Shellshock vulnerability in Bash enables widespread exploitation

The Bash command language interpreter (shell) is software used in Linux/Unix systems to control the operating system: it receives and runs text-based commands. Bash has been part of Linux/Unix systems for decades. Apple OS X, an operating system based on Unix, also contains the interpreter. The NCSC-FI at FICORA recommends that all maintainers and users of devices containing this command language interpreter update the software to the latest version.

By exploiting the vulnerability, it is possible to take complete control of a server or an operating system over a remote connection. Active exploitation of the vulnerability has already been observed around the world and in Finland.

Target group of the alert

  • Server maintainers
  • End-users

Target

  • Linux / Unix
  • OS X
  • Some network devices with an embedded Linux operating system
  • IBM z/OS mainframe computer systems
  • Windows systems running the Cygwin environment

Possible effects

  • An attacker can execute arbitrary commands on the server by sending them over the network; the commands run with the access rights of the server software that passes the attacker's input to Bash.
  • Enables installation of backdoors and malware on the server
  • Enables leakage of confidential information
  • As a result, a server or an operating system can be hijacked partially or completely.

By controlling a server or an operating system completely, it is possible, for example, to:

  • Harness the server for malicious activities
  • Gain access to the data on the server
  • Use the server's resources for denial-of-service attacks, among other things
  • Destroy the data on the server

Exploitation observations

  • Exploit methods for the vulnerability are publicly available (example commands)
  • HAVARO has observed scanning for vulnerable servers
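As an added example that is not part of the NCSC-FI advisory: the shell script below runs a simple detection rule over constructed web-server access-log lines in the Apache/nginx combined format, flagging the function-definition pattern that the publicly circulated exploit methods place in request headers. The sample lines, IP addresses and function names are constructed for this illustration.

```shell
#!/bin/sh
# Triage of web-server access logs for Shellshock probes.
# All data below is constructed for the example; these are not real log entries.

# Constructed sample in Apache/nginx "combined" format. The two probe lines
# imitate the public scanning pattern: a Bash function definition "() { ...; }"
# followed by a command, placed in the User-Agent or Referer header, which a
# CGI-capable server exports to the script as HTTP_USER_AGENT / HTTP_REFERER.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:12:01 +0300] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:12:05 +0300] "GET /cgi-bin/status HTTP/1.1" 200 45 "-" "() { :; }; /bin/ping -c 1 203.0.113.9"
192.0.2.11 - - [25/Sep/2014:10:12:09 +0300] "GET /js/app.js?cb=init() HTTP/1.1" 200 1204 "http://www.example.com/" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:13:44 +0300] "GET /cgi-bin/test.cgi HTTP/1.0" 500 0 "(){ (a)=>\'" "curl/7.38.0"
192.0.2.12 - - [25/Sep/2014:10:14:00 +0300] "GET /about.html HTTP/1.1" 200 980 "-" "Mozilla/5.0"
EOF
}

# Match "() {" and its no-space variant "(){" anywhere on the line. Only what
# the server logged is visible here (request line, Referer, User-Agent), so
# this is a triage aid, not a complete detector: probes sent in other headers
# or in a POST body never reach the access log at all.
find_shellshock_probes() {
    grep -E '\(\)[[:space:]]*\{'
}

# Distinct source addresses that sent a probe, one per line.
probe_sources() {
    find_shellshock_probes | cut -d ' ' -f 1 | sort -u
}

# Number of probe lines in the constructed sample.
count_shellshock_probes() {
    sample_log | find_shellshock_probes | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample.
echo "probe lines in sample: $(count_shellshock_probes)"
echo "sources:"
sample_log | probe_sources
```

On a real system, replace sample_log with cat of the access log (or pipe the log straight into find_shellshock_probes); the third sample line shows that a bare "()" in a URL does not trip the rule.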

Possible solutions and mitigations

  • Update Bash to the latest version in accordance with instructions issued by the vendor

Further information

The vulnerability is present in older versions of Bash and is estimated to have existed for approximately 25 years. All platforms in current use that include Bash are potentially vulnerable unless they have been updated to the latest version. The vulnerability lies in the way Bash handles environment variables: when a variable is formatted in a certain way (a function definition followed by extra commands), Bash executes those commands while importing the variable, with the access rights of the service being exploited. Examples of services that can be exposed are web services that run program code to handle dynamic content, such as CGI scripts.

The latest version of Bash now protects against the known exploitation methods. Users and maintainers are therefore recommended to update the command language interpreter to the latest software version immediately. The first patch for the vulnerability (identifier CVE-2014-6271) was published on 25 September 2014. That patch turned out to be incomplete: a related weakness in the same parsing code remained exploitable and was given the identifier CVE-2014-7169. The patch published on 26 September 2014 fixes both the original vulnerability and the one left open by the first, temporary patch.

Workstation users can often protect themselves against this kind of vulnerability by making sure that the workstation runs no services that listen on the network and are visible to public networks, because such services are what allow malicious content to be fed into the command language interpreter on the workstation. However, the vulnerability may also concern some client software on workstations that sets Bash environment variables based on data received from the network (a DHCP client that runs hook scripts with server-supplied values is one example). For this reason, the patch should be installed on workstations without delay, too.

Verifying the vulnerability CVE-2014-6271

The system maintainer can verify whether the system is vulnerable by running the following command in the command language interpreter:

x='() { :;}; echo VULNERABLE' bash -c :

If the command prints the text VULNERABLE, the system is vulnerable.

If the command prints nothing, or it prints the reply

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

the system is not vulnerable.

Verifying the vulnerability CVE-2014-7169

The system maintainer can verify whether the system is vulnerable by running the following command in the command language interpreter:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

If the command's output ends with the time at which the command was run, e.g. Sat 27 Sept 2014 20:15:37 EEST, the system is vulnerable. Note! The command creates and overwrites a file called echo in the directory /tmp/.

If the command prints the line 'date' (followed by an error from cat, because /tmp/echo does not exist), the system is not vulnerable.
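The following script is an added example, not part of the NCSC-FI advisory and not the page's own commands. It wraps both verification commands above into functions that return a verdict, runs the CVE-2014-7169 probe in a private temporary directory instead of /tmp/echo, and first shows, in miniature, the CGI path described under Further information by which a request header becomes a Bash environment variable. It assumes bash is on PATH and mktemp is available; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: combined check for CVE-2014-6271 and CVE-2014-7169, plus a
# small demonstration of how a web request reaches Bash through CGI.
# Assumes bash is on PATH and mktemp is available.

# How the flaw is reached through a CGI script: the web server copies the
# request's User-Agent header into the environment variable HTTP_USER_AGENT
# before running the script. A vulnerable Bash executes whatever follows the
# function body while importing that variable, before the script's first
# line and with the web server's user id. The inline script stands in for
# any Bash CGI script.
simulate_cgi_request() {
    HTTP_USER_AGENT=$1 bash -c 'printf "Content-Type: text/plain\n\nstatus ok, running as %s\n" "$(id -un)"' 2>/dev/null || true
}

check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Function body followed by a trailing command. A vulnerable Bash runs
    # "echo VULNERABLE" while importing x; a fixed one refuses the import.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c : 2>/dev/null || true)
    case $out in
        *VULNERABLE*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Same probe as the advisory's, but run in a private temporary directory
    # so nothing in /tmp is overwritten. On a Bash with only the first fix,
    # the malformed definition leaves the parser with a pending redirection
    # and "echo date" is in effect executed as "date > echo".
    dir=$(mktemp -d) || { echo error; return 1; }
    (cd "$dir" && env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1) || true
    if [ -f "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# One line per CVE plus an overall verdict; "patched" is only reported when
# both probes fail to execute anything.
shellshock_verdict() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    echo "CVE-2014-6271: $a"
    echo "CVE-2014-7169: $b"
    if [ "$a" = patched ] && [ "$b" = patched ]; then
        echo "overall: patched"
    else
        echo "overall: not confirmed patched"
    fi
}

# Stand-alone run.
echo "--- CGI simulation with a probe in User-Agent ---"
simulate_cgi_request '() { :;}; echo INJECTED-FROM-HEADER'
echo "--- checks ---"
shellshock_verdict
```

On an unpatched system the CGI simulation prints INJECTED-FROM-HEADER before the Content-Type line, which is exactly the position in which an attacker's command would run on a real CGI server; on a patched system only the response body appears. The checks only prove the absence of these two known exploitation methods, so they complement, rather than replace, installing the vendor's update.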

For further information on the case, please contact cert@ficora.fi.

Key words: Information security, Botnet, Data break-in, Denial-of-service attack, Malware, NCSC-FI, Network equipment, Vulnerability coordination, Alerts
