A remotely exploitable vulnerability in Linux has been found and it could be really nasty for those who depend on the operating system.
Stephane Chazelas, who found the vulnerability, has named it CVE-2014-6271, but has been dubbed Shellshock by those who like their viruses to be a little more like a Marvell super-villain.
The flaw is in Bash, which supports exporting shell variables as well as shell functions to other bash instances. It has been a feature of Linux for a long time.
Web applications like cgi-scripts may be vulnerable especially if calling other applications through a shell, or evaluating sections of code through a shell.
The problem is fixed by upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services.
However it could be a while before word gets out that bash is vulnerable and a lot of Linux systems are vulnerable.
Security experts say that this vulnerability is very bad and it will be a race to get systems upgraded before someone has a working exploit.
Tod Beardsley, engineering manager from Rapid7, said it was difficult to write a “bash bug” exploit, but not impossible.
“It’s quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example — routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed,” he said.
