GNU Bash "Shellshock" Vulnerability
RISK: Extremely High Risk
TYPE: Operating Systems - Linux
A vulnerability has been identified in bash (GNU Bourne-Again Shell), related to how environment variables are processed. The vulnerability is now known as "Shellshock".
In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell:
- Apache HTTP Server using mod_cgi or mod_cgid scripts that are either written in Bash or spawn subshells.
- Override or bypass of the ForceCommand feature in OpenSSH sshd, and of the limited protection in some Git and Subversion deployments that use it to restrict shells, allowing arbitrary command execution.
- Arbitrary commands run on a DHCP client machine, and in various daemons and SUID/privileged programs.
- Exploitation of servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
Note: The vulnerability is currently being exploited in the wild.
Impact
- Remote Code Execution
System / Technologies affected
- Any UNIX, Linux and Mac OS X with Bash shell version 4.3.
Solutions
Before installing the software, please visit the software manufacturer's web site for more details.
- Please note that solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install the existing patches and watch for updated patches that address CVE-2014-7169. Please refer to individual OS vendors for the latest software updates.
- GNU, the vendor of Bash, has issued a patch. You can update the bash shell by compiling the latest source code released by GNU:
http://www.gnu.org/software/bash/
[UPDATE 2014-09-29] There are patches available for many of the major Linux distributions:
- Red Hat Enterprise Linux (versions 4 through 7)
- Fedora
- CentOS (versions 5 through 7)
- Ubuntu (10.04 LTS, 12.04 LTS, and 14.04 LTS)
- Debian
[UPDATE 2014-09-30] Other products:
- Apple OS X (OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5)
- IBM HTTP Server and IBM WebSphere Application Server (6.0.2, 6.1, 7.0, 8.0, 8.5, 8.5.5)
Detection for vulnerability CVE-2014-6271
To detect whether a CGI Web site is vulnerable (HTTP sites only), use this checking site:
To detect whether a Linux, Unix, BSD or Mac OS X host is vulnerable, enter the following command at the shell:
- env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will look like:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
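The shell test above can be wrapped in a small script so that it can be run across many hosts and its result checked by exit status rather than by eye. The script below is an added example, not part of the advisory; it probes a given bash binary for both CVE-2014-6271 (the test shown above) and CVE-2014-7169 (the follow-up parser bug the advisory mentions), and the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the advisory): probe a bash binary for the two
# Shellshock issues. Exit status convention for each check:
# 0 = not affected, 1 = affected, 2 = bash binary not found.

# CVE-2014-6271: does bash execute the code that follows a function
# definition imported from an environment variable?
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # The marker is printed only if the trailing "echo" after the function
    # body runs while bash imports the definition; a patched bash warns
    # on stderr and ignores it, so stdout carries just "probe".
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug that lets an
# environment variable redirect the next command's output into a file
# named "echo". The probe runs in a scratch directory so that file, if
# created, is contained and removed afterwards.
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$scratch"
    return $rc
}

# $1 = CVE id, $2 = check status, $3 = binary tested
describe_result() {
    case "$2" in
        0) echo "$1: not affected ($3)" ;;
        1) echo "$1: VULNERABLE ($3)" ;;
        *) echo "$1: could not test ($3 not found)" ;;
    esac
}

# Human-readable summary for one binary, one line per CVE.
shellshock_report() {
    bash_bin="${1:-bash}"
    rc=0; check_cve_2014_6271 "$bash_bin" || rc=$?
    describe_result "CVE-2014-6271" "$rc" "$bash_bin"
    rc=0; check_cve_2014_7169 "$bash_bin" || rc=$?
    describe_result "CVE-2014-7169" "$rc" "$bash_bin"
}
```

Run `shellshock_report /bin/bash` (or the path of any other bash build, such as one installed under /usr/local) on each host; a non-zero status from either check function is what an inventory script should flag.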
Information about detecting the vulnerability in DHCP services is available; it is intended for readers with technical know-how: