Galleon Systems Answers Your ‘Shellshock’ Bug Questions
Posted by Stuart Thomason on 01 October 2014 11:08
A recent announcement of a newly discovered bug in the widely used Bash command interpreter has sparked widespread concern about the security of Unix- and Linux-based systems. But what is the ‘Shellshock’ bug? Is my Linux-based NTP time server affected? Do I need to do anything? Read on to get your questions answered.
What is Bash?
If you’re unfamiliar with Bash, it is simply a command processor (a shell), usually run in a terminal window (see fig. 1), in which users type commands for the system to carry out. Bash can also read commands from a file, referred to as a script, and many system programs use it to run commands on their behalf.
Fig.1 - An example of the Bash command processor in action.
What is the Shellshock Bug?
It’s a family of security bugs found in the widely used Unix Bash Shell, discovered by Stephane Chazelas on 12th September, 2014. The discovery of the bug was disclosed to the public on 24th September, 2014.
How does the Shellshock Bug affect Bash?
Many systems, such as web servers, use Bash to run commands on their behalf, and when they do so they pass data into Bash through environment variables. The Shellshock bug (tracked as CVE-2014-6271, with follow-up issues found once the first fix was examined) is in the way vulnerable versions of Bash import function definitions from those environment variables: Bash keeps parsing past the end of the function definition and executes any commands that follow it. If an attacker can control the contents of an environment variable that reaches Bash, for example an HTTP header handed to a CGI script, they can therefore make Bash execute arbitrary commands of their choosing, giving them unauthorised access to the system without needing a password or any other credentials.
Is the Shellshock Bug Serious?
Yes! NIST rates the flaw 10 out of 10 for severity (the maximum CVSS base score). It can leave countless websites, servers, PCs, OS X Macs, numerous home routers and other systems open to manipulation by attackers. The bug has also been compared to the recent ‘Heartbleed’ bug because of its potential to compromise millions of systems, and because exploitation is simple and requires no special tools.
What Versions of Bash are affected?
All releases of Bash up to and including version 4.3 are affected until the vendor’s patches are applied. The version number alone does not tell you whether a system has been patched, because Linux distributions ship fixes as patch levels of an existing version, so the only reliable check is to test the installed Bash binary (see below).
Is my Galleon Systems, Linux Operated, NTP Time Server Affected?
No! Your NTS-6001 GPS NTP server unit is not vulnerable to the Shellshock bug. This particular model runs a custom-built version of Linux whose only shell is a basic ‘sh’. Galleon’s custom-built Linux does not include Bash at all, so the attack described in the various press reports, which relies on Bash’s handling of environment variables, has nothing to target on the unit.
Fig.2 - Your NTS-6001 GPS NTP Server is immune to the 'Shellshock' bug.
How do you know that ‘sh’ is not affected?
Bash implements the standard ‘sh’ command language and then adds many extensions of its own. The Shellshock bug lives in one of those extensions, the ability to export shell functions to child processes through environment variables, which is not part of the basic ‘sh’ shell. A shell that never imports function definitions from its environment has no code path for the bug to trigger, which is why Galleon’s Linux GPS NTP servers are not susceptible to the Shellshock bug and remain secure.
So, do I need to do anything to my time server?
No! From a security perspective there is no threat to your Galleon Systems NTP server from this bug, so no action on your part is required.
How do I Check if other Systems are Vulnerable?
An article published by theregister.co.uk suggests a one-line test to run in your default shell, which on most systems will be Bash: it sets an environment variable whose value looks like a function definition followed by an extra command, then starts a new shell. If the word ‘busted’ appears in the output, that shell executed the extra command and is vulnerable. Note that ‘sh’ on many Linux systems is actually Bash under another name, so it is worth checking /bin/sh as well as /bin/bash.
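As an added example (not code from the original article, from Galleon or from The Register), the following POSIX sh script wraps that test so it can be run against any shell binary on a machine. It first reports whether the binary is really Bash, then runs the Shellshock probe against it. The variable name X, the marker word ‘busted’ and the function names are our own choices; the probe payload itself is the widely published one for the original bug.

```sh
#!/bin/sh
# Added example: probe one or more shell binaries for the original Shellshock
# bug.  The payload is an environment variable whose value is a Bash function
# definition "() { :; }" followed by a trailing command "; echo busted".  An
# unpatched Bash runs the trailing command while importing the variable; a
# patched Bash, or a non-Bash /bin/sh (dash, BusyBox ash, ...), does not.
# Function names, the variable name X and the marker "busted" are our own.

# Print "bash <version>" if the binary named by $1 is Bash, else "not bash".
# In any non-Bash shell ${BASH_VERSION:-} simply expands to an empty string.
shell_is_bash() {
    ver=$("$1" -c 'printf "%s" "${BASH_VERSION:-}"' 2>/dev/null)
    if [ -n "$ver" ]; then
        echo "bash $ver"
    else
        echo "not bash"
    fi
}

# Run the Shellshock probe against the shell named by $1.
# Prints one of: VULNERABLE / not vulnerable / not found.
# Exit status: 1 if vulnerable, 2 if the shell cannot be found, 0 otherwise.
shellshock_check() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "not found"
        return 2
    fi
    # env(1) places X in the child's environment without involving the
    # current shell's parser, so the probe tests only the shell under test.
    out=$(env X='() { :; }; echo busted' "$1" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *busted*) echo "VULNERABLE";     return 1 ;;
        *)        echo "not vulnerable"; return 0 ;;
    esac
}

# Usage: sh shellshock_check.sh [shell ...]   (defaults to /bin/sh and bash)
[ $# -gt 0 ] || set -- /bin/sh bash
for s in "$@"; do
    printf '%-12s %-18s %s\n' "$s" "$(shell_is_bash "$s")" "$(shellshock_check "$s")"
done
```

On a patched or Bash-free system every line ends in ‘not vulnerable’. If any shell reports VULNERABLE, update the Bash package from your distribution and re-run the script; because later Shellshock variants were fixed in separate patches, install every Bash update your vendor provides rather than stopping once this particular probe stops printing ‘busted’.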
Concerned about your Galleon device?
If you need any clarification regarding the ‘Shellshock’ bug and your Galleon Systems device either submit a ticket or call us on 0121 608 7230.
Galleon Systems Support Team