author: tahanteada (Lõuapoolik, joined: 04.04.2003)
25.09.2014 22:45:33
From ZDNet: Unix/Linux Bash: Critical security hole uncovered
Summary: The popular Linux and Unix shell has a serious security problem that means real trouble for many web servers. Fortunately, a patch -- as source code -- is available.
The flaw involves how Bash evaluates environment variables. With specifically crafted variables, a hacker could use this hole to execute shell commands. This, in turn, could render a server vulnerable to ever greater assaults.
By itself, this is one of those security holes where an attacker would already need to have a high level of system access to cause damage. Unfortunately, as Red Hat's security team put it, "Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."
The root of the problem is that Bash is frequently used as the system shell. Thus, if an application calls a Bash shell command via web HTTP or a Common-Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked. As Andy Ellis, the Chief Security Officer of Akamai Technologies, wrote: "This vulnerability may affect many applications that evaluate user input, and call other applications via a shell."
That could be a lot of web applications — including many of yours.
The most dangerous circumstance is if your applications call scripts with super-user — aka root — permissions. If that's the case, your attacker could get away with murder on your server.
So what can you do? First you should sanitize the web applications' inputs. If you've already done this against such common attacks as cross-site scripting (XSS) or SQL injection, you'll already have some protection.
Next, I'd disable any CGI scripts that call on the shell. (I'd also like to know why you're still using a 21-year-old way of allowing users to interact with your web services. You might want to use this opportunity to replace your CGI scripts once and for all.)
After that, I'd follow Akamai's recommendation and switch "away from using Bash to another shell." But keep in mind that the alternative shell will not use exactly the same syntax and it may not have all the same features. This means if you try this fix, some of your web applications are likely to start acting up.
Of course, the real fix will be to replace the broken Bash with a new, secure one. As of the morning of September 24, Bash's developers have patched all current versions of Bash, from 3.0 to 4.3. At this time, only Debian and Red Hat appear to have packaged patches ready to go.
OpenSSH is also vulnerable via the use of AcceptEnv variables, TERM, and SSH_ORIGINAL_COMMAND. However, since to access those you already need to be in an authenticated session, you're relatively safe. That said, you'd still be safer if you blocked non-administrative users from using OpenSSH until the underlying Bash problem is patched.
It's extra work, but if I were a system administrator, I wouldn't wait for my Unix or Linux distributor to deliver a ready-made patch into my hands. I'd compile the patched Bash code myself and put it in place.
This is not a bug to fool around with. It has the potential to wreak havoc with your systems. Worse still, a smart attacker could just leave malware mines behind to steal data after the fact.
As Ellis said, "Do you have any evidence of system compromises? No. And unfortunately, this isn't 'No, we have evidence that there were no compromises;' rather, 'we don't have evidence that spans the lifetime of this vulnerability.' We doubt many people do — and this leaves system owners in the uncomfortable position of not knowing what, if any, compromises might have happened."
So patch this bug now or you'll regret it.
http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/
-------------------------
Edit: You can see online that quite a lot is being written about this problem. And we'll see whether RIA writes anything about it at some point or not.
For example, one shorter story:
Linux Bash Bug Poses Security Threat, Gets Compared to Heartbleed
Here we go again
Security researchers have discovered a major security bug in the Unix shell known as Bash (Bourne-again shell), one of the most commonly used utilities in Linux and one that could potentially affect a great number of Unix and Linux web servers. By exploiting the newly discovered vulnerability, an attacker can take complete control of the system and/or execute shell commands that could make a server vulnerable to even more threats.
The bug is such that an attacker would need a high level of system access to do any real damage, though according to Red Hat, remote attacks are possible through "certain services and applications." Patches are needed to fill in the security hole and eradicate the bug, but since it's been present in enterprise Linux software for so long, that's no easy task, The Verge reports. That said, Red Hat, Fedora, Ubuntu, and others have already released patches, and Apple is working on a fix for Mac OS X.
Some security experts, including Errata Security's Robert David Graham, have compared the Bash bug to Heartbleed. Graham went so far as to say it's "probably a bigger deal than Heartbleed" because of all the software out there that's vulnerable -- cataloging it all would be a nightmare, if not an impossible task.
http://www.maximumpc.com/linux_bash_bug_poses_security_threat_gets_compared_heartbleed_2014
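As an added example (not from the ZDNet article or the forum post), one way to follow the article's advice to keep user input away from the shell: a CGI-style handler that launches a helper directly, with no shell, and hands it only an allow-listed environment, so request-derived HTTP_* variables never reach Bash. The ALLOWED_ENV list, the helper names and the sample cgi_env are assumptions constructed for this demonstration.

```python
"""Added example: run a helper from a CGI-style handler without passing
request-controlled environment variables to a shell."""
import os
import subprocess
import sys

# Variables the child legitimately needs (assumed list). Everything else,
# in particular the HTTP_* headers that CGI servers export from the request,
# is dropped before the child starts.
ALLOWED_ENV = ("PATH", "LANG", "LC_ALL", "TZ", "HOME")


def build_child_env(request_env, allowed=ALLOWED_ENV):
    """Return a minimal environment built only from allow-listed keys.

    request_env is the full CGI environment (os.environ in a real handler);
    the result never contains user-influenced entries such as
    HTTP_USER_AGENT, HTTP_COOKIE or QUERY_STRING.
    """
    return {k: request_env[k] for k in allowed if k in request_env}


def run_tool(argv, request_env=None):
    """Run argv directly (shell=False, so no Bash evaluates the environment)
    with the filtered environment. argv must be a list, never a shell string."""
    if isinstance(argv, str):
        raise TypeError("argv must be a list of arguments, not a shell string")
    env = build_child_env(os.environ if request_env is None else request_env)
    return subprocess.run(argv, env=env, shell=False,
                          capture_output=True, text=True, check=False)


def child_sees_http_vars(request_env):
    """Diagnostic: names of HTTP_* variables visible inside a child started
    through run_tool(). With the allow-list in place the list is empty."""
    code = ("import os; print(' '.join(sorted("
            "k for k in os.environ if k.startswith('HTTP_'))))")
    result = run_tool([sys.executable, "-c", code], request_env)
    return result.stdout.split()


if __name__ == "__main__":
    # Constructed CGI environment: the web server exported request headers.
    cgi_env = {
        "PATH": "/usr/bin:/bin",
        "HTTP_USER_AGENT": "constructed-user-agent-value",
        "HTTP_COOKIE": "session=constructed",
        "QUERY_STRING": "q=constructed",
    }
    print("child env:", build_child_env(cgi_env))
    print("HTTP_* visible to child:", child_sees_http_vars(cgi_env))
```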