Unix/Linux Bash: Critical security hole uncovered, and it seems to be all around in the news. The claim is that the popular Linux and Unix shell has a serious security problem that means real trouble for many web servers. Let’s check the facts first: is this real, according to some reliable source? There is a Vulnerability Summary for CVE-2014-6271 (and updates), so this is real:
“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment.”
This means that the flaw involves how Bash evaluates environment variables. With specifically crafted variables, a hacker could use this hole to execute shell commands. The vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked.
This does not look good. The report says that there are vectors involving OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations. Red Hat has an extended list of situations that involve Bash in a remote context.
Remember Heartbleed? If you believe the hype today, Shellshock is in that league. The claims that the Bash bug is as big as Heartbleed seem to have some real justification:
The first reason is that the bug interacts with other software in unexpected ways. An enormous percentage of software interacts with the shell in some fashion.
This bash bug has been around for a long, long time. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than with Heartbleed.
It’s things like CGI scripts that are vulnerable, deep within a website. Nobody knows how many of them are in use and where. For many Unix or Linux web servers, it’s a major problem. The root of the problem is that Bash is frequently used as the system shell. Thus, if an application calls a Bash shell command via web HTTP or a Common Gateway Interface (CGI) script in a way that allows a user to insert data, the web server could be hacked. It is pretty ‘point and click’ simple to attack. Shellshock Bash Vulnerability Online Checkers Available.
This is not only a Linux problem: it could allow attackers to execute code on Linux, Unix, and Mac OS X.
Internet-of-things devices like video cameras and some SCADA/ICS devices are especially vulnerable because a lot of their software is built from web-enabled bash scripts. They are less likely to be patched. It’s embedded web servers on odd ports that are the real danger.
Bash ‘shellshock’ bug is wormable article says that this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm article says that experts warn of much carnage to come.
Much of the impact of the Shell Shocked vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation. It’s not just web, but there are other services that are vulnerable, such as the DHCP service reported in the initial advisory. This is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote.
How can I test the system vulnerability?
First you can log into your Linux system and run a command to see the version of bash you have. Red Hat recommends using the following command to check the bash version:
rpm -qa bash
Bug in Bash shell creates big security hole on anything with *nix in it article has a simple shell test command (which I could not get working as expected). How do I recompile Bash to avoid the remote exploit CVE-2014-6271 and CVE-2014-7169? discussion has test code that seems to work. It uses the same idea as the Fedora test code.
CVE-2014-6271 / Shellshock & How to handle all the shells! article has one test code. Everything you need to know about the Shellshock Bash bug article has a web request example. Bash ‘shellshock’ scan of the Internet has some example configuration.
There are Shellshock Bash Vulnerability Online Checkers Available, for example the CVE-2014-6271/CVE-2014-7169 test page.
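The local self-check below is an added example, not code from the article or from any of the linked pages. It runs the published probe strings for both CVE numbers against the bash installed on the machine and reports whether the trailing code in the crafted variable was executed; it assumes a bash binary is on PATH (override with BASH_BIN).

```shell
#!/bin/sh
# Added example (not from the article): local self-check for CVE-2014-6271
# and CVE-2014-7169. Each check returns 0 when bash is patched and 1 when the
# crafted environment variable was acted on. Assumes "bash" is on PATH.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: an exported variable holding a function definition followed
# by a trailing command. A patched bash imports the function and ignores the
# trailing "echo vulnerable"; an unpatched bash runs it on startup.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;   # trailing string was executed
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug. On an unpatched
# bash the probe below redirects the output of "date" into a file named "echo"
# in the working directory, so run it in a scratch directory and look there.
check_7169() {
    dir=$(mktemp -d) || return 1    # cannot test: treat as failed check
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"
        return 1                    # parser bug present
    fi
    rm -rf "$dir"
    return 0
}

# Human-readable report; exit status is 1 if either check finds the bug.
report() {
    rc=0
    if check_6271; then echo "CVE-2014-6271: not vulnerable"; else echo "CVE-2014-6271: VULNERABLE"; rc=1; fi
    if check_7169; then echo "CVE-2014-7169: not vulnerable"; else echo "CVE-2014-7169: VULNERABLE"; rc=1; fi
    return $rc
}

report
```

Run it again after installing the distribution update, and also on any embedded or appliance system you can reach a shell on, since those are the ones least likely to receive the patch automatically.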
What can you do?
Unix/Linux Bash: Critical security hole uncovered article tells that first you should sanitize the web applications’ inputs. If you’ve already done this against such common attacks as cross-site scripting (XSS) or SQL injection, you’ll already have some protection. Akamai’s recommendation is to switch “away from using Bash to another shell” if possible (the problem is that an alternative shell will not use exactly the same syntax and may not have all the same features).
Because bash is the system shell, other services are in danger. OpenSSH is also vulnerable via the use of AcceptEnv variables, TERM, and SSH_ORIGINAL_COMMAND. However, since to access those you already need to be in an authenticated session, you’re relatively safe. Consider limiting SSH access if you have many users. Switching to zsh only helps if you also remove bash and sh from your system.
Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) article gives some tips for temporary work-around for web services using mod_security and IPtables.
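As an added example (not from the article or the Red Hat page), the script below does on an access log what the mod_security work-around does on live requests: it looks for the literal function-definition marker “() {” in the request line or headers and lists the client addresses that sent it. The log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): triage a web server access log for
# requests carrying the Shellshock trigger "() {" and list the source IPs.
# The combined-format log lines below are constructed for this example.

# Print the unique client IPs (first field of each line) for lines that
# contain the literal marker. grep -F treats the pattern as plain text.
shellshock_sources() {
    grep -F '() {' "$1" | awk '{ print $1 }' | sort -u
}

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo probe" "curl/7.30.0"
10.0.0.5 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

shellshock_sources "$LOG"     # prints 198.51.100.7
rm -f "$LOG"
```

The literal match only catches the marker as logged; URL-encoded or whitespace-varied forms need decoding and normalising first, and headers that your log format does not record (Cookie, Referer in some setups) are invisible to it.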
The real fix will be to replace the broken Bash with a new, secure one. This means lots of work for many administrators to install the update. Bash’s developers have patched all current versions of Bash, from 3.0 to 4.3. Most people invest heavily in Windows patching and are utterly awful at patching Linux. Your Linux systems need to apply this patch. Patches have been issued by many of the major Linux distribution vendors for affected versions. You also have the option to recompile Bash to avoid the remote exploit CVE-2014-6271 and CVE-2014-7169, because it is open source software. Fedora has instructions on how to download and compile. You will need to patch ASAP.