A vulnerability has been found in the Bash Unix shell. The bug is in the way Bash imports shell functions from environment variables: a variable whose value begins with "() {" is parsed as a function definition, and a vulnerable Bash keeps parsing past the end of the function body and executes whatever commands follow it. If an attacker can get a crafted environment variable into a process that then calls bash (directly, via system(), or through a script with a #!/bin/bash line), they may be able to achieve arbitrary remote code execution on the target system.
This has potentially severe implications for any network service that invokes bash, directly or indirectly, with attacker-influenced environment variables.
- CGI scripts on web servers: the server copies request headers into the script's environment (for example User-Agent becomes HTTP_USER_AGENT and Referer becomes HTTP_REFERER), so a single crafted HTTP request can achieve remote code execution.
- Systems running SSH may also be vulnerable. sshd sets TERM and SSH_ORIGINAL_COMMAND and passes through any client-supplied variables listed in AcceptEnv, so an authenticated user can run arbitrary commands on affected systems even where a forced command or restricted shell was meant to confine them.
- Other network services that pass client-supplied data to bash through the environment may also be impacted (e.g. SMTP servers).
This has widespread severe security implications, as potentially any Linux/Unix system that exposes a bash-backed service can be compromised remotely, and on distributions where /bin/sh is bash the exposure extends to scripts that never mention bash by name.
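Two checks a responder would want at this point, as an added example that is not part of the original advisory: a local test of whether the installed bash still executes commands trailing an imported function definition, and a scan of a web server access log for requests carrying the "() {" marker in a header, which is how the CGI vector delivers the payload. The access log below is constructed for the example (combined log format, RFC 5737 addresses, benign probe commands), not real traffic, and the path to bash and the log file are parameters, not assumptions about any particular system.

```shell
#!/bin/sh
# Added example, not code from the original advisory.

# 1. Local check. Bash imports exported functions from environment variables
#    whose value starts with "() {". A vulnerable bash keeps parsing after the
#    function body and runs the trailing "echo vulnerable"; a patched bash only
#    runs the child command and prints "probe" (it may warn on stderr).
bash_shellshock_status() {
    bash_bin="${1:-bash}"    # bash to test; defaults to the one on PATH
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. Log detection. CGI servers copy request headers into the script's
#    environment (User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER), so an
#    attacker places the function definition in any header. Count log lines
#    that carry the "() {" marker, allowing the spacing variations seen in the wild.
count_shellshock_attempts() {
    logfile="$1"
    n=$(grep -c -E '\(\)[[:space:]]*\{' "$logfile") || true   # grep -c exits 1 on zero matches
    echo "${n:-0}"
}

# Constructed sample access log for the example (not real traffic): two ordinary
# requests, then two attempts delivered via the User-Agent and Referer headers.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/id"
203.0.113.9 - - [25/Sep/2014:10:02:13 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { :; }; /bin/uname -a" "curl/7.37.0"
EOF
}

# Stand-alone run: report the local bash and the attempts found in the sample log.
main() {
    echo "local bash: $(bash_shellshock_status)"
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "exploitation attempts in sample log: $(count_shellshock_attempts "$tmp")"
    rm -f "$tmp"
}
main "$@"
```

Run the first check against every bash binary on the host, not just the one on PATH (appliances and chroots often carry their own copy), and run the log scan over the whole retention window: the marker is the same whichever header the attacker chose, so one pattern covers User-Agent, Referer, Cookie and custom headers alike.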
WHAT CAN YOU DO:
- Upgrade bash on all Linux/Unix systems immediately, then re-test the installed binary rather than trusting the package version alone.
- Temporarily firewall any Internet-facing SSH servers or web servers running shell-based CGI scripts (or disable the CGI handler) until the bash patch can be applied.
- For appliances, software appliances and embedded systems, contact the vendor to seek advice about patching.
- Cry softly into your pillow
- Run away from your job
- Hit the pub.
More to follow…