Wednesday, September 24, 2014

Bad bash, no cookie

There's a very nasty vulnerability that has been discovered in bash, a command processor (it can be compared to DOS in Windows) that is included in most Linux and Unix systems, including Apple's OS X. Ubuntu and other Debian-derived systems typically use Dash, and unless bash has been installed they are exempt from this vulnerability.

Bash is a command processor, allowing the user to type commands which cause actions on the server. As such, in the wrong hands it can be disastrous, which is why this particular vulnerability is very serious.

The NIST vulnerability database rates the flaw 10 out of 10 in terms of severity. Jim Reavis, chief exec of the Cloud Security Alliance, claims the hole is comparable in seriousness to the infamous password-leaking Heartbleed bug in the OpenSSL library that was uncovered earlier this year. This vulnerability also affects Apple's OS X – and is useful for privilege escalation.

The good news, at least for Linux servers, is that a patch/update to bash was released earlier today, and it's a very simple fix. By "very simple" I mean it took less than 5 minutes to accomplish, so there is no reason for any hosting server admin not to apply this fix. OS X users may have a harder time patching their systems.

But if you're one of our hosting customers... we've got you covered.