Bash security vulnerability may be a bigger threat than "Heartbleed"; update as soon as possible!



According to foreign media reports, network security experts warned on Wednesday that a security vulnerability has been discovered in "bash", a widely used component of the open-source Linux operating system, and that its threat to computer users may exceed that of the "Heartbleed" vulnerability found in April this year.

Bash is the software that provides the command prompt (the shell) on Linux computers. Network security experts said that hackers can use a security vulnerability in Bash to take full control of the target computer system.

Dan Guido, Chief Executive Officer of the cyber-security company Trail of Bits, said: "Compared with the Bash flaw, Heartbleed only allows hackers to snoop on computers, but does not allow them to gain control of computers."

He said: "The method for the Bash vulnerability is much simpler. You can cut and paste a single line of code and get good results."

Guido also said that he is considering disconnecting his company's non-essential servers from the network, to protect them from attacks through the Bash vulnerability, until he can patch it.

Todd Beardsley, Engineering Manager at the network security company Rapid7, warned that the severity of the Bash vulnerability is rated 10, the highest possible impact, while its exploitation difficulty is rated "low", meaning that hackers can easily use it to launch network attacks.

"Using this vulnerability, attackers may take over a computer's entire operating system, access confidential information, and modify the system. Any computer system that uses Bash must be patched immediately."

"Heartbleed" is a security vulnerability in OpenSSL, an open-source encryption software package, discovered in April this year. Because 2/3 of the world's websites use OpenSSL, the "Heartbleed" vulnerability put tens of millions of people at risk, and it forced dozens of technology companies to release security patches for hundreds of products that use OpenSSL.


Affected Red Hat versions (shown in an image in the original post):


For users of Red Hat and CentOS systems, fixing this vulnerability is easy: a single "yum update bash -y" upgrades Bash to the latest package, bash-4.1.2-15.el6_5.1.x86_64!

# yum update bash-4.1.2-15.el6_5.1

You can also run the following command on your machine to test whether the Bash vulnerability exists. It sets an environment variable whose value looks like a function definition followed by an extra command; a vulnerable bash runs that trailing command while importing the environment, before the "true" is ever executed.

env t='() { :;}; echo You are vulnerable.' bash -c "true"

The following compares the result of running the test command on a machine that has not been upgraded to the new Bash version with one that has:


Machine without the Bash upgrade:

[[email protected] ~]# env t='() { :;}; echo You are vulnerable.' bash -c "true"
You are vulnerable.

After upgrading to bash-4.1.2-15.el6_5.1.x86_64, test again:

[[email protected] ~]# env t='() { :;}; echo You are vulnerable.' bash -c "true"
bash: warning: t: ignoring function definition attempt
bash: error importing function definition for `t'
[[email protected] ~]# /sbin/ldconfig
[[email protected] ~]# rpm -qa bash
bash-4.1.2-15.el6_5.1.x86_64
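As an added example (not from the original post), the script below wraps the article's test command in a function with a clear exit status, so the same check can be run on many hosts from a script or a configuration-management tool; the marker string and the function names are my own.

```shell
#!/bin/sh
# Added example: turn the article's one-line test into a check with an exit
# status. Marker string and function names are assumptions, not from the post.

# Returns 0 when bash ignores the trailing command (patched), 1 when it runs
# it (vulnerable), 2 when no bash binary is available to test.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found"; return 2; }
    # Unique marker so we match our own output, not an unrelated line.
    marker="SHELLSHOCK_MARKER_$$"
    # The variable's value looks like an exported function followed by an
    # extra command. A vulnerable bash runs that command while importing the
    # environment, before "true" is ever executed.
    output=$(env t="() { :;}; echo $marker" bash -c "true" 2>&1)
    case "$output" in
        *"$marker"*)
            echo "VULNERABLE: bash executed the command appended to the function definition"
            return 1 ;;
        *)
            # Patched builds either warn ("ignoring function definition
            # attempt") or, on newer bash, silently treat t as a plain variable.
            if [ -n "$output" ]; then
                echo "not vulnerable: trailing command ignored ($output)"
            else
                echo "not vulnerable: trailing command ignored"
            fi
            return 0 ;;
    esac
}

# Reports the installed bash build for the record, using rpm where present
# (as the article does) and falling back to bash's own version string.
bash_build() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash 2>/dev/null && return 0
    fi
    bash --version | head -n 1
}

bash_build
shellshock_check
```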

You can refer to the official Red Hat advisories and the CentOS announcement:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

https://access.redhat.com/solutions/1207723

http://lists.centos.org/pipermail/centos/2014-September/146099.html


PS: Although the various vendors have released upgraded Bash packages, Google security researcher Tavis Ormandy said on Twitter that the patches released by the Linux distributors appear to be incomplete, which has raised concerns among several security experts.


This article is from the "bug blog" blog; please keep this source when reproducing it: http://xlogin.blog.51cto.com/3473583/1557973
