Shellshock Bash Bug and TrueVault
- By Jameson Lee
- Published on September 25, 2014
Yesterday, a critical exploit was announced that affects Linux servers through bash, aka the Bourne Again SHell. The vulnerability involves how Bash processes environmental variables. With specifically crafted variables, intruders could invoke shell commands, making the system vulnerable to even greater assault.
TrueVault was notified of the bug via the publication of the issue and patch information on Seclists.org, the leading security mailing list. Upon notification of the threat TrueVault immediately took the following actions:
- Installed the recommended patch to eliminate the exploit on all TrueVault Linux machines and servers.
- Tested the patch to ensure the exploit was ineffective with the patch.
- Verified that TrueVault systems had not been compromised via the exploit.
After a thorough system review, the team concluded that at no time was any data or TrueVault servers compromised. There was no impact to TrueVault customer data at any point due to this vulnerability.
This is an ongoing issue and industry experts are still busy addressing it. We invite you to check this blog post for future updates. We strongly encourage our customers to work expediently to evaluate the impact to their own services.
The RedHat blog has a detailed and accessible explanation of the exact details of the exploit and how the patch works to resolve the exploit.
…the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts,…
Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable).
The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function.
You can learn more about it here: http://seclists.org/oss-sec/2014/q3/650 and get the patch updates here: http://lists.centos.org/pipermail/centos/2014-September/146099.html
If you have questions please don’t hesitate to contact us at firstname.lastname@example.org.