“Shell Shock” Bash Bug: What We Know

September 24, 2014 • Industry Topics

Update as of September 29, 10:00am EDT:

Operating systems and distributions have continued to release patches as further bugs are found in the same bash code path. There are now at least five CVEs associated with variants of the Shellshock vulnerability:

  • CVE-2014-6271: the original issue; commands appended to a function definition carried in an environment variable are executed when bash starts
  • CVE-2014-7169: the first fix for CVE-2014-6271 was incomplete; bash's parser could still be tricked into executing injected text
  • CVE-2014-7186: out-of-bounds memory access in the parser triggered by a large number of here-documents
  • CVE-2014-7187: off-by-one error in the parser when handling deeply nested loops
  • CVE-2014-6277: memory-safety flaw in the parser (uninitialized memory and untrusted pointer use) that can also lead to code execution

Proof of concept code as well as other ways to test if your systems are vulnerable are located here: https://github.com/mubix/shellshocker-pocs

The list of products confirmed vulnerable to some form of Shell Shock continues to grow. For most consumers, however, exploitation still requires a path by which attacker-controlled text reaches bash's environment, and the usual precautions cut off most of those paths: keeping systems updated, limiting the number and type of services exposed to the Internet, and practicing sound identity and access management.

Attempts to exploit this vulnerability skyrocketed over the weekend, with thousands of reports of web servers being scanned for the presence of Shell Shock. HTTP remains the most prevalent attack vector, with applications that use CGI most at risk: a CGI-capable web server copies request headers (User-Agent, Referer, Cookie and so on) into environment variables before executing the script, so a header value that starts with "() {" is parsed by bash as a function definition and any command appended after the closing brace runs. Over the weekend, the popular server management front-end cPanel was found to be vulnerable. More information can be found here: http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html

ControlScan recommends that all customers continue to closely monitor the situation. While most customers’ externally-facing systems will not be vulnerable, the situation continues to develop and organizations should have already started to assess systems to determine those that are potentially vulnerable. As always, customers should apply patches from vendors as soon as they are available and continue to monitor server activity and logs for suspicious behavior.

 

Update as of September 26, 10:00 a.m. EDT:

As of this morning, we’re not seeing a lot of new information on how to successfully mitigate the shell shock bash bug. We do know for certain, however, that hackers are leveraging shell shock in the wild: http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/

Mostly, people are reporting various specific software packages as vulnerable (for example, Qmail is now believed to be vulnerable).

Certain implementations of the DHCP network protocol also appear to be affected: https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/. DHCP options that carry free-form strings can be used to deliver the exploit. In the linked demonstration, option 114 (the URL option) is set to a malicious string which, on Linux systems, the DHCP client passes as an environment variable to the hook scripts it runs, and on many distributions those hook scripts are bash scripts. This is bad because most client workstations are configured to use DHCP, and DHCP negotiation happens automatically behind the scenes as soon as a device joins a network by Ethernet or Wi-Fi. The attacker does need to be the one answering the client's DHCP request, either with a rogue DHCP server on the same network segment or by controlling the legitimate one, but from that position triggering Shellshock on a susceptible Linux client appears trivial.
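The HTTP/CGI scanning described in the September 29 update above and the DHCP vector just described both come down to one thing: a string under the attacker's control ending up as the value of an environment variable that bash reads at startup. The following example, added here and not part of the original post or of any vendor's tooling, flags the function-definition marker in the two places a defender can see it: web server access logs (request, Referer and User-Agent fields, which a CGI server exports as environment variables) and the options field of a DHCP packet. The log lines and the DHCP options blob are constructed for illustration; the log format assumed is the Apache/nginx "combined" format, and the DHCP encoding is the RFC 2132 code/length/value layout.

```python
"""Spot Shellshock probes in strings that reach bash through the environment.

Added example (not code from the original post). The log lines and the DHCP
options blob below are constructed; nothing is read from the network."""
import re

# Bash imports a variable as a function when its value starts with "() {".
# Match loosely (optional whitespace) so trivial variations are still caught.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" format:
# client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Fields a CGI server exports as environment variables (REQUEST_URI /
# QUERY_STRING, HTTP_REFERER, HTTP_USER_AGENT), hence the ones worth scanning.
SCANNED_FIELDS = ("request", "referer", "ua")


def scan_log_line(line):
    """Return [(field, value), ...] for every scanned field carrying the marker."""
    m = COMBINED_LOG.match(line)
    if not m:
        # Not combined format: search the raw line rather than skip it.
        return [("raw", line)] if SHELLSHOCK_MARKER.search(line) else []
    return [(f, m.group(f)) for f in SCANNED_FIELDS
            if SHELLSHOCK_MARKER.search(m.group(f))]


def scan_log(lines):
    """Map 1-based line number -> hits, for the lines that contain a probe."""
    findings = {}
    for no, line in enumerate(lines, 1):
        hits = scan_log_line(line)
        if hits:
            findings[no] = hits
    return findings


def parse_dhcp_options(blob):
    """Parse a DHCP options field (RFC 2132 code/len/value) into {code: bytes}.

    Code 0 is a one-byte pad and 255 ends the list. A truncated option raises
    ValueError so a malformed packet is never reported as clean."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated at offset %d" % (code, i))
        opts[code] = value
        i += 2 + length
    return opts


def find_dhcp_shellshock(blob):
    """Option codes whose value carries the marker. Any string option counts,
    not only 114: the client hands several of them to its hook scripts."""
    return sorted(code for code, value in parse_dhcp_options(blob).items()
                  if SHELLSHOCK_MARKER.search(value.decode("latin-1")))


def dhcp_option(code, value):
    """Encode one code/len/value option (used only to build the sample)."""
    return bytes([code, len(value)]) + value


# Constructed log lines: line 2 probes via User-Agent, line 3 via Referer.
# Line 4 has the marker percent-encoded in the query string; a CGI server
# passes QUERY_STRING undecoded, so the variable bash imports at startup does
# not begin with "() {" and the line is correctly not flagged.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [25/Sep/2014:10:01:07 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 17 "-" "() { :;}; echo probe"',
    '198.51.100.23 - - [25/Sep/2014:10:01:09 -0400] "GET /cgi-bin/test.cgi HTTP/1.0" 404 0 "() { ignored; }; /usr/bin/id" "curl/7.37.0"',
    '203.0.113.5 - - [25/Sep/2014:10:02:00 -0400] "GET /search?q=%28%29%20%7B HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Constructed DHCPOFFER options: message type, hostname, option 114 (URL)
# carrying the published test string, then the end marker.
SAMPLE_DHCP_OPTIONS = (dhcp_option(53, b"\x02")
                       + dhcp_option(12, b"victim")
                       + dhcp_option(114, b"() { :;}; echo probe")
                       + b"\xff")

if __name__ == "__main__":
    for no, hits in scan_log(SAMPLE_LOG_LINES).items():
        for field, value in hits:
            print("log line %d: marker in %s: %r" % (no, field, value))
    print("DHCP options carrying marker:", find_dhcp_shellshock(SAMPLE_DHCP_OPTIONS))
```

The same marker check applies to any other field a service copies into the environment (SSH ForceCommand via SSH_ORIGINAL_COMMAND, qmail's envelope strings, and so on); only the parser in front of it changes. A hit in the log means a probe was received, not that it succeeded; whether the target ran it depends on whether a CGI script (or anything else that spawns bash) handled that request.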

Update for Mac users: Early this morning, Apple released a statement saying “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities”: http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/

According to Krebs on Security, the U.S.-CERT advisory includes a simple command that Mac (and Linux) users can run from a terminal to test for the original bug, CVE-2014-6271:

To check your system from a command line, type or cut and paste this text:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

A system that received the first patch will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A system with a later patch level may print only "this is a test" with no warning, because the later patches stop treating ordinary variables as function definitions altogether. In every case the line to look for is "vulnerable": if it does not appear, the system is not affected by CVE-2014-6271. Note that this command tests only the original bug, not the follow-on issues (CVE-2014-7169 and later); the test collection linked in the September 29 update covers those.

 

Update as of September 25, 9:00 a.m. EDT:

A new CVE has been issued because the first patch for CVE-2014-6271 was incomplete: bash's parser could still be tricked into executing injected text, so even freshly patched systems remained "brittle" and could be affected:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

The bash bug is going to affect a large number of device types, from consumer routers to embedded systems in all manner of products such as UPS units, SANs, and who knows what else. Security vendors are working quickly to release checks for the flaw and many already have something in place. Product vendors will probably take longer, and such systems could remain unpatched for some time. The biggest challenge will be for organizations whose web servers run CGI scripts or PHP applications that shell out (system(), exec(), popen() and similar spawn /bin/sh, which on many systems is bash). Those applications will need to be assessed and retrofitted individually and then tested to ensure the changes don't break functionality. Even identifying whether CGI is in use will be time-consuming and potentially hard work for a lot of organizations.

This morning, we have reports of self-propagating worms and botnets using Shellshock to conduct DDoS attacks. This is already being observed in the wild and people should be on full alert.

 

Originally posted information below:

ControlScan has learned of a remote code execution vulnerability in GNU bash (CVE-2014-6271). bash is the default shell on most Linux systems in use on the Internet. Bash allows shell functions to be exported to child processes through the environment: a variable whose value begins with "() {" is imported as a function definition when a new bash starts. When such a value is specially crafted, bash fails to stop parsing at the end of the function body and executes any commands that follow it, resulting in remote code execution wherever an attacker controls the value of an environment variable. The vulnerability is most viable when exploited via Internet-facing services that hand attacker-supplied input to bash in this way. Examples include web servers (CGI scripts), mail servers and numerous other services.
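To make the path from request to environment variable concrete, the following example, added here and not code from the original post or from any web server, builds the environment a CGI-capable server exports for a request (assuming the RFC 3875 convention that header "User-Agent" becomes HTTP_USER_AGENT and so on), lists the variables a vulnerable bash would import as functions, and shows the defense-in-depth step a CGI wrapper or front-end filter can take until bash is patched: drop those variables before the script runs. The request headers are constructed; the final function executes a three-line stand-in CGI script under whatever bash is on PATH, which is assumed to be installed.

```python
"""How a CGI request lands in bash's environment, and a wrapper-side check.

Added example, not code from the original post or from any web server.
Assumptions: headers map to CGI meta-variables as in RFC 3875 (HTTP_<NAME>,
"-" becomes "_", upper-cased); the request and the script are constructed."""
import os
import re
import shutil
import subprocess

# A vulnerable bash imports a variable as a function when its value starts
# with the four bytes "() {". The check is slightly looser (optional
# whitespace) so near-misses are dropped as well; legitimate headers never
# look like this, so the looseness costs nothing.
FUNCTION_IMPORT = re.compile(r"^\(\)\s*\{")


def cgi_environ(method, path, headers):
    """Environment a CGI server exports before exec'ing the script."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method,
           "SCRIPT_NAME": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def tainted_vars(env):
    """Names of variables a vulnerable bash would parse as function definitions."""
    return sorted(k for k, v in env.items() if FUNCTION_IMPORT.match(v))


def scrub_env(env):
    """Drop those variables before the script runs: (clean_env, dropped_names)."""
    dropped = set(tainted_vars(env))
    return {k: v for k, v in env.items() if k not in dropped}, sorted(dropped)


def run_cgi_script(env):
    """Run a stand-in CGI script under bash with the given environment; return stdout.

    On a vulnerable bash the injected command runs before the script's first
    line, so the response would start with "probe" instead of the Content-Type
    header. Returns None when bash is not installed."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    script = 'echo "Content-Type: text/plain"; echo; echo ok'
    result = subprocess.run(
        [bash, "-c", script],
        env=dict(env, PATH=os.environ.get("PATH", "/usr/bin:/bin")),
        capture_output=True, text=True, timeout=10)
    return result.stdout


# Constructed request: two headers carry function definitions, one of them in
# the Cookie, which a "just inspect User-Agent" rule would miss.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; echo probe",
    "Referer": "http://www.example.com/",
    "Cookie": "() { ignored; }; echo probe-from-cookie",
}

if __name__ == "__main__":
    env = cgi_environ("GET", "/cgi-bin/status.cgi", SAMPLE_HEADERS)
    print("would be imported by a vulnerable bash:", tainted_vars(env))
    clean, dropped = scrub_env(env)
    print("dropped before exec:", dropped)
    print("script output with scrubbed environment:")
    print(run_cgi_script(clean))
```

The scrub is a stopgap, not a fix: it protects only the scripts that run behind the wrapper, and a service that spawns bash some other way (a PHP system() call, an SSH forced command, a DHCP hook script) is untouched by it. Patching bash remains the only complete remedy, which is why the recommendations below lead with updating.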

The implications of this vulnerability are far-reaching and have the potential to impact a large number of systems. Patches have been made available via the official upstream maintainer of the bash application for all bash versions; however, there are currently reports that the available patches do not fully resolve the issue.

At this time, ControlScan recommends the following:

  • Ensure that systems are updated to the latest application versions as they become available
  • Ensure that host activity is monitored for anomalies
  • Check with IDS/IPS vendors for updated signatures to protect against known attacks

For additional detailed information, consult the following resources:

http://seclists.org/oss-sec/2014/q3/650

https://blog.cloudflare.com/bash-vulnerability-cve-2014-6271-patched/

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

https://www.debian.org/security/2014/dsa-3032

https://security-tracker.debian.org/tracker/CVE-2014-6271

http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html

http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html

http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html

Stay tuned: We will provide additional updates on the vulnerability’s impact, as well as known patches and workarounds, as they become available.
