Monthly Archives: September 2014

Alibaba, the e-commerce giant on 60 Minutes Tonight
CBS-Alibaba-TeamPlease tune in tonight, Sept. 28 for 60 Minutes and meet Jack Ma, the charismatic founder of Alibaba, the e-commerce giant that just issued the biggest public offering of its stock in Wall Street history.  When I first met him a year and a half ago, I was immediately struck by the notion that Ma is a giant in a small frame, as you can see from our joint photo with his Alibaba team.  And yes, that’s my son Daniel on the right, who joined my 60 Minutes team while we were in China to work as a translator, fixer and  as my personal shlepper.  Never had such a qualified or attentive aide-de-camp.   The correspondent is Lara Logan.
Howard L Rosenberg
Producer, 60 Minutes
CBS News
2020 M St. NW
Washington, DC 20036
Alert From the US Computer Emergency Readiness Team

Alert (TA14-268A)
GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)

Systems Affected

  • GNU Bash through 4.3.
  • Linux, BSD, and UNIX distributions including but not limited to:

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1](link is external). The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4(link is external), 5(link is external)]

  • Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
  • Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities.
  • Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
  • Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.

Solution

Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.

References

Revisions

  • September 25, 2014 – Initial Release