MCNC Security Advisory 2014.003

Bash Shell Vulnerability Can Lead to Unauthorized Remote Command Execution

General Information

Executive Summary

The Bash shell is a popular command line interpreter used for executing system commands in a Unix or Linux (or similar) environment. It is widely deployed and used on many servers and workstations, and is the default shell for Mac OS X systems and most popular Linux distributions.

In late September 2014, a serious vulnerability was disclosed in the way that the Bash shell parses function definitions passed to it through environment variables. The flaw allows an attacker who can place data into the environment of a Bash process (for example, through a web server's CGI interface) to execute arbitrary commands on the vulnerable system.

Exploit code for this vulnerability is publicly available, and it is probable that attackers will build automated tools for finding and exploiting vulnerable systems. Network and system administrators should locate and update vulnerable systems as soon as possible.

Additional information about new exploits, attack vectors, and vendor updates for this issue continues to be released. We will update this advisory as new information becomes available.

Advisory Details

Details of the Issue

All versions of the GNU Bash shell through and including 4.3 contain a flaw that allows an attacker who controls the contents of an environment variable passed to a Bash process to inject arbitrary commands that Bash then executes. The root cause is not a missing input check on the command line but the way Bash imports function definitions from the environment: the parser does not stop at the end of the function body.

Bash allows a shell function to be exported so that child shells receive it as an environment variable whose value begins with "() {". When a new Bash process starts, it scans its environment for such variables and loads the function definitions before doing anything else. Because the vulnerable parser keeps going past the closing brace of the function body, any commands appended after the definition are executed immediately, during shell startup, before the shell runs whatever it was actually asked to run.

This vulnerability is referred to as Shellshock and may be exploited in a number of different ways. Many different types of applications make use of the Bash shell behind the scenes, and any of them that lets attacker-supplied data reach the environment of a Bash process is a potential injection point. Examples include web servers running CGI scripts (HTTP request headers are handed to CGI programs as environment variables), SSH servers that restrict users with a forced command (the original client command is passed in an environment variable), telnet (the protocol can carry client-supplied environment variables), and even DHCP clients that run Bash hook scripts with option values supplied by a rogue server. Client-side software applications such as email or other messaging clients may also be vulnerable if they invoke the Bash shell with attacker-influenced data in the environment.

The issue is compounded due to the number of systems deployed that contain the vulnerable Bash software. Many of these systems can be readily identified (such as Linux servers). Others might not be obvious. Many “appliance” devices run some Unix or Linux variant and may be vulnerable. Administrators should consider all types of systems that may be vulnerable, not just the obvious systems.

The combination of trivial exploitability, arbitrary command execution, the large number of potentially vulnerable systems, and the potential difficulty in identifying vulnerable hosts all add up to make this a particularly dangerous situation. System and network administrators should be vigilant in finding and remediating vulnerable systems in their environments.

Suggested Actions

The information below provides a list of some actions that you should consider in order to protect your systems and networks. This list is not comprehensive and there may be other actions that you choose to take. This is just a sample of some common techniques that can be used to address this vulnerability.

Find Vulnerable Systems

It is important to identify the vulnerable systems that need to be fixed. Start with the obvious targets: Linux and Unix servers and workstations. Mac OS X systems running OS X 10.9.5 or earlier ship with a vulnerable version of Bash installed by default.

But do not stop with these obvious targets. Also consider other systems that might have Bash installed, such as routers, switches, other network devices, network security software, video equipment, NAS devices, etc. Work with system vendors to determine which products are affected. Pay special attention to "appliance" devices, as many of these run on top of Unix- or Linux-like operating systems and may ship a vulnerable Bash. Think about any device in your environment that has a command line.

If you have a vulnerability scanner (Nessus, NeXpose, Qualys, McAfee Vulnerability Manager, etc.) use it to scan your networks to identify vulnerable systems.
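The following is an added example, not part of the MCNC advisory, that serves both the mechanism described under "Details of the Issue" and the host check called for above. It exports an environment variable that looks like a Bash function definition with a command appended after the function body, starts the Bash interpreter under test with a harmless command, and reports whether the appended command ran. The variable name x, the marker string, and the optional interpreter-path argument are choices made for this example; it is written in POSIX sh so it can be run from any shell on the host being checked.

```shell
# Added example (not part of the MCNC advisory): local probe for the
# environment-variable function-import flaw (CVE-2014-6271).
#
# A vulnerable bash imports an environment variable whose value starts
# with "() {" as a function definition and keeps parsing past the closing
# brace, executing whatever follows.  A patched bash ignores the trailing
# text (some patched versions also print a warning on stderr).

# Print "vulnerable", "not vulnerable" or "bash not found" for the
# interpreter named in $1 (default: the first "bash" on PATH).
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = no interpreter.
shellshock_check() {
    target="${1:-bash}"
    command -v "$target" >/dev/null 2>&1 || { echo "bash not found"; return 2; }

    # The function body ':' is a no-op; the trailing 'echo' is the payload.
    # The -c command is deliberately innocuous, so the probe itself is safe
    # to run on production hosts.  Marker text is arbitrary (assumption).
    out=$(env x='() { :;}; echo SHELLSHOCK_TRAILING_COMMAND_RAN' \
          "$target" -c ':' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_TRAILING_COMMAND_RAN*) echo "vulnerable";     return 1 ;;
        *)                                 echo "not vulnerable"; return 0 ;;
    esac
}

# Check every bash binary you know about, not just the first one on PATH:
# appliances, package managers and developers often install extra copies.
# The paths below are hypothetical examples.
check_all_known_bash() {
    for b in bash /bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        printf '%-24s %s\n' "$b" "$(shellshock_check "$b")"
    done
}
```

Run `shellshock_check` (or `check_all_known_bash`) on each host; a "vulnerable" result means the trailing command executed during shell startup, which is exactly the behavior an attacker abuses. A clean result only shows that this specific probe no longer works against that binary; still apply the vendor update, since follow-on fixes for the same parser continue to be released.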

Update Vulnerable Bash Software

Vendors are releasing security updates that address the underlying vulnerability. Be on the lookout for updates related to this issue from the vendors of every system deployed in your environment.

Also note that security updates may come in several forms. Web application software may be vulnerable because it hands request data to the Bash shell for processing (for example, a CGI script, or a program that calls system() on a platform where /bin/sh is Bash). Such a system might be partly remediated by updating the web application so that it no longer invokes Bash with attacker-controlled data, in addition to updating Bash itself. Because of the many unknown ways in which the vulnerability might be exploited, it is important to address the root cause by patching Bash; an application-level fix alone leaves every other Bash invocation on the host exposed. But be mindful that applications may release patches as well, and apply both.

Identify and Block Attack Traffic

It may be possible to use IDS/IPS systems to identify and block traffic attempting to exploit this vulnerability. Exploit attempts against network services carry the function-definition marker "() {" in some field that the target copies into an environment variable (for CGI, HTTP headers such as User-Agent or Referer are the common case), and that marker is what most signatures look for. Check for the availability of signatures for your IDS/IPS system, and treat blocking as a stopgap rather than a substitute for patching, since the marker can arrive over many protocols and in many fields.
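An added example, not from the advisory, of the detection side for hosts where you have web-server logs rather than an IDS: it searches Apache combined-format access log lines for the function-definition marker that exploit attempts carry in a request header. The sample log lines, IP addresses, and paths are constructed for this example; the regular expression is deliberately loose, since legitimate header values essentially never contain the marker.

```shell
# Added example (not the advisory's own material): find Shellshock
# exploitation attempts in web server access logs.
#
# HTTP servers running CGI scripts pass request headers to the script as
# environment variables (User-Agent -> HTTP_USER_AGENT, Referer ->
# HTTP_REFERER, ...), so a header value beginning with "() {" is how an
# attacker reaches the bash function-import flaw over the network.  The
# combined log format records User-Agent and Referer, so the marker shows
# up there.

# "()", optional whitespace, "{".  Extended regex for grep -E.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print every line of the given log file(s), or stdin, that carries the marker.
find_shellshock_probes() {
    grep -E "$SHELLSHOCK_RE" "$@"
}

# Print only the number of matching lines (prints 0 when there are none;
# grep exits 1 on no match, which is not an error here).
count_shellshock_probes() {
    grep -E -c "$SHELLSHOCK_RE" "$@" || true
}

# Constructed sample log in Apache "combined" format.  Hosts, paths and
# payloads are invented for the example; the two 203.0.113.5 lines carry
# the marker in the User-Agent and Referer fields respectively.
make_sample_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.23 - - [25/Sep/2014:10:01:09 -0400] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
203.0.113.5 - - [25/Sep/2014:10:01:15 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id" "-"
192.0.2.44 - - [25/Sep/2014:10:02:00 -0400] "POST /login HTTP/1.1" 302 0 "-" "curl/7.37.0"
EOF
}

# Usage against a real log (hypothetical path):
#   find_shellshock_probes /var/log/apache2/access.log
# Usage against the constructed sample:
#   make_sample_log | find_shellshock_probes
```

Source addresses that appear in the matching lines are candidates for blocking at the perimeter, but a match in the log only proves an attempt; whether it succeeded depends on whether a Bash CGI (or a CGI that shells out) sat behind the requested path on an unpatched host, which is what the host probe under "Find Vulnerable Systems" answers.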

Check Cloud Applications

After you have confirmed that your own systems are protected, don't forget the external systems (cloud applications) used to conduct business. Consider both enterprise applications and personal web sites, and confirm with the providers that they are patched as well.

Additional Information

  1. http://www.kb.cert.org/vuls/id/252743
  2. https://access.redhat.com/articles/1200223
  3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
  4. http://www.net-security.org/secworld.php?id=17413
  5. http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
  6. http://nakedsecurity.sophos.com/2014/09/25/bash-shellshock-vulnerability-what-you-need-to-know/

Revisions

  • v1.0 (September 25, 2014): Advisory published.