Jexet Technologies Warns Linux Vulnerabilities May Threaten Chicago Businesses

Jexet Technologies of Chicago warns users of Linux vulnerabilities as outlined by the Department of Homeland Security and Red Hat.

Chicago, USA - November 27, 2014 /PressCable/

Jexet Technologies of Chicago seeks to notify users of a potential risk to Linux operating systems. Linux is a popular alternative operating system to Windows.

Affected Systems

GNU Bash through 4.3

Linux and Mac OS systems on which Bash is part of the base operating system

Any BSD or UNIX system where GNU Bash is installed on an ad-hoc basis

Any operating system equivalent to UNIX on which the /bin/sh interface has been implemented as GNU Bash

Summary

GNU Bourne-Again Shell (Bash) is the common command-line shell used in many Linux/UNIX operating systems and Mac OS X systems. A flaw in Bash exposes these platforms to attack. It enables an attacker to execute shell commands remotely by placing malicious code in environment variables used by the operating system.

The United States Department of Homeland Security has issued guidelines on protecting systems against the vulnerabilities presented by GNU Bash.

Nature of Threat

Versions 1.14 through 4.3 of GNU Bash are vulnerable to a flaw in which Bash processes commands that are placed after function definitions in the values of environment variables. This allows remote attackers to execute arbitrary code via a crafted environment, which enables network-based exploitation. The following are examples of the potential vulnerabilities.

Apache HTTP Server using mod_cgi or mod_cgid scripts that are either written in Bash or spawn GNU Bash subshells, or any system where the /bin/sh interface is implemented using GNU Bash.

Overriding or bypassing the ForceCommand feature in OpenSSH sshd, and the limited protection it provides for some Git and Subversion deployments that use it to restrict shells, which permits arbitrary command execution.

This data path is vulnerable on systems where the /bin/sh interface has been implemented using GNU Bash.

Risk

By industry standards, this vulnerability is categorized as high impact, with a CVSS Impact Subscore of 10, and low in complexity. This implies that it takes little time to execute.

Exploiting this flaw, attackers can provide specially crafted environment variables that contain arbitrary commands for exploiting vulnerable systems. It is a serious potential threat because of the prevalent use of the Bash shell and its ability to be executed in various ways.
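The crafted-environment pattern described above can be looked for in web server logs. The following Python example is added here for illustration and is not part of the original release or of any Jexet or vendor tooling; it assumes access logs in the Apache combined format, and the function names and log lines are constructed for the example.

```python
import re

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("request", "referer", "user-agent")

# mod_cgi hands request headers to CGI scripts as environment variables
# (HTTP_USER_AGENT, HTTP_REFERER, ...). A value containing "() {" is what a
# vulnerable Bash treats as a function definition when it imports the variable.
FUNC_DEF = re.compile(r'\(\)\s*\{')

def scan(lines):
    """Return (ip, time, field, trailing_text) for every logged field that
    carries a function definition; trailing_text is what follows the body."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skipped rather than guessed at
        ip, when = m.group(1), m.group(2)
        for name, value in zip(FIELDS, m.groups()[2:]):
            d = FUNC_DEF.search(value)
            if not d:
                continue
            close = value.find("}", d.end())
            trailing = value[close + 1:].strip(" ;") if close != -1 else ""
            hits.append((ip, when, name, trailing))
    return hits

# Constructed sample lines (documentation IP ranges, harmless marker text).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Nov/2014:10:00:05 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 0 "-" "() { :; }; echo constructed-marker"',
    '203.0.113.4 - - [27/Nov/2014:10:00:09 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 0 "() { :; }; echo constructed-marker-2" "curl/7.38.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit shows that a request carried the pattern, not that the server was vulnerable; whether the host was exposed depends on the installed Bash version and patch level.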

Prevention

There is no foolproof solution yet. Jexet Technologies advises users to install the existing patches and remain vigilant for updated patches that address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

Red Hat has provided a support article with updated information.

Contact Jexet for updated information. Those affected can find a list of vendors in CERT Vulnerability Note VU#252743.

Jexet recommends that system administrators review the vendor patches and the NIST Vulnerability Summaries for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 to mitigate damage caused by the risk.

Jexet can be reached through their website at http://www.jexet.com

Contact Info:
Name: Daniel Wang
Organization: Jexet Technologies
Address: 401 S LaSalle St suite1203 Chicago, IL 60605
Phone: (312) 651-6304

Source: http://marketersmedia.com/jexet-technologies-warns-linux-vulnerabilities-may-threaten-chicago-businesses/69024

Release ID: 69024
