ADVISORY: Remote code execution through bash (CVE-2014-6271)
Friday, September 26, 2014
Vulnerabilities in multiple versions of bash continue to be identified. IIA recommends applying patches for these vulnerabilities as the patches become available from vendors. The links below provide information:
- Alert (TA14-268A) GNU Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)
- Vulnerability Summary for CVE-2014-7169 (National Vulnerability Database)
- Frequently Asked Questions about the Shellshock Bash flaws (Red Hat Security Blog)
Update as of 4:25 p.m., 9/25/14
See Alert (TA14-268A) GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169) from US-CERT for additional information.
Update as of 1:20 p.m., 9/25/14
Machines running web servers or allowing other types of incoming network connections from the Internet appear to be most at risk. There is some risk to end-user computers through vectors such as rogue DHCP servers, but exploitation is more difficult than for web servers.
Servers should remain a higher priority for patching. End-user linux and Mac machines should be patched as soon as vendor patches are available.
Be aware that you will need to patch more than once. A second, related vulnerability has been identified. It is important to apply the available patches for the protection they provide, but it will also be important to apply additional patches as they become available.
The information below was sent to the U-M IT Security Community and other IT staff groups September 24, 2014.
This message is intended for U-M IT staff who are responsible for maintaining and running university servers. A security vulnerability was announced today that requires immediate remediation. Please read the advisory below to see if servers for which you are responsible are affected and take action if appropriate.
Summary
A vulnerability in bash could allow an attacker to execute arbitrary commands on a server, which could result in exposure of sensitive information or negative impact to critical services. (See below for definition of bash.)
Problem
Details and sample exploits for the bash vulnerability have been made publicly available. Any service running on a system with a vulnerable version of bash may be susceptible to attack.
Threats
Exploit code is publicly available. IIA has confirmed that the vulnerability can be used to execute arbitrary commands on vulnerable systems. Because exploitation is simple, widespread exploitation is expected to occur quickly.
Affected Systems
Any system that uses a vulnerable version of bash. This includes most linux, Apple, and other unix-like operating systems. The most likely target for exploitation appears to be web servers, but other services may also be affected (such as ssh).
Detection
IIA will not be scanning campus networks to identify vulnerable systems because a reliable method for remotely detecting vulnerable systems is not available.
Action Items
Apply vendor patches as soon as possible to vulnerable systems (see references below). Web servers that are accessible from the Internet should be prioritized. Servers that allow any other form of access from the Internet should also be patched quickly. An accelerated process for patching all systems that use bash should be considered, regardless of the services provided by the systems and regardless of whether the systems are directly accessible from the Internet.
Technical Details
Vulnerable versions of bash do not properly parse function definitions that are a part of environment variables. By appending additional commands at the end of a function definition, an attacker can cause bash to run those additional commands. Services such as web servers set environment variables when running external commands, such as CGI scripts. An attacker can cause the server to run a command by creating a fake bash function definition and embedding it within data that the web server will use in an environment variable.
Questions, Concerns, Reports
Please contact [email protected].
References
- Vulnerability Summary for CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - CVE-2014-6271: remote code execution through bash
http://seclists.org/oss-sec/2014/q3/650 - Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
https://access.redhat.com/articles/1200223 - Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux
https://access.redhat.com/solutions/1207723 - Bash specially-crafted environment variables code injection attack
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ - Debian information about CVE-2014-6271
https://security-tracker.debian.org/tracker/CVE-2014-6271
ABOUT BASH: Bash is a unix shell. A Unix shell is basically a user interface to a system running some form of Unix-like operating system. Bash typically runs in a text window where the user can type commands, but is also frequently used when services such as web servers run scripts or programs on a server. For more information, see the Wikipedia entries for Bash (Unix shell) and Unix shell.