ShellShock - Linux Bash Vulnerability

September 30, 2014

TransNexus software applications are not directly vulnerable to the recently announced "ShellShock" Linux Bash vulnerability, but the CentOS and RedHatLinux operating systems that host TransNexus applications are vulnerable.

Huzaifa Sidhpurwala has an excellent post on the Red Hat Security Blog that explains the vulnerability and potential attacks. In a nutshell:

the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

A post on the Redhat Blog provides the following fix.

Before fix

(The following command will generate the response "OOPS"):

[ospadmin@labrat-1 ~]$ env x='() ; echo OOPS' bash -c/bin/true`
OOPS
[ospadmin@labrat-1 ~]$

Fix

(Upgrade bash):

[root@labrat-1 ospadmin]

After

(No "OOPS" response to the following command):
[root@labrat-1 ospadmin]
[root@labrat-1 ospadmin]#

More information is available from CentOS security announcement: http://lists.centos.org/pipermail/centos-announce/2014-September/020585.html