Content deleted Content added
m Dating maintenance tags: {{Clarify-span}} |
Baltakatei (talk | contribs) Address {{clarify}} tag, clarify mailing list names, remove original research about Wheeler intentions. |
||
Line 18:
'''Shellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[New York Times]] |access-date=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See => {{cite web |author=Staff |title=What does the "Shellshock" bug affect? |url= http://www.thesafemac.com/what-does-the-shellshock-bug-affect/|date=25 September 2014 |work=The Safe Mac |access-date=27 September 2014 }}</ref> in the [[Unix]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web |last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ |date=29 September 2014 |work=[[ZDNet]] |access-date=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests.
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts,
The bug Chazelas discovered caused Bash to unintentionally execute commands when the commands are concatenated to the end of [[subroutine|function definitions]] stored in the values of [[environment variable]]s.<ref name="NYT-20140925-NP" /><ref name="TR-20140924">{{cite web |last=Leyden |first=John |title=Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open |url=https://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ |work=[[The Register]] |date=24 September 2014 |access-date=25 September 2014}}</ref> Within days of its publication, a variety of related vulnerabilities were discovered (''{{CVE|2014-6277|2014-6278|2014-7169|2014-7186|2014-7187|leadout=and}}''). Ramey addressed these with a series of further patches.<ref name="ITN-20140929"/><ref name="zdnet-betterbash"/>
Line 58:
The maintainer of Bash was warned about the first discovery of the bug on 2014-09-12; a fix followed soon.<ref name="NYT-20140925-NP" /> A few companies and distributors were informed before the matter was publicly disclosed on 2014-09-24 with CVE identifier {{CVE|2014-6271}}.<ref name="seclist-q3-650" /><ref name="seclist-q3-666" /> However, after the release of the patch there were subsequent reports of different, yet related vulnerabilities.<ref name="wheeler-summary">{{cite web | url=http://www.dwheeler.com/essays/shellshock.html | title=Shellshock | date=13 February 2015 | access-date=17 September 2016}}</ref>
On 26 September 2014, two open-source contributors, David A. Wheeler and Norihiro Tanaka, noted that there were additional issues, even after patching systems using the most recently available patches. In an email addressed to the oss-sec
On 27 September 2014, [[Michał Zalewski]] from [[Google Inc.]] announced his discovery of other Bash vulnerabilities,<ref name="ITN-20140929">{{cite web |last=Saarinen |first=Juha |title=Further flaws render Shellshock patch ineffective |url=http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx |date=29 September 2014 |work=iTnews |access-date=29 September 2014 }}</ref> one based upon the fact that Bash is typically compiled without [[address space layout randomization]].<ref name="HH-20140928">{{cite web |author=Staff |title=Shellshock, Part 3: Three more security problems in Bash (in german) |url=http://www.heise.de/security/meldung/ShellShock-Teil-3-Noch-drei-Sicherheitsprobleme-bei-der-Bash-2404788.html |date=28 September 2014 |work=[[Heise Online]] |access-date=28 September 2014 }}</ref> On 1 October, Zalewski released details of the final bugs and confirmed that a patch by Florian Weimer from [[Red Hat]] posted on 25 September does indeed prevent them. He has done that using a [[fuzzing]] technique with the aid of software utility known as ''[[american fuzzy lop (fuzzer)|american fuzzy lop]]''.<ref name="lcamtuf-oct-1">{{cite web | url=http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html | title=Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78) | work=lcamtuf blog | date=1 October 2014 | access-date=8 October 2014}}</ref>
| |||