line:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output includes the word “vulnerable” before “this is a test,” your system is vulnerable.
If it returns this instead, though, you’re all set:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
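The check above asks bash itself whether it will run the trailing code. As an added example (not from the article or from Red Hat), the Python below applies the same idea from the other side: it scans a set of environment variables for values that look like a bash function definition with extra commands appended after the closing brace, which is exactly the shape the article describes. The sample environment is constructed, and the brace matching is a heuristic that ignores quoting.

```python
import os
import re

# A bash exported-function value starts with "() {" (whitespace optional).
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def trailing_payload(value):
    """Return whatever follows the function body's closing brace.

    Returns None when the value is not a function definition, or when the
    braces never balance (bash would reject such a value anyway). Returns
    "" for a clean definition and the appended text for a suspicious one.
    Heuristic: braces inside quotes are not special-cased.
    """
    m = FUNC_PREFIX.match(value)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(value)):
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
    return None


def suspicious_env_vars(env):
    """Names of variables carrying a function definition plus trailing code."""
    return sorted(name for name, value in env.items() if trailing_payload(value))


# Constructed sample environment for demonstration.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "myfn": "() { echo hi; }",            # legitimate exported function
    "x": "() { :;}; echo vulnerable",     # the Red Hat test string
    "y": "() { { :; }; }",                # nested braces, nothing appended
}

if __name__ == "__main__":
    print("sample:", suspicious_env_vars(SAMPLE_ENV))
    # Also scan the environment this process actually inherited.
    print("current process:", suspicious_env_vars(dict(os.environ)))
```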