
Linux, OS X Users May Be Vulnerable to Bash Flaw Exploit

Bianca STANESCU

September 25, 2014


A bug in Bash, the GNU command-line shell shipped with most Linux and Unix systems, including OS X, could leave web servers, workstations and embedded devices such as routers open to attack. Cyber-criminals are preparing to exploit it at scale, and Bitdefender warns users and sys admins to treat the vulnerability with caution.

Although exploit code targeting Bash-based CGI scripts is already available on Pastebin, attackers still have to do the work of finding exploitable scripts on a given server, Bitdefender specialists said.

“The impact might be severe, but this is rather a ‘mini-Heartbleed,’ as exploitation is possible in certain scenarios only on Linux and Unix systems,” Bitdefender Senior E-Threat Specialist Bogdan Botezatu said.

“Hackers should first dig for vulnerable CGI scripts calling #!/bin/bash on the targeted server to be capable of passing environment variables, whereas, in Heartbleed’s case, they interacted more easily with the server. Network-based exploitation is also possible, but it is limited to specific scenarios.”

The flaw, tracked as CVE-2014-6271 (remote code execution through Bash), was found by Unix/Linux and telecom specialist Stephane Chazelas and publicly disclosed on September 24. It stems from the way Bash processes function definitions passed to it through environment variables.

“Trailing code in function definitions was executed, independent of the variable name,” the flaw’s description on SecLists reads. “In many common configurations, this vulnerability is exploitable over the network.”
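As an added example (not code from the Bitdefender article, from Bash or from Chet Ramey's patches), the script below shows the two halves of the problem described above: a local check that asks bash to import a variable whose value looks like a function definition with trailing code, and a constructed stand-in for a CGI gateway that copies an attacker-controlled User-Agent header into HTTP_USER_AGENT before executing a #!/bin/bash handler. The function names, the handler body and the payload string are assumptions made for the example.

```shell
#!/bin/sh
# Added example: reproduces the CVE-2014-6271 check and the CGI path that
# turns an HTTP request header into an exported variable handed to bash.

# Ask the local bash to import a variable that looks like a function
# definition followed by trailing code. A vulnerable bash executes the
# trailing "echo VULNERABLE" while importing the environment; a patched
# bash treats the value as plain data and only runs the -c body.
# Prints "vulnerable", "patched", or "no-bash" (bash not installed).
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo body' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Hypothetical stand-in for what a web server's CGI module does: the
# request's User-Agent header is exported verbatim as HTTP_USER_AGENT and
# the CGI script is executed. The handler here is a minimal bash script
# that just prints a text/plain response.
cgi_gateway() {
    user_agent=$1
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    HTTP_USER_AGENT="$user_agent" \
        bash -c 'printf "Content-Type: text/plain\n\nhello\n"' 2>/dev/null
}

# A header value shaped like an exported function definition. Against a
# vulnerable bash the "echo PWNED" runs before the handler's own code, with
# the web server's privileges. Constructed payload, not captured traffic.
hostile_ua='() { :;}; echo PWNED'

main() {
    echo "local bash: $(check_shellshock)"
    echo "--- CGI response for hostile User-Agent ---"
    cgi_gateway "$hostile_ua"
}

main
```

On a patched system the CGI response contains only the handler's own output; the payload in the header is inert because bash no longer parses trailing code when importing the variable. The same check, run on the real web server with a real `/cgi-bin/` script, is what both attackers and defenders are doing this week.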

The National Institute of Standards and Technology’s National Vulnerability Database gave the flaw the maximum CVSS severity score of 10 out of 10. Exploits of the Bash flaw allow unauthorized disclosure of information, unauthorized modification of data and disruption of services, according to NIST.

The vulnerability affects all Bash releases up to and including 4.3. It also exposes Apache web servers, as Bash-based CGI scripts can be attacked through remote code injection: the server copies request headers into environment variables before running the script, and a vulnerable Bash executes code smuggled in through those variables.
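The Apache/CGI exposure mentioned above is also the easiest place to look for exploitation attempts. The script below is an added example, not part of the article: it scans an access log in Apache's combined format for the `() {` prologue that every CVE-2014-6271 payload must carry, over four constructed log lines (the addresses, paths and payloads are made up for the example).

```shell
#!/bin/sh
# Added example: triage filter for Shellshock attempts in a web server
# access log. All log lines, addresses and payloads are constructed.

# A function definition imported through the environment must begin with
# "()" followed by "{"; some payloads put whitespace between the two.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Write four constructed Apache combined-format lines to the file named in
# $1: two carry the prologue (one in User-Agent, one in Referer), one is
# normal traffic, one is a benign near-miss ("()" in a query string, no "{").
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 42 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.23 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 42 "() { ignored;}; echo; /bin/cat /etc/passwd" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:03:00 +0000] "GET /faq?q=what%20is%20()%20in%20C HTTP/1.1" 200 800 "-" "Mozilla/5.0"
EOF
}

# Print the number of log lines carrying the prologue ("0" when clean).
# grep -c exits 1 on zero matches, so "|| true" keeps the function's
# exit status at 0 under "set -e".
count_shellshock_hits() {
    grep -E -c "$SHELLSHOCK_RE" "$1" || true
}

# Print the offending lines so an analyst can read the payloads and see
# which CGI paths were probed.
show_shellshock_hits() {
    grep -E "$SHELLSHOCK_RE" "$1" || true
}

# Print the distinct client addresses (first field) that sent a payload.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" "$1" | cut -d' ' -f1 | sort -u
}

main() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "hits: $(count_shellshock_hits "$log")"
    show_shellshock_hits "$log"
    echo "sources:"
    shellshock_sources "$log"
    rm -f "$log"
}

main
```

The pattern deliberately ignores which header carried the payload, because any header the server exports (User-Agent, Referer, Cookie, custom headers) reaches Bash the same way; a hit is a strong signal, but whether it succeeded still has to be confirmed against the Bash version and the CGI scripts actually present on the host.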

GNU Bash upstream maintainer Chet Ramey is expected to release official upstream patches, and distributions are shipping updated Bash packages based on them.

At the beginning of the year, another damaging flaw was discovered in the OpenSSL libraries. The Heartbleed vulnerability let attackers read chunks of memory from servers running vulnerable OpenSSL versions, exposing sensitive information such as session cookies, passwords and private keys even on sites protected by TLS.
