‘Bash’ Bug Security Vulnerability
A security vulnerability affecting GNU Bash (CVE-2014-6271) has been announced.
A bug discovered in Bash Shell, a command-line interface used by Linux and Unix, could leave web servers, systems and embedded devices such as routers vulnerable to cyber-attacks. The vulnerability has been labeled CVE-2014-6271. More detailed information can be found at: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169. A summary can be found below.
What’s exactly is the bug?
From the CVE release from NIST vulnerability database:
“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.”
Why is this vulnerability so dangerous?
Red Hat’s security team explains this:
“This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.”
How is HostMySite protecting me?
Our advanced team of Platform Administrators have gone through and updated all of our systems. This patch did require that your server be restarted after it was applied. As always, we usually perform server updates and maintenance during our daily 2am – 6am maintenance window, however, due to the severity of this issue, we wanted to ensure that your data on our servers was protected
Still have a question?
Should you have any additional questions regarding this Security Vulnerability, please do not hesitate to reach out to our Support Team.