‘Bash’ ShellShock vulnerability

[h1]Background[/h1]

Wednesday 24th September was yet another big news day in the world of IT: CVE-2014-6271 (also known as Shellshock) was made public, with a corresponding patch for Bash (a common Linux shell). The vulnerability becomes a problem in certain use cases (those identified so far). The main area of concern is Internet-facing infrastructure where CGI (Common Gateway Interface) scripts are in use, because user-supplied data sent from the Internet in specially crafted requests can result in unauthorised code execution.

Other instances of malicious code execution are starting to come to light, with working tests using rogue DHCP servers when an OS calls a Bash-based script such as dhclient. Effectively, anything where a variable is passed to Bash could become a target for an attacker.

Unlike Heartbleed, which affected OpenSSL, vulnerabilities in the Bash shell present a much bigger problem. Bash is much more widespread, so it may be very hard for an organisation to identify where it’s in use, especially when considering the number of embedded devices with web interfaces and so on.

[h2]Affected Systems[/h2]

This is the big issue: any system or product which uses CGI and a vulnerable version of Bash is potentially affected.

The vulnerability affects Bash versions up to and including version 4.3 and is a form of code injection in Bash’s handling of environment variables. Apache web servers in particular are affected; to put this in perspective, almost half of the Internet is at risk of compromise (before patching).

[h2]What to do?[/h2]

Vendor patches for nearly all major OSes and web servers will likely be published within the next day at the very latest. If you work for an organisation with significant change control processes in place, you should start thinking about raising an emergency change request. If, however, you can apply patches reasonably easily, then keep an eye on your vendor’s website to get the patch as soon as it’s available.

Another, slightly more extreme, means of protection is to take the vulnerable systems offline if they are not business critical, or at least to hide them from the Internet through the use of firewall rules.

[h2]How do you know if you’re vulnerable to Shellshock?[/h2]

It’s fairly easy to find out whether you are vulnerable to Shellshock: there is a simple test that The Register suggests performing. All you need to do is run the following command in your default shell (most likely Bash):

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

If the word “busted” is echoed back out, then you’ve successfully exploited the bug. If not, then either your Bash is fixed or your shell is using another interpreter.
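Because the single command above only tests whatever /bin/sh points to, the following added example (not part of the original post) runs the same test against every shell installed on the host, going beyond the one-shell case in the text. The function names, the result strings and the use of /etc/shells as the inventory source are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: run the page's CVE-2014-6271 test against each installed shell.
MARKER="busted"   # the same harmless marker string the page's test echoes

# check_shell PATH -> prints "vulnerable", "not-vulnerable" or "missing"
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # A vulnerable Bash runs the trailing "echo" while importing X.
    # stderr is dropped: a patched Bash may warn about the odd definition.
    out=$(env X="() { :;} ; echo $MARKER" "$shell_path" -c "echo stuff" 2>/dev/null)
    case "$out" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

# list_shells [FILE] -> candidate shell paths, one per line, de-duplicated.
# FILE defaults to /etc/shells; comment lines in it are skipped.
list_shells() {
    shells_file=${1:-/etc/shells}
    {
        echo /bin/sh
        echo /bin/bash
        [ -r "$shells_file" ] && grep -E '^/' "$shells_file"
    } | sort -u
}

# audit_shells [FILE] -> one "path<TAB>result" line per shell;
# returns 1 if any shell is vulnerable, so it can gate a patch job.
audit_shells() {
    rc=0
    for s in $(list_shells "$1"); do
        result=$(check_shell "$s")
        printf '%s\t%s\n' "$s" "$result"
        [ "$result" = "vulnerable" ] && rc=1
    done
    return $rc
}

# Run the audit only when asked, e.g.  sh shellshock_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_shells; fi
```

A "not-vulnerable" result for /bin/sh alone is not conclusive on systems where /bin/sh is not Bash, which is why /bin/bash is always included in the list.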

[h2]Patching[/h2]

Linux Operating Systems have deployed patches:
