Skip to main content

GNU Bash "Shellshock" Vulnerability

Last Update Date: 30 Sep 2014 Release Date: 25 Sep 2014 6672 Views

RISK: Extremely High Risk

TYPE: Operating Systems - Linux

TYPE: Linux

A vulnerability has been identified in bash (GNU Bourne-Again Shell), related to how environment variables are processed. The vulnerability is now known as "Shellshock".

 

In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell:

  1. Apache HTTP Server using mod_cgi or mod_cgid scripts either written in Bash, or spawn subshells.
  2. Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities.
  3. Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
  4. Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Note: The vulnerability is currently being exploited in the wild


Impact

  • Remote Code Execution

System / Technologies affected

  • Any UNIX, Linux and Mac OS X with Bash shell version 4.3.

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Please note that solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169. Please refer to individual OS vendors for the latest software update.
  • GNU, the vendor of Bash, has issued a patch. You can update bash shell by compiling the latest source code released by GNU:
    http://www.gnu.org/software/bash/

 

[UPDATE 2014-09-29] There are patches available for many of the major Linux distributions:

[UPDATE 2014-09-30] Other products:

 

Detection for vulnerability CVE-2014-6271

To detect if a CGI Web site is vulnerable (for HTTP site only), use this checking site:

 

To detect if a Linux, Unix, BSD or Max OS X host is vulnerable, enter the following command at the shell:

  • env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

If the system is vulnerable, the output will look like:

vulnerable

this is a test

 

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test

 

There is information about detecting the vulnerability of DHCP service. This is for people with technical knowhow:

 


Vulnerability Identifier


Source


Related Link