And now for Bash to take the spotlight…

shellshock
Well folks – you might as well get used to this happening.  Thanks to the frothing madness of security, and the uncontrollable amounts of money dumped into research and development (yet nothing to the actual projects we use EVERY..SINGLE…DAY – take a hint), we are going to continue to see this sort of thing happen and get more and more mainstream attention.  Not that I have anything against security – but any day we want to start diverting some money from finding bugs to fixing the projects, I’m all for it…

First – let’s talk about the bug itself.  I’ll let you read the actual NVD listing here.  In a nutshell, the bug allows remote execution of code within the bash shell.  Nothing special, right?  We see this all the time.  The problem itself, in my opinion, isn’t the bug but:

  1. The almost blanket use of bash (it’s in EVERYTHING – and I wish that was an understatement)
  2. The poor APPLICATION of code checking
  3. The poor APPLICATION of security

This bug relies on the same thing almost all bugs do – the lack of security and checks in order to execute.  By this I mean, as a very generic example – let’s say you have a public web server handing requests to scripts via CGI.  With the right strings in the request, you could pass a command through to the shell, have the shell execute the command and return whatever you passed.  Some ideas that come to mind would be to pass back the contents of logs, or perhaps ps output, or more valuable information….you can use your imagination.

Now, having said that – see my list above.  We can’t do anything about item 1 – that’s a given.  Even if we could, we would simply be replacing one problem with another (how long before we come up with issues in csh, ksh, etc.…).  Number 2, however – that is something we can do something about.  I’m not going to go into it here….but suffice to say it wouldn’t hurt for developers to stop using circa-90’s methods of programming…

And for the rest of us sysadmins/engineers/etc. – I bring up number 3, as this bug has been shown to be stopped by SELinux.  So for us – it wouldn’t hurt to stop admin’ing our boxes as if it’s the 90’s…  Either use the security tools we have, or patch, Patch, PATCH!
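Since the whole point above is "patch, Patch, PATCH", here is the check a sysadmin would actually run to see whether the bash on a box still has the behaviour described earlier (a trailing command smuggled in after a function definition in an environment variable gets executed when bash starts).  This is an added example, not code from the original post; the function names (shellshock_check, function_export_check, bash_version) and the probe variable name are my own.  It only runs bash on the local host, touches no network and no CGI, and prints "patched" on a fixed bash, "vulnerable" on an unfixed one, or "no-bash" if bash isn't installed.

```shell
#!/bin/sh
# Added example (not from the original post): local self-check for the bash
# environment-variable function-import bug.  POSIX sh on the outside so it runs
# under dash/ash too; bash is only invoked as a child process under test.

# Prints "no-bash", "vulnerable" or "patched".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The value is a function definition followed by an extra command.  An
    # unpatched bash executed that trailing command while importing the
    # function from the environment; a patched bash ignores the variable
    # entirely because it is not in the special exported-function form.
    out=$(env probe='() { :;}; echo EXECUTED' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *EXECUTED*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

# Sanity check that the legitimate feature still works after patching:
# export -f puts the function into the environment in the form a fixed bash
# recognises, so a child bash can still call it.  Prints "hello" (or "no-bash").
function_export_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash -c 'greet() { echo hello; }; export -f greet; bash -c greet' 2>/dev/null
}

# Report the bash version so it can be compared against the vendor's patched build.
bash_version() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash -c 'echo "$BASH_VERSION"'
}

echo "bash version:          $(bash_version)"
echo "env-injection check:   $(shellshock_check)"
echo "function export check: $(function_export_check)"
```

Run it on each host after applying the vendor's bash update; a result of "patched" together with "hello" from the export check means the fix is in place and normal function exporting was not broken by it.  Note that this only covers the original import bug, so keep following the vendor's advisories for the follow-up fixes to the same parser.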

I’ll leave this article with this final thought – Yes, the bash bug/Shellshock, Heartbleed, and now the SSLv3 bug are issues – BUT the patches are there, the tools to defend are there, and there is NO REASON for these issues to be as rampant as they are.  We will ALWAYS find these sorts of bugs in code, closed or open.  But instead of people crucifying OpenSSL and Bash – maybe they should contribute to the project.  And instead of companies using the products for free and contributing to more and more research by 3rd-party companies to FIND issues – maybe, just MAYBE, that money could go to the teams maintaining these tools so they can get the assistance they deserve and improve the products!  Just my 2c…


About Matthew

I'm the owner of impromptu-it, an IT engineer and enthusiast!