Bash is the basic shell of UNIX, a language that is used on many platforms: from different web hosting servers to modems, toys, etc. If you are a Windows user, you need not fear ShellShock vulnerability as the chances of your being affected are near nil. But if you have been visiting websites that host themselves on UNIX servers, or use goods that employ UNIX for functioning, you may fall prey to malware or something similar that might harm you in some way. This article tries to explain Bash Vulnerability or ShellShock as it is called, in layman’s terms.
What is BASH
UNIX is basically a command-line operating system. Though there are many variations that offer GUI (Graphical User Interface), the base of such interfaces is the Command Line Interface (CLI) of UNIX. And UNIX is everywhere from web hosting servers to the “things” in the Internet Of Things. There are objects like a connected microwave that communicates in UNIX rather than using any other operating system as UNIX is easier to install and is considered safer (that is, until the Bash Vulnerability appeared).
UNIX is also a lightweight operating system and has literally hundreds of commands that it deals with, to produce proper output – whether working directly on the Command Line Interface or on a GUI that is based on the Command Line Interface.
Coming to BASH, it is an inseparable part of UNIX: It is the shell of UNIX. I mean to say that it is that part of UNIX that takes in commands and processes them to provide you with the desired output irrespective of whether that command was given directly by a user or was sent to the shell using some sort of GUI.
ShellShock or Bash Vulnerability
This section talks about exactly is the vulnerability in UNIX that has the industry feel threatened. Normally, on a command line, there are many things that happen. For example, values of different parameters are passed that are processed by the computer without checking the source of values. Each command has a command name, switches and command parameters. Like for example, in MS-DOS Type command, you have the command syntax as:
Type filename.txt /p [>textfile.txt|print]
Here, the filename.txt and textfile.txt are parameters that define which file to view or print. Or to store output into textfile.txt. Commands are similar in UNIX in a manner that they too have parameters and UNIX does not care where the parameters come from as long as the syntax is correct. The same applies to any command-line interface program and operating system.
Now, coming to the vulnerability, malicious users can pass malicious parameters to any UNIX command with an intention to exploit this weakness of the command line operating system. The malicious users can pass off devastating things as commands or as command parameters without UNIX knowing that it is about to destroy the computer it is working on.
Some experts say the values of environmental variables can also affect computers. Environmental variables are values that are used by the operating systems to perform specific tasks, much like the commands but the values here are global and not specific to a command.
Being a part of the very shell, the vulnerability is also known as Shellshock and is hard to deal with. I am not sure how the different companies using UNIX are to address this vulnerability as it is based on huge weaknesses. It will take a great deal of thinking and probably scanning each command (that might slow down systems).
ShellShock Vulnerability Scanner
Run this on-demand scanner from TrendMicro on your Linux systems to determine if the BashLite malware is resident. Scan your website to assess whether it is vulnerable to the ShellShock or the Bash vulnerability.
Patches for Bash Vulnerability
The National Vulnerability Database lists some patches that might help UNIX users to some extent, but I suppose that does not do away all the problems associated with the Bash Vulnerability. This has to be worked upon by the experts in the fields of UNIX programming and it might take some time before a proper fix is issued to patch up the vulnerability forever. Till then, computers and automated devices using UNIX will still be at risk and might pose risk to other devices and computers connected to them.
I’ll kick this off to a start. I use Linux for my home production systems. On about September 22 news was released about ShellShock. In just over 24 hours I received an update that ‘hardened’ the vulnerability. That didn’t fix the problem but sealed it from access. In several following updates different parts of the problem were fixed. As it stands now, only those Linux systems that haven’t had patches applied are at risk. Linux desktop users such as myself who watch and apply updates are out of the woods. Web servers using Linux must have the patches applied also to be safe, but there’s no way for a web surfer to know what servers have been fixed or not. All it takes is for some lax behavior from any server masters and ShellShock is just as real and active as ever. Linux is used on most modems, routers, mobile devices, smart TVs and other equipment. It’s up to the software suppliers of these units to apply any patches needed in updates for consumers. But the question here is, how much affect can ShellShock have these units? Has your modem or router or whatever been updated? How can you tell? Is it important?
Now for those on the Mac end. Mac is also a Unix base. There are very few Mac servers in active use and Apple has released some patches too. There is quite a discussion as to whether ShellShock on Mac will have much of an affect. To that, I say again, all it takes is for a surfer to visit just one unpatched Mac server.
I have to question the knowledge of anyone who says that since this is a Linux/Unix problem it won’t affect Microsoft units. If the BASH shell can be compromised on a server, any code or script can conceivably be created. Many such bits can be launched at Microsoft systems.
I’m protected on my Linux desktops through default protections on all my system files from attack and through my firewall, and since the patches there’s no possibility of anyone using the ShellShock problem on my systems. Even if I visit an unpatched server I don’t have a worry. Microsoft users, on the other hand …