Bash bug in Mac OS X and Linux could be 'bigger than Heartbleed'

posted on Sep, 25 2014 @ 07:19 AM
Heads up ATS. Any of you who manage your own servers, use Apache, or run Mac OSX or Linux distributions this applies to you.



HACKERS HAVE DISCOVERED an exploit for Unix-based systems that some experts claim could be more serious than the Heartbleed SSL bug uncovered in April.



The bash bug, as implied by its name, is a vulnerability that allows unscrupulous users to take control of Bourne Again Shell (bash), the software used to control the Unix command prompt on some Unix-like systems. This means that systems running Mac OS X and Linux are all potentially susceptible.



"Conservatively, the impact is anywhere from 20 to 50 [percent] of global servers supporting web pages. Specifically, this issue affects web servers using GNU bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet."


That's about 500 million potentially vulnerable systems. Security patches are being rolled out today. Be sure to check for upgrades pertaining to your operating system and install them ASAP. It doesn't seem to be reaching into systems that run Linux in the background, like routers. When more info becomes available I'll update the thread.

There's always a run on fresh vulnerabilities to exploit. The blackhats are going to eat this up for a while, so stay secure! Apply that patch as soon as your distro has one for you.

Sauce



posted on Sep, 25 2014 @ 08:29 AM
a reply to: AnonyMason

The SHELLSHOCK bug. Here's some more details:


"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time," Graham wrote. "That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed."



The bug was discovered by French software developer Stéphane Chazelas and patched today by Chet Ramey, official maintainer of the Bash shell, whose day job is as a network manager at Case Western Reserve University in Cleveland. The patch fixes Bash 3.0 through 4.3, and links for network administrators to fix the patches can be found on the SecLists mailing-list archive.

Link

Looking around for a patch/OS list. If I can find one I'll put it here.



posted on Sep, 27 2014 @ 08:18 AM
How to check if you are vulnerable to shell shock.

To determine if a Linux or Unix system is vulnerable, run the following command lines in your Linux shell:

env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"

If you see the word shellshock in the output, your bash shell is vulnerable. The bug is primarily affecting Linux and Unix system bash shells versions 1.14 through 4.3 of GNU.

Patches are available for Redhat, Ubuntu, CentOS, and Debian. Mac is reporting that most users will not be vulnerable but are expected to have an update anyway, soon, possibly today. For the Linux distros apply updates with your package manager using: sudo apt-get update, then sudo apt-get upgrade OR su -c 'yum update'.

Stay safe! NIST vuln database has ranked this a 10/10 severity rating so be sure to apply the patch!
edit on 27-9-2014 by AnonyMason because: sp
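
Added example (not part of the original posts): the check from the post above wrapped in a small script that classifies every sh/bash binary on the machine, so extra copies of bash outside the package manager's reach are not missed. The function names check_shell and scan_shells are hypothetical, and reading candidates from /etc/shells is an assumption about where your system lists its shells.

```shell
#!/bin/sh
# Added example: local self-check built on the env-variable probe from the post.
MARKER="shellshock"

# check_shell PATH -> prints one of: missing, vulnerable, patched, unknown
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as the post: a function definition with a trailing command.
    # stderr is discarded because partially patched bash prints warnings.
    out=$(env X="() { :;} ; echo $MARKER" "$shell_path" -c "echo completed" \
          2>/dev/null </dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;   # trailing command was executed
        *completed*) echo "patched" ;;      # only the requested command ran
        *)           echo "unknown" ;;      # binary did not behave like a shell
    esac
}

# scan_shells -> one "path<TAB>status" line per sh/bash candidate
scan_shells() {
    {
        # Assumption: /etc/shells lists installed login shells (one per line).
        if [ -r /etc/shells ]; then
            grep -E '/(ba)?sh$' /etc/shells || true
        fi
        echo /bin/sh
        command -v bash || true
    } 2>/dev/null | sort -u | while read -r s; do
        [ -n "$s" ] || continue
        printf '%s\t%s\n' "$s" "$(check_shell "$s")"
    done
}

scan_shells
```

Any line reporting "vulnerable" names a binary that still needs the update; on systems where /bin/sh is not bash, that entry reports "patched" regardless of the bash version installed.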



 