BASH Shell Security Issue

We at INFINIT are always on top of all security threats. This latest threat affects the BASH shell, used by many UNIX and Linux systems.

BASH Vulnerability CVE-2014-6271 Security Brief

OVERVIEW

On 9/24/2014, a vulnerability in BASH (Bourne-Again SHell) was discovered and reported to the National Institute of Standards and Technology (NIST). The vulnerability has been assigned CVE-2014-6271.  BASH is installed on most UNIX and linux systems and is commonly configured as the default shell.

The vulnerability takes advantage of how BASH processes environment variables to execute commands on the target system. Environment variables can be set through any method available which allows the attacker to interact or pass input to BASH.

RISK – HIGH

The system is vulnerable through authenticated or brute forced SSH/telnet sessions and via exposed web libraries (CGI, Python, Perl, etc) that are configured to pass input to a shell script which uses BASH as the interpreter. The vulnerability is remotely exploitable via the Internet if any of these services are exposed to the Internet. Common ports for web services include 80, 8080, 443, however many web management interfaces are configured to use custom ports. Please check with your vendor configuration documentation to determine which port your service uses.

Exploits for this vulnerability have been published and are easily obtainable. The vulnerability is not limited to “Servers”. Appliances and devices with a web interface or exposed shell interfaces are also vulnerable. Examples include: Web Management interfaces for appliances and devices such as IP Phones, Network Attached Storage Devices, Wireless Routers with Web Interfaces, and other web services.

ACTIONS AND REMEDIATIONS

It is recommended to patch BASH at the earliest possibility. Please check with your Operating System and Vendor websites for patch availability. Most popular Operating Systems such as CentOS, Ubuntu, and Redhat have already released patches for this vulnerability.  Any appliances and virtual appliances running UNIX or linux may be vulnerable as well so please include them in any testing and patching conducted.

CRITICALITY

CVSS Score

10 (HIGH)

Impact Score

10

Exploitability Score

10

Exploits Available?

Yes

Remotely Exploitable?

Yes

REFERENCES

Redhat Security Blog

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

NIST CVD Listing

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Redhat Resolution Post

https://access.redhat.com/solutions/1207723

CentOS Post

http://lists.centos.org/pipermail/centos/2014-September/146099.html

Novell Post

http://support.novell.com/security/cve/CVE-2014-6271.html

Manual Method for Testing If Your Operating System is Vulnerable

http://www.volexity.com/blog/?p=19

Technical Information About the Vulnerability

http://seclists.org/oss-sec/2014/q3/650

UPDATE

Test here to see if you are vulnerable: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability