Content deleted Content added
fixing dupe reference(s) with reFill 2 |
updating cites |
||
Line 18:
'''Shellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[New York Times]] |access-date=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See => {{cite web |author=Staff |title=What does the "Shellshock" bug affect? |url= http://www.thesafemac.com/what-does-the-shellshock-bug-affect/|date=25 September 2014 |work=The Safe Mac |access-date=27 September 2014 }}</ref> in the [[Unix]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web |last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ |date=29 September 2014 |work=[[ZDNet]] |access-date=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests.
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Mr. Chazelas developed a [[Patch (computing)|patch]]<ref name="NYT-20140925-NP" /> (fix) for the issue, which by then had been assigned the vulnerability identifier ''{{CVE|2014-6271}}''.<ref name="seclist-q3-650">{{cite
The bug Chazelas discovered caused Bash to unintentionally execute commands when the commands are concatenated to the end of [[subroutine|function definitions]] stored in the values of [[environment variable]]s.<ref name="NYT-20140925-NP" /><ref name="TR-20140924">{{cite web |last=Leyden |first=John |title=Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open |url=https://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ |work=[[The Register]] |date=24 September 2014 |access-date=25 September 2014}}</ref> Within days of its publication, a variety of related vulnerabilities were discovered (''{{CVE|2014-6277|2014-6278|2014-7169|2014-7186|2014-7187|leadout=and}}''). Ramey addressed these with a series of further patches.<ref name="ITN-20140929"/><ref name="zdnet-betterbash"/>
Line 46:
: Security documentation for the widely used [[Apache HTTP Server|Apache]] web server states: "CGI scripts can ... be extremely dangerous if they are not carefully checked,"<ref>{{cite web|url=http://httpd.apache.org/docs/2.2/misc/security_tips.html|title=Apache HTTP Server 2.2 Documentation: Security Tips|access-date=2 October 2014}}</ref> and other methods of handling web server requests are typically used instead. There are a number of online services which attempt to test the vulnerability against web servers exposed to the Internet.{{citation needed|date=September 2014}}
; OpenSSH server
: [[OpenSSH]] has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of just running an unrestricted command shell. The fixed command is executed even if the user specified that another command should be run; in that case the original command is put into the environment variable "SSH_ORIGINAL_COMMAND". When the forced command is run in a Bash shell (if the user's shell is set to Bash), the Bash shell will parse the SSH_ORIGINAL_COMMAND environment variable on start-up, and run the commands embedded in it. The user has used their restricted shell access to gain unrestricted shell access, using the Shellshock bug.<ref name="qualys">{{cite web|url=https://blog.qualys.com/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability|title=The Laws of Vulnerabilities|publisher=Qualys.com|author=Wolfgang Kandek|date=24 September 2014|access-date=26 September 2014
; DHCP clients
: Some [[Dynamic Host Configuration Protocol|DHCP]] clients can also pass commands to Bash; a vulnerable system could be attacked when connecting to an open Wi-Fi network. A DHCP client typically requests and gets an IP address from a DHCP server, but it can also be provided a series of additional options. A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.<ref name="mit-tech"/>
; Qmail server
: When using Bash to process email messages (e.g. through .forward or qmail-alias piping), the [[qmail]] mail server passes external input through in a way that can exploit a vulnerable version of Bash.<ref>
; IBM HMC restricted shell
: The bug can be exploited to gain access to Bash from the [[restricted shell]] of the [[IBM Hardware Management Console]],<ref>{{cite web |url=https://www.ibm.com/developerworks/community/blogs/brian/resource/BLOGS_UPLOADED_IMAGES/shellshock.png |title=IBM HMC is a vector for CVE-2014-6271 (bash "shellshock") |archive-url=https://web.archive.org/web/20200119235509/https://www.ibm.com/developerworks/community/blogs/brian/resource/BLOGS_UPLOADED_IMAGES/shellshock.png |archive-date=2020-01-19}}</ref> a tiny Linux variant for system administrators. IBM released a patch to resolve this.<ref name="ibm-hmc">{{cite web |url=https://www-304.ibm.com/support/docview.wss?uid=ssg1S1004879 | title=Security Bulletin: Vulnerabilities in Bash affect DS8000 HMC (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) | publisher=IBM | date=3 October 2014 | access-date=2 November 2014}}</ref>
| |||