In the past few days the Linux (and UNIX and MacOS) world has been rocked by an exploit that is being called “potentially worse than Heartbleed”. Administrators and Engineers from around the planet have most likely spent the last 24-36 hours patching and testing their Linux servers, workstations and anything else that runs BASH in order to get ahead of the impending script-kiddie-hack-a-thon which will undoubtedly befall the UNIX community.
For the uninitiated, BASH stands for Bourne Again Shell and is a replacement for the Bourne Shell which is a command environment for UNIX operating systems. It has become the most popular shell for UNIX flavors and is included as the default command environment for all major Linux distributions.
It has also carried a potentially devastating flaw.
For 22 years.
In simple terms, this flaw allows arbitrary execution of commands against the shell by non-authorized persons. You can Google CVE-2014-6271 if you want more details or check out the National Vulnerability Database entry here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Over the years I’ve collected a stellar network of fellow Linux/UNIX administrators, engineers and architects. Yesterday many of us sat in a chat room while we repeatedly patched machine after machine for Shellshock. (The patch is simple, upgrade or patch bash). I made my life easier awhile back by utilizing RHEL Satellite so it was a matter of pushing the update to all our servers with a few keystrokes and then writing a quick script to test and report back). Our few CentOS machines were patched manually and our fewer SuSE machines are another story. (Novell. Need I say more?) So the majority of us had time to wax poetic about what we thought would be the outcome of “Shellshock”. After all, in only a few short hours it has already proven to be worm-able which, again, for the uninitiated, is the same as Ebola gaining the ability to transmit itself in an airborne capacity.
One conclusion we came to was the lack of preparedness we’ve seen in *Nix admins and engineers. In-The-Old-Days (I know, I know), Linux wasn’t trusted, well known or easily obtainable. Those of us willing to delve through USENET, withstand corrupt downloads over dial-up and manually configure a kernel were rewarded with a mostly (ok, often mostly not) working UNIX like OS. We learned the hard way. Don’t get me wrong, I know plenty of fresh admins who have just as much dedication to “doing it right” as the older generation, the line is not firmly planted in any generation.
Linux is “cool”. There is a certain amount of “mystery” attached to what we do. If Microsoft is the band, we are the sound technicians and lighting engineers. Behind the scenes we make places like Amazon, Google, eBay, Facebook and even Wall Street available to millions of people all over the world. We need each-other. Without Microsoft we have nothing to do. Without UNIX, you have no Netflix and no Playstation. When one stops performing, the other suffers.
The potential for Shellshock to disrupt what we take for granted is more than possible. The ability to stop it in it’s tracks is also, more than possible.
The key is going to be those at the helm of these environments.
Good admins jumped on this issue as soon as it became public. In smaller circles, this particular vulnerability has been known since earlier this month as a “potential”. My iPhone screamed at me with a critical alert notice from BugTraq early in the morning and by 10am all of my externally facing machines were patched. I wasn’t taking any chances. I collected the RPM’s and DIFF files for fellow admins at other companies and put them on Dropbox in case they had trouble getting them through normal REPOS because it didn’t matter who you worked for or if we were competing companies, this was a potentially catastrophic event for the community. I wasn’t taking any chances. As far as I was concerned, the enemy was at the gates and trying to get in.
Is the level of paranoia penned above plausible? Probably not. Yes CNN was abuzz with the news, so it was public but was anyone trying to use it against my servers? Unlikely. But “probably not” or “unlikely” is no excuse for not patching.
The real exploit will be “bad” or to use a broader term, “naive” admins. These admins will think “No one is going to find my servers in the mess of IP’s out there! What are the chances? I’ll do it later, I’m going out for Thai noodles! “. This mentality is the same thought process that got Target hacked and the reason I get a new ATM card in the mail to replace the previous one every three months!
Being a Linux Admin/Engineer/Architect is “cool”. It is also work. It is the responsibility of all Eng/Ad/Arch’s no matter your OS choice to stay current with issues of security. There is an old saying; “If you aren’t helping, you are hurting” and in the case of security, this has never been more accurate.