Shellshock - Bash Remote Code Execution Vulnerability
The US-CERT has issued Shellshock as a critical vulnerability affecting Linux/UNIX operating systems and Apple’s Mac OS X. According to the US-CERT, if exploited, this vulnerability gives attackers the ability to remotely execute shell commands by attaching malicious code to environment variables used by the operating system.
Check Point:
https://www.checkpoint.com/blog/protecting-shellshock/
https://www.checkpoint.com/press/2014/media-alert-check-point-protects-customers-shellshock.html
“Check Point issued an IPS protection this morning to detect and block attempts to exploit the vulnerability. We recommend that all of our customers make the update immediately in order to secure their networks,” said Dorit Dor, vice president of product at Check Point Software Technologies. “Shellshock leaves many systems vulnerable to attack, with a global impact that reaches far beyond any other network vulnerability.”
Palo Alto:
https://researchcenter.paloaltonetworks.com/2014/09/addressing-bash-vulnerability-shellshock-palo-alto-networks-mitigation-cve-2014-6271/
- Palo Alto Networks Threat Prevention customers should immediately update to Threat Content Version 457 to deploy vulnerability signature 36729, which detects exploitation of CVE-2014-6271 through HTTP requests.
RedHat / Linux:
https://seclists.org/oss-sec/2014/q3/650
Vulnerability Details
CVE-2014-6271 exists in all versions of Bash and is related to how environment variables are processed when the shell starts up. Environment variables are used by shell software to store pieces of information like the location of the user’s home directory. In addition to storing variables, Bash allows for storing shell functions in variables that users can call later. It’s in parsing these functions that the new Bash vulnerability exists, as the shell mistakenly executes code that is added after a function definition. Here’s an example:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Bash should stop processing the environment variable “x” after the closing semicolon for the function, but instead continues to process “echo vulnerable”. At first glance, this might not seem too dangerous as executing commands is Bash’s primary function, but it’s important to understand that many other programs use Bash to process commands.
- Apache Servers running mod_cgi and mod_cgid may spawn Bash shells and pass malicious HTTP Headers and request variables that exploit the vulnerability.
- OpenSSH parses passed environment variables with Bash in some cases, making it vulnerable to privilege escalation through this vulnerability.
While these two scenarios are currently the most-likely vectors for exploiting this vulnerability, it’s likely that other services use Bash in a network-exploitable way. The only way to fully prevent exploitation is to upgrade Bash on the system to a non-vulnerable version.
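The one-line test above answers only yes or no. The script below is an added example, not part of the original post or of any vendor's tooling: it wraps the same environment-variable test in a POSIX sh function that runs a child `bash` (assumed to be on PATH) and reports a status word. Besides the vulnerable case it also distinguishes a bash that merely stopped executing trailing code from one whose later patches stopped importing functions from arbitrary variable names altogether; the function and status names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify the local bash
# against the Shellshock environment-variable test. Assumes a "bash"
# binary on PATH; everything else is POSIX sh.

# Prints one of: vulnerable | imports-env-functions | hardened | no-bash
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }

    # A vulnerable bash runs the trailing "echo vulnerable" while it
    # imports the function stored in x, so the word shows up in stdout.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 0 ;;
    esac

    # First-generation fix: trailing code is no longer executed, but any
    # variable whose value starts with "() {" is still imported as a
    # function. Later patches moved exported functions to a dedicated
    # namespace, so a hardened bash does not define x from a plain
    # variable at all (declare -F x then fails).
    if env x='() { :;}' bash -c 'declare -F x >/dev/null 2>&1'; then
        echo imports-env-functions
    else
        echo hardened
    fi
}

# Succeeds (exit 0) when trailing code in an env var is not executed,
# i.e. the status is anything other than vulnerable or no-bash.
shellshock_is_patched() {
    s=$(shellshock_status)
    [ "$s" = hardened ] || [ "$s" = imports-env-functions ]
}

# Usage: shellshock_status; shellshock_is_patched && echo "patched"
```

Run it on the machine itself rather than over the network: the status tells you whether this bash is safe to sit behind a CGI handler or an SSH forced command, but not whether any such service is actually exposed, which is the separate question the paragraph above raises.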
Impact
The good news is that this vulnerability was disclosed responsibly and patches are available for most platforms on the day of the public disclosure. The bad news is that this vulnerability is going to have a very long tail. Bash is the default shell for the most-popular Linux variants and every version of the software stretching back over two decades is vulnerable. Well-maintained systems will be patched today, but that dusty old system in the networking closet might never get the update. Additionally, network devices, embedded systems and Internet-connected devices (like IP Cameras) often run Linux and could be vulnerable.
Fortunately, not every system is remotely exploitable simply because it’s running Bash; it also needs to be running an application that makes Bash accessible over the network. As described above, the most-common exploit scenario seems likely to be web servers running Apache and using CGI scripts. Web servers are valuable resources for attackers. They can be used to:
- Launch DDoS attacks (See Operation Ababil)
- Infect visitors with malware
- Gain a foothold in a network and spread to additional systems
- Steal sensitive data accessible to the web server
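Since the Apache CGI path is the scenario the post singles out, a defender's first question is whether the web logs already show the tell-tale function-definition prefix. The script below is an added example, not part of the original post or of any vendor signature: it greps Apache combined-format access log lines for the `() {` prefix that the test string above begins with. The log lines are constructed for this example (RFC 5737 documentation addresses, and the only command they carry is the post's own `echo vulnerable`); the regex, function names and sample data are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag access-log lines that
# carry a Bash exported-function prefix "() {" in a header or URL.
# The log lines are constructed for this example; IPs are RFC 5737
# documentation addresses.

sample_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo vulnerable" "curl/7.30.0"
203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /search?q=foo()%20bar HTTP/1.1" 200 128 "-" "Mozilla/5.0"
EOF
}

# Extended regex for the prefix: "()" then optional whitespace then "{".
# The optional whitespace covers both "() {" and "(){" spellings.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print every input line that contains the prefix anywhere (Referer,
# User-Agent, query string or any other field that reaches CGI as an
# environment variable).
shellshock_scan() {
    grep -E "$SHELLSHOCK_RE"
}

# Print the number of matching lines; prints 0 instead of failing when
# grep finds nothing, so it is safe under "set -e".
shellshock_count() {
    grep -cE "$SHELLSHOCK_RE" || true
}

# Usage:
#   sample_log | shellshock_scan
#   sample_log | shellshock_count      # prints 2 for the constructed sample
```

The fourth constructed line shows why the brace matters: a bare `()` in a query string is ordinary traffic and must not trip the rule. Real logs may carry the prefix URL-encoded, so decode `%XX` sequences (and check request bodies, which the access log does not record) before applying the pattern; a hit in the log only proves an attempt, and whether it succeeded depends on the Bash status of the host that served the request.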