A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.
This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this.
There’s no reason this has to be a disaster. The patches came out the same day the vulnerability was announced. It took all of fifteen seconds for me to patch this particular server. No reboot necessary. Just apt-get update and apt-get upgrade and done, since I run Debian.
This is the kind of thing we must get good at fixing fast. By the end of the week, there’s no reason for any company to have a server vulnerable to this on its network.
If your Unix patch repositories are up to date–there’s no reason not to update them at least monthly, unless you like being worse than Microsoft–then it’s a one-liner to do the upgrade. If you have large numbers of servers to manage, this is exactly the reason to get management infrastructure in place like cfengine if you don’t have it. Or just buy a solution like Blade Logic if you don’t have the chops to manage cfengine.
This is the kind of problem that has all the makings of a crisis, but there will be companies who will be able to push this update in a matter of minutes and just keep right on rolling like it’s any other day.
Anyone who can’t push this update in minutes needs to figure out why and correct it now. Because there will be another bug like this one, and the public is paying attention these days.
We had an excuse with Heartbleed–so many of the boxes that ran it were appliances. In this case, appliances are vulnerable but so is every run-of-the-mill Unixy box in your datacenter and under Tom, Dick, and Harry’s desks.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
And home routers, if they are running bash. That is the scary vector. I haven’t seen any numbers for this yet, but it could be big (which is all part of the FUD, of course).
For once, most consumer routers ought to be OK, since the majority of them use Busybox to provide their shell, as well as most of the rest of their userland.
Enterprise-grade appliances will be another story, though.