Bitcoin at Risk: Major Vulnerability Discovered in GNU Bash

The National Vulnerability Database has issued a critical security advisory about a major vulnerability in the GNU Bourne Again Shell (Bash). GNU Bash is the command-line shell used in most operating systems based on Linux and Unix, including Apple's OS X.

A Red Hat security advisory said:

"This issue is especially dangerous as there are many possible ways Bash can be called by an application,"

The GNU Bash vulnerability was first discovered by Stéphane Chazelas. Ars Technica writes:

... is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Bitcoin at Major Risk

This is not a Bitcoin Core vulnerability. However, Bitcoin Core is normally stopped, started and interacted with from a bash shell, and it runs on hosts where bash is reachable through other services.

The bash vulnerability is at a lower level: in a command-line shell that is used by almost every Linux operating system and by some of their components, which pass data from the outside into bash's environment. For example:

  • Python's os.popen and subprocess with shell=True run commands through /bin/sh, which is bash on many distributions (Red Hat-family systems, for instance; Debian and Ubuntu point /bin/sh at dash but still ship bash)
  • Apache's mod_cgi exports the request's headers as HTTP_* environment variables before running a CGI script, so a CGI script written in bash, or one that spawns a bash subshell, receives attacker-controlled values
  • OpenSSH is the standard method of remotely logging into a Linux host and typically spawns a bash shell for the logged-in user; even a key restricted with ForceCommand or an authorized_keys command= option hands the client's requested command to that shell in the SSH_ORIGINAL_COMMAND variable

PHP scripts run under mod_php are not affected, because request data never reaches the process environment, and neither is a bash script that is started without any attacker-controlled environment variables. However, this is little consolation, and an immediate bash upgrade is required on any *nix system (see below).

Miners, exchanges and anyone else running Linux-hosted Bitcoin nodes are looking at vulnerable systems. Code executed through the bash vulnerability runs with the privileges of the account that owns the exploited service; if that account can reach the Bitcoin Core process or read its data directory, so can the attacker, wallet.dat included.

Most mining hardware built on firmware running Linux will have remote login available via OpenSSH. Check with the manufacturer for their security solution.


What To Do: Immediate Security Steps

Every Version of Bash Since 1994

This security vulnerability affects GNU Bash versions 1.14 (released in 1994) through the most recent release, 4.3, according to NVD. The pervasive use of bash on systems across the internet makes the vulnerability as serious as the Heartbleed bug. If you run a Linux (or any *nix) system with bash installed, it has been vulnerable since its first boot and stays vulnerable until bash is upgraded.

Package Upgrade Now!

Your Linux distribution's package repository should contain a patched version of bash that fixes the vulnerability.

  1. Upgrade bash as soon as possible
  2. Preserve access and audit logs for forensic analysis, in case it later becomes apparent that someone who accessed your system exploited the bash vulnerability
  3. Search for rootkits with chkrootkit and rkhunter, a sensible initial step on any system right now

Ubuntu Linux currently has a fixed version of bash in package bash_4.3-7ubuntu1.1

Note that the upstream version number is still 4.3 (and bash --version will still report it): it is the distribution revision suffix, -7ubuntu1.1, that is bumped when a security patch is applied, so compare the full package version against your distribution's advisory rather than the version bash reports about itself.


How Does The Exploit Work?

Like most programming languages, bash allows functions to be defined. Bash also lets functions be exported to child processes: an exported function travels in the environment as a variable whose value begins with "() {", and every new bash process scans its environment for such values and defines the functions it finds. The vulnerability is that bash did not stop parsing at the function's closing brace: any commands appended after it were executed immediately while the environment was being imported, before the script or command bash was actually asked to run. For example:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
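The test command above, the package check from the upgrade steps, and the mod_cgi vector from the list of affected components, combined into one script. This is an added example, not code from the article or from the GNU Bash or Bitcoin Core projects: the CGI script and the User-Agent value are constructed for illustration, the file name check.sh is assumed, and the package query assumes a dpkg- or rpm-based distribution.

```shell
#!/bin/sh
# Added example (not from the article). Checks whether the bash on this host
# executes commands appended to an exported-function environment variable
# (CVE-2014-6271), reports the bash package version, and shows how a CGI
# request header turns into exactly such a variable.  Run: sh check.sh

# Prints "vulnerable", "patched" or "no-bash".
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The value starts with "() {", so bash treats x as an exported function.
    # A vulnerable bash keeps parsing past the closing brace and runs
    # "echo vulnerable" while importing its environment, before -c runs.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Prints the installed bash package version on dpkg- or rpm-based systems
# (compare it with the distribution advisory), or "unknown".
bash_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' bash 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' bash 2>/dev/null && return 0
    fi
    echo "unknown"
}

# Simulates what Apache's mod_cgi does: the client's User-Agent header is
# placed in the environment as HTTP_USER_AGENT, then the CGI script runs.
# The CGI script is a constructed stand-in written in bash; the header value
# is the constructed attack string.  Prints whatever the script prints.
cgi_request_demo() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "hello from cgi"
EOF
    # On a vulnerable bash "echo INJECTED" runs before the script's first line;
    # on a patched bash the function import is refused and only the script runs.
    HTTP_USER_AGENT='() { :;}; echo INJECTED' bash "$tmp" 2>/dev/null
    rm -f "$tmp"
}

main() {
    echo "bash status:  $(shellshock_status)"
    echo "bash package: $(bash_package_version)"
    echo "--- simulated CGI request with crafted User-Agent ---"
    cgi_request_demo
}

main "$@"
```

Any "INJECTED" line in the simulated CGI output means the request header was executed as code, which is the web-request vector the components list describes; the same mechanism applies to any other service that copies client-supplied data into the environment of a bash process.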

In a patched version of the bash shell, the same command refuses to import the function: bash prints a warning that it is ignoring the function definition attempt, nothing from the variable is executed, and only "this is a test" is printed:

(screenshot: patched GNU bash 4.3 output)

Introshine gives some examples of how the exploit may be used in practice:

That's pretty serious. Most of the attack vector hits pretty specific server-type scenarios. Or running crafted bash scripts.

The exception is the DHCP attack vector. I'll explain: What this actually does is the following: There is a protocol called DHCP - it gives the devices in your network an IP address. Normally, this is the router/server in your LAN.

Some guy could be running a 2nd DHCP server in a public LAN that gives out non-valid addresses or even a non-valid one. Because DHCP is a broadcast, your client will talk to this rogue server when he is the fastest to reply. So you would not even notice, but can still use the internet fine because after DHCP is done, the DHCP server is no longer needed for internet/network to function.

He could include a variable (mostly used to deploy proxy settings etc.) with a rogue string included; that string can be executed because Bash is broken, hence he could:

- Copy the wallet.dat over
- If the DHCP client runs as root (some distros): infect the machine with a keylogger/virus/rootkit
- etc.

GNU/Linux users and other OSes: be safe, check your update repo to see if CVE-2014-6271 has been patched. Be wary of unknown networks, especially open networks near Bitcoin events or hacker spaces.

Btw, Trezor, Co-sign wallets like Greenaddress and cold wallet unaffected.

For more details see the Red Hat security advisory pertaining to this issue.

This story will be updated as relevant facts come to light.


Images from Shutterstock.

This article is protected by copyright laws and is owned by CCN Markets.

About the author

Jonas Borchgrevink

Founder of CCN.com and Hacked.com. Passionate about how technology can empower people to create a more just and sustainable world.
