The “Shellshock” vulnerability in Bash

Update, October 3: vulnerabilities in Bash:

The discovery of the Shellshock vulnerability has opened up Bash like a can of worms, with the ensuing discovery of several other vulnerabilities and rumors of more.

With the vulnerabilities come a host of official and unofficial patches with varying degrees of effectiveness across a number of affected product vendors, including Linux distributions, Apple and IBM.

It is, in a word, chaotic.

We recommend that System Administrators stay alert and keep up continuous patching, mitigating, verifying; patching, mitigating, verifying; patching, mitigating, verifying … you get the idea.

Secunia continues to publish assessed Advisories on the vulnerabilities in Bash.

Update, September 30: The “Shellshock” vulnerability in Bash

Since the first vulnerability in Bash was disclosed and the first patch was released, a number of unofficial patches have been released, and several additional vulnerabilities have been discovered in Bash.
Only two vulnerabilities in Bash have official patches at this stage: CVE-2014-6271 and CVE-2014-7169.

Update, Sept 26: The “Shellshock” vulnerability in Bash

To date, Secunia has published 9 Secunia Advisories for products affected by Shellshock.

On September 25 patches were released by a number of vendors, including Debian and Red Hat. Unfortunately, they appeared to be incomplete, and therefore ineffective. Red Hat and Debian have therefore pushed new patches earlier today.

GNU Bash is expected to release official new patches today, Friday 26, to replace the original one that proved ineffective.

Secunia will continuously update our advisories as new information becomes available. If you are a member of the Secunia Community, you can keep track of Bash-related Secunia Advisories there.

The “Shellshock” vulnerability in Bash

16:20 CET on the 25th September 2014

Secunia has currently written 1 Secunia Advisory for the GNU Bash Shell Function Definitions OS Commands Injection Vulnerability (CVE-2014-6271), popularly referred to as the “Shellshock bug”.

The vulnerability has received the Secunia rating “Highly Critical” and the current solution status is unpatched, as the previously released patches are reported to be ineffective.
There will be additional advisories issued for products bundled with Bash as their status becomes verified.

The impact of the vulnerability in Bash is that it can be exploited to effectively take over your systems. Reportedly, Bash is currently being exploited in limited attacks in the wild.

What is Shellshock?
The vulnerability is caused by an error in the parsing of shell function definitions passed via environment variables. It can be exploited to, for example, execute arbitrary shell commands via a specially crafted environment variable value passed to a CGI script through certain HTTP headers.
There are multiple attack vectors for Bash, because many organizations use Bash in different parts of their systems, and presumably many old devices on networks will be vulnerable.
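As an added example (not Secunia's code and not part of the original post), a POSIX shell script covering the two defender-side tasks the passage implies: verifying whether the local Bash still parses a function definition out of an exported variable (CVE-2014-6271 only; it does not test CVE-2014-7169), and scanning web-server access-log lines for the function-definition marker that a CGI-based attempt leaves in the logged Referer or User-Agent header. The log lines are constructed for this example, and the self-test assumes a bash binary on PATH.

```shell
#!/bin/sh
# Added example, not Secunia's code: two defender-side checks for CVE-2014-6271.

# 1) Local self-test. A vulnerable Bash parses the exported variable below as a
#    function definition and keeps executing past the closing brace, so the
#    trailing "echo VULNERABLE" runs when the child bash starts. A fixed Bash
#    ignores the trailing text (and warns on stderr, which is discarded here).
#    Assumes a "bash" binary on PATH; reports "absent" otherwise.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo absent; return 0; }
    out=$(env testvar='() { :;}; echo VULNERABLE' bash -c 'true' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# 2) Access-log scan. CGI exploitation arrives in HTTP headers, and the ones
#    most web servers log (Referer, User-Agent) are where it shows up. Bash
#    only treats an imported value as a function definition when it begins
#    with the four characters "() {", so that string is the signature.
#    Three constructed sample lines follow (combined log format); the first
#    and third carry the marker.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:16:20:01 +0200] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:16:21:13 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:16:22:40 +0200] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; echo probe" "curl/7.30.0"'

# Print every line whose logged headers carry the marker (fixed-string match).
scan_log_for_shellshock() {
    printf '%s\n' "$1" | grep -F '() {'
}

# Count the hits; a non-zero result is what an alert should key on.
shellshock_hit_count() {
    scan_log_for_shellshock "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report local status, then scan the sample log.
echo "local bash: $(bash_shellshock_status)"
echo "suspicious access-log lines: $(shellshock_hit_count "$SAMPLE_LOG")"
scan_log_for_shellshock "$SAMPLE_LOG"
```

Point the scanner at a real access log with `scan_log_for_shellshock "$(cat /var/log/apache2/access.log)"` or pipe the file through the same `grep -F '() {'`; a patched Bash still makes the log scan worthwhile, since it shows who is probing.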

What next?
GNU, the Open Source project that has developed Bash, is a large and widely used project and should have the resources available to deal with the issue. They have in fact already released a patch – unfortunately it has proved ineffective, and there is therefore no official patch available at this stage. We are, however, expecting GNU Bash to release another patch today due to the criticality of this vulnerability. But the fact that the first patch wasn’t adequate could indicate that they lack proper security quality assurance of their patches.

Worse than Heartbleed?
Compared to Heartbleed, the vulnerability in OpenSSL from earlier this year, the vulnerability in Bash is worse: Heartbleed “only” enabled hackers to extract information. The vulnerability in Bash enables hackers to execute commands to take over your servers and systems.

We have only seen the tip of the iceberg so far, and only the most obvious attack vectors. Secunia will continuously follow this, and update our advisories as new information becomes available.
