The “Shellshock” vulnerability in Bash
16:20 CET on the 25th September 2014
Secunia has currently written 1 Secunia Advisory for the GNU Bash Shell Function Definitions OS Commands Injection Vulnerability (CVE-2014-6271), popularly referred to as the “Shellshock bug”: http://secunia.com/advisories/61541.
The vulnerability has received the Secunia rating “Highly Critical” and the current solution status is unpatched, as the previously released patches are reported to be ineffective.
There will be additional advisories issued for products bundled with Bash as their status becomes verified.
The impact of the vulnerability in Bash is that it can be exploited to effectively take over your systems. Reportedly, Bash is currently being exploited in limited attacks in the wild.
What is Shellshock?
The vulnerability is caused due to an error when parsing shell function definitions passed via environment variables and can be exploited to e.g. execute arbitrary shell commands via a specially crafted environment variable value passed to a CGI script via certain HTTP headers.
There are multiple attack vectors for Bash, because a lot of organizations will be using Bash in different parts of their systems, and presumably many old devices on networks will be vulnerable.
GNU, the Open Source project that has developed Bash, is a large and widely used project and should have the resources available to deal with the issue. They have in fact already released a patch – unfortunately it has proved ineffective, and there is therefore no official patch available at this stage. We are, however, expecting GNU Bash to release another patch today due to the criticality of this vulnerability. But the fact that the first patch wasn’t adequate, could indicate that they lack proper security quality assurance of their patches.
Worse than Heartbleed?
Compared to Heartbleed, the vulnerability in OpenSSL from earlier this year, the vulnerability in Bash is worse: Heartbleed “only” enabled hackers to extract information. The vulnerability in Bash enables hackers to execute commands to take over your servers and systems.
We have only seen the tip of the iceberg so far, and only the most obvious attack vectors. Secunia will continuously follow this, and update our advisories as new information becomes available.