On Wednesday, September 24, 2014, security experts discovered a serious vulnerability (dubbed Shellshock or the Bash Bug) in Bash, the shell, or command-line interpreter, used on Unix and Unix-like computer operating systems. Remarkably, this vulnerability had been present for over 25 years. Shell programs, or scripts, are commonly used to chain commands together to automate routine operations within and across computers and networks. Unix and Unix-like systems (you may have heard of Linux, or of names like Red Hat, Ubuntu, Debian and OS X) are very widely used, especially on the servers and network devices running behind the scenes.
So what’s the problem? An attacker can exploit the reported vulnerability to remotely execute arbitrary code on all kinds of systems: web servers, network devices, other servers, Macs, and so on. Worse, the vulnerability allows an attacker to replicate the exploit from one compromised computer to others.
Here are the details. The problem involves environment variables: named values, set outside a program, that affect how that program runs on a computer. They are often used to configure programs to behave a certain way. A shell script, for example, might read an environment variable to find the location of a file, a network port number, or the system’s locale. An attacker can craft a specially formatted environment variable whose value contains malicious code, and a vulnerable Bash executes that code as soon as a shell is started with that variable in its environment. In effect, the vulnerability lets the attacker hijack a shell or shell script to run commands remotely (often bypassing the normal restrictions on the remote machine) and do whatever he likes. This type of attack is often referred to as code injection.
The vulnerability is officially known as CVE-2014-6271.
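One way to verify whether a machine’s own Bash still has the CVE-2014-6271 behavior described above, as an added example that is not part of the original post: it exports a variable in the shape Bash parses as a function definition, with a harmless echo placed after the definition, and reports whether a child Bash ran that trailing text. The variable name MARKER and the marker string are constructed for this check; bash is assumed to be on PATH (the function reports no-bash otherwise).

```shell
#!/bin/sh
# Local patch check for CVE-2014-6271 (constructed example, not from the post).
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2 respectively.
shellshock_6271_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
  # The value is a function definition followed by an extra command.
  # A patched Bash treats the variable as plain text (or imports only the
  # function); an unpatched Bash also runs the text after the definition
  # while the child shell starts up, before -c is even executed.
  out=$(env MARKER='() { :; }; echo SHELLSHOCK_TRIGGERED' \
        "$bash_bin" -c 'echo probe-done' 2>&1)
  case "$out" in
    *SHELLSHOCK_TRIGGERED*) echo "vulnerable"; return 1 ;;
    *)                      echo "patched";    return 0 ;;
  esac
}

# Usage: run the check against the default bash and surface its exit status.
shellshock_6271_check
```

A patched system prints probe-done internally and reports patched; run it again after updating Bash to confirm the fix took.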
As always, we take safeguarding your information very seriously at HelloWallet. Know that we are always thinking about it!
Update 9/29: We have also patched for CVE-2014-7169.