Sikkerhedshul i Bash

Hvis man har et Linux device med Bash installeret (og hvem har ikke Bash installeret på deres Linux device?), så er det på tide at få patched den. Det sammen gælder jeres Unix servere.

Det viser sig at der er et alvorligt sikkerhedshul:

[T]he vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts, for example:

  • ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
  • Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
  • PHP scripts executed with mod_php are not affected even if they spawn subshells.
  • DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
  • Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
  • Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the enivronment variable).

Man kan læse mere om det på Redhat’s sikkerhedsblog og på zdnet.

Selv om det formodentligt kræver andre sikkerhedshuller i infrastrukturen før man kan udnytte Bash sikkerhedshullet på de fleste servere, bør man sørge for at få lukket det af med det samme, da man jo aldrig kan være sikker på at der ikke er sådanne sikkerhedshuller. Det samme gælder naturligvis for computere og andre devices med Linux som man har liggende.

Netop det faktum at der er mange devices som benytter Linux og Bash, får nogle til at mene at sikkerheds risikoen ved dette sikkerhedshul er mindst lige så stort som ved Heartbleed.

Share Button
The following two tabs change content below.
Profile photo of Kristjan Wager

Kristjan Wager

Konsulent med fokus på offentlige og finansielle kunder. Alle udsagn på denne blog står for egen regning, og min arbejdsgiver og kunder kan på ingen måde tages til indtægt for dem.

Flattr this!

Skriv et svar

Din e-mailadresse vil ikke blive publiceret. Krævede felter er markeret med *