Friday, September 26, 2014

Shellshock, We're Really Calling It That?

This week was rough with the security vulnerabilities in GNU bash.  The what?  I'm talking about computer software, so if you don't care about that there is no need to keep reading.

What is GNU bash?

If you have ever watched me use a computer or any nerdy type person use a computer, you might see them frantically typing away and entering commands as the screen scrolls information by.  Us nerdy types prefer a command line user interface as opposed to a graphical user interface.  Words instead of pictures.  A command line interface lets us directly tell the computer what to do.  We find graphical user interfaces tedious and time consuming.  That said, both interfaces have their place in the computer world.

GNU bash is one such command line interface.  It is what we call a shell.  It interfaces us with the computer and allows us to issue commands.  GNU bash is arguably the most popular open source shell in the world and is the default shell on nearly every Linux operating system and MacOS X.  Other Unix and Unix-like systems can have GNU bash installed if you find yourself missing bash when using one of those systems.

What is GNU?

It's the Free Software Foundation and the name of their overarching open source platform project.  It's an organization that you can donate to and they promote and support development of open source software like bash.  But that's not important right now.

Hold up, did you say MacOS X?

I did.  MacOS X is a weird platform.  It's like a Unix (and any diehard will drag me in to an argument about technicalities, but I don't care.  I have hacked on xnu, userspace code, and the C library on Darwin, so I have my own thoughts and opinions about OS X), but it's clearly a Mac.  Underneath all the icons and iTunes and stuff is a core Unix platform that includes a handful of basic command line tools.  A command line environment needs a shell and Apple ships GNU bash with MacOS X to fill that need.

NOTE:  The first versions of MacOS X shipped tcsh as the default shell, then they moved to zsh, then they moved to bash as the default.

I just use Windows and have my development work in the cloud.

You're probably still vulnerable!  If you use Amazon EC2, for instance, your host is likely running a Linux of some sort and if so you have bash on it which is then vulnerable.  The cloud doesn't make this problem go away, it just moves it all to a single point of failure for a large portion of the Internet.

What does this vulnerability allow?

Arbitrary code execution through the use of environment variables passed to child processes.

Wat.

Remember I said bash and shells in general are how we tell the computer what commands to run?  OK, so this vulnerability uses that very basic functionality of the shell to execute other software that would not normally be allowed to run.  That other code could be written to read passwords from your system, wipe your hard disk, or  replace all your MP3s with hamster dance videos.

Because the shell is such a core tool, nearly every other tool relies on it to do some work.  For example, web servers.  And email programs.  And so on.

Are fixes available?

Yes, patches are out and your Linux distribution has most likely already posted updates.

Where can I find more information?

Everywhere, but specifically:
What about SELinux?

SELinux is default on Fedora Linux and Red Hat Enterprise Linux.  It's a very complicated and confusing security layer that many people still don't bother learning.  Most disable it at the first sign of frustration.  But, if you have it set to enforcing mode, you gain a little more protection from this vulnerability.  See Dan Walsh's post about it:  Got SELinux?

And now it's Friday in my time zone and I've updated all of the systems under my control that I care about.  I do want to point out that the vulnerability does not exist in AT&T ksh93, pdksh, The Almquist Shell, or zsh.  Linux systems tend to have bash installed as /bin/sh and /bin/bash.  I personally like having a simple /bin/sh (like The Almquist Shell) and leaving bash either off the system or as /bin/bash.  Maybe that's worth considering now.

No comments: