Remote exploit vulnerability in Bash [CVE-2014-6271 and CVE-2014-7169] – Nicknamed: Shellshock
A new vulnerability was discovered earlier this week by security researcher Stephane Chazelas and is breaking over various news and security related sites. This has been assigned CVE identifier CVE-2014-6271 and affects all *nix (Unix and Linux) distributions using GNU Bash through to version 4.3.
As bash is installed by default on the vast majority of distributions, and many system components rely on it, the likelihood is that you and your organisation are vulnerable.
The vulnerability is caused by trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
It is not just the known/managed server estate that could be affected; it’s critical that any and all systems running *nix distributions are considered. For example, think also about anything within your infrastructure, such as appliances provided by third parties or systems running ‘in-built’ operating systems (which you have no access to patch), like routers and firewalls.
Again, this highlights how important it is that Open Source (often free) software—which many organisations rely so heavily on—receives funding and attention from the security industry in terms of vulnerability research. SureCloud’s Luke Potter wrote a recent article for Computer Weekly on this subject matter.
In summary there are two elements to the Shellshock bug:-
- The main underlying vulnerability within Bash
- Various attack vectors that pass data into Bash and essentially make the issue “remotely exploitable”. CGI applications are a prime example of the second element.
Could my organisation be vulnerable?
If you are running any *nix distribution with services or anything else that calls bash as the system shell, for example CGI scripts or DHCP scripts, you will be vulnerable. However, if (for example) the shell used is ‘dash’ (on Debian systems the shell defaults to /bin/sh, which is a symlink to /bin/dash) then you wouldn’t be vulnerable, unless the service in question has specifically been configured to use /bin/bash (check /etc/passwd for this).
How to detect?
We would recommend that clients connect to all of their systems and run the following command to identify if they are vulnerable (note: if not running bash as your default shell, prefix with /bin/bash -c "command"):
To detect and identify CVE-2014-6271 run the following:-
Command: x='() { :; } ; echo surecloudtest' bash -c 'echo test'
If vulnerable the shell should output the following:-
surecloudtest
test
Whereas on a patched system, the output should be as follows:-
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
test
To detect and identify CVE-2014-7169 run the following (bypasses any applied fix for CVE-2014-6271):-
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
If vulnerable the shell should output the following:-
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
uid=0(root) gid=0(root) groups=0(root)
Whereas on a patched system:-
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
id
Check ‘/etc/passwd’ for any users running ‘bash’ as their shell, since they will be vulnerable. Pay specific attention to any users/accounts running services that are exposed to the public internet (for example the Apache web server).
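The detection steps above, wrapped as an added example (not SureCloud's own tooling) so that the two commands and the /etc/passwd review can be run across an estate from cron, an SSH loop or configuration management and report by exit code. It assumes a bash binary is on PATH (override with BASH_BIN) and that /etc/passwd is readable (override with PASSWD_FILE); both variable names are this example's own.

```shell
#!/bin/sh
# Added example: the advisory's two Shellshock checks as functions that report
# by exit code, plus the /etc/passwd review it recommends. BASH_BIN and
# PASSWD_FILE are this example's own knobs, not part of the advisory.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: 0 = vulnerable (the trailing "echo surecloudtest" ran),
# 1 = patched (bash ignores the definition), 2 = no bash binary found.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    out=$(x='() { :; } ; echo surecloudtest' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *surecloudtest*) return 0 ;;
        *)               return 1 ;;
    esac
}

# CVE-2014-7169: run the advisory's second test in a scratch directory. On a
# vulnerable bash the parser bug turns "echo id" into "id > echo", so a file
# named "echo" appears; a patched bash only prints "id". Same return codes.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env -i X='() { (a)=>\' "$BASH_BIN" -c 'echo id' >/dev/null 2>&1) || true
    if [ -f "$tmp/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Accounts whose login shell is bash: service accounts in this list that face
# the internet (e.g. the web server's user) deserve the first attention.
bash_login_accounts() {
    awk -F: '$NF ~ /\/bash$/ { print $1 }' "${PASSWD_FILE:-/etc/passwd}"
}

# Prints one status line per check; returns 0 if either check found bash
# vulnerable, so "bash_is_vulnerable && alert" works from monitoring.
bash_is_vulnerable() {
    vulnerable=1
    for c in check_cve_2014_6271 check_cve_2014_7169; do
        "$c" && rc=0 || rc=$?
        case $rc in
            0) echo "$c: VULNERABLE"; vulnerable=0 ;;
            1) echo "$c: patched" ;;
            *) echo "$c: bash not found, skipped" ;;
        esac
    done
    return $vulnerable
}
```

Run `bash_is_vulnerable && echo "$(hostname) needs patching"` on each host; `bash_login_accounts` then lists where a vulnerable bash is actually reachable as a login shell.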
SureCloud has two types of detection already in place for the presence of this vulnerability for all customers who are licensed for our on-demand scanning functionality.
The first [ID: 77829] attempts to enumerate all web services, then identifies vulnerable systems via exploitation of any scripts found. A template has been created for this within SureCloud entitled ‘Shellshock Detection’ and can be selected when creating a new scan. Please note: this check is automatically included in all other scan policies. The ‘Shellshock Detection’ template is for clients wanting to look specifically for this vulnerability only.
The second [ID: 77823] requires SSH credentials to systems (to be setup via a client specific tool setting) which will then login to the target systems (providing SSH is accessible) and enumerate vulnerable versions across those systems. Clients can use the same ‘Shellshock Detection’ template, but will also need to create a tool setting containing the required credentials with the job updated to reflect this specific tool setting. For assistance with this process please contact the SureCloud team via the support area of the SureCloud Platform.
Are SureCloud vulnerable?
The SureCloud Platform and any client facing systems do not run any kind of CGI script and, in addition, bash is not used as the ‘default’ shell. Even so, as part of a defence in depth approach, all of our own systems have already been patched against this vulnerability.
How to resolve/patch?
Various distributions have already released patches for bash, as follows:-
Please note: the original fix for CVE-2014-6271 is considered to be incomplete, and bypasses that still allow exploitation have been found. Please see CVE-2014-7169 for more details on this. Therefore, the patches for CVE-2014-6271 have now been updated to also resolve CVE-2014-7169 as follows:-
Other mitigation includes applying mod_security rules to web servers.
In addition, avoid functions such as system(), popen() and exec() in PHP (or any similar functionality in the respective web application language). The generally recommended method is to use library calls instead of invoking the shell.
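Alongside mod_security rules, the same pattern can be hunted in web server logs already collected. The following is an added example, not from the advisory: it flags requests whose headers carry the "() {" prefix every Shellshock payload must start with. The log lines are constructed samples in Apache combined format, and the payload in them is the advisory's own harmless test string; function names are this example's own.

```shell
#!/bin/sh
# Added example: hunt Apache access logs for the "() {" prefix that Shellshock
# payloads carry in a header (here the User-Agent or Referer field). The log
# lines are constructed samples; the payload is the advisory's own test string.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo surecloudtest"
198.51.100.3 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :;}; echo surecloudtest" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:02:00 +0000] "GET /docs/functions.html HTTP/1.1" 200 99 "-" "Scanner (x) {y}"
198.51.100.3 - - [25/Sep/2014:10:03:11 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "()  { :; }; echo surecloudtest"
EOF
)

# Lines where any field holds "()" followed by optional whitespace and "{",
# the shape bash's function importer accepted; "(x) {y}" on line 4 is not it.
find_shellshock_probes() {
    printf '%s\n' "$1" | grep -E '\(\)[[:space:]]*[{]'
}

# Number of matching requests.
count_shellshock_probes() {
    find_shellshock_probes "$1" | wc -l | tr -d ' '
}

# Distinct source addresses behind the probes, one per line, sorted.
probe_sources() {
    find_shellshock_probes "$1" | awk '{ print $1 }' | sort -u
}

# Paths that both received a payload and answered 200: the script ran for
# that request, so these hosts and scripts are checked first.
probes_answered_200() {
    find_shellshock_probes "$1" | awk '$9 == 200 { print $7 }' | sort -u
}

echo "probes: $(count_shellshock_probes "$SAMPLE_LOG")"
probe_sources "$SAMPLE_LOG"
```

Feed a real log with `count_shellshock_probes "$(cat /var/log/apache2/access.log)"`; a match is a probe, not proof of compromise, so pair it with the local bash check on the host that served the request.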
Get in touch
Should you have any questions regarding this or any security related matter please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support
Further References
https://www.theregister.co.uk/2014/09/25/shell_shocked_not_yet/
https://www.theregister.co.uk/2014/09/24/bash_shell_vuln
https://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-…
https://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
Please Note: This article will be updated with new information, links and recommendations as this vulnerability develops.
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.