Reference: CERT-EU Security Advisory 2014-137 - BASH Vulnerability

Short Summary
-------------

GNU BASH is prone to a remote code execution vulnerability. Vulnerable GNU BASH versions process trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code.

UPDATE: Two additional vulnerabilities (CVE-2014-6277 and CVE-2014-6278) have been discovered in BASH. The newest patches also resolve these new vulnerabilities.

Bugtraq ID: 70103
CVE: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
Published: Sep 24 2014
Remote: Yes
Local: Yes
Ease: Exploits Available
CVSS Version 2 Scores: CVSS2 Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Impact
------

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Depending on the configuration, exploitation is possible without any form of authentication. Remote exploits are possible and currently available.

Technical Description
---------------------

The vulnerability lies in the BASH shell interpreter and allows an attacker to append system-level commands to BASH environment variables. Environment variables are dynamic, named values that affect the way processes run on a computer, and BASH accepts function definitions passed to it in the values of such variables. The vulnerability lies in the fact that an attacker can tack malicious code onto the end of such a variable, and that code runs as soon as the variable is received and parsed by BASH.

The most likely route of attack is through Web servers using CGI (Common Gateway Interface), the widely used mechanism for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses BASH to interpret the variable, it will also run any malicious command tacked onto it.
Aside from Web servers, other vulnerable devices include Linux-based routers whose Web interface uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router. Other services identified as possible attack vectors include ssh, dhcp, cups and postfix. Others may be identified in the future.

Solutions
---------

As it is quite difficult to reliably assess which systems may be vulnerable due to their specific configuration, it is recommended to patch BASH on all systems. Patches are being prepared by most vendors; please refer to your specific vendor for details. Please note that the initial patches for CVE-2014-6271 were not completely effective, which resulted in the additional vulnerability CVE-2014-7169.

UPDATE: Updated patches are available, or should shortly be made available, by the vendors. Keep monitoring the information from your specific vendors for details of any additional patches required.
UPDATE: A list of known vendors offering patches:

Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Checkpoint: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673
Juniper: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=RSS
Oracle: http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
Bluecoat: https://kb.bluecoat.com/index?page=content&id=SA82
McAfee: https://kc.mcafee.com/corporate/index?page=content&id=SB10085
RSA: https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a67980
NETASQ: http://www.stormshield.eu/en/avis-de-securite/stormshield-network-security-vous-protege-de-shellshock/ ; http://static.arkoon.net/corporate/STORM-2014-01-EN.PDF
WatchGuard: http://customers.watchguard.com/articles/Article/Are-WatchGuard-products-affected-by-the-Bash-or-Shellshock-vulnerability
Vordel: https://support.axway.com/en/admin/kbadmin/article-details/id/176460
F5: http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
Apple OS X bash Update 1.0: http://support.apple.com/kb/HT6495
Barracuda Networks products: https://www.barracuda.com/support/techalerts
cPanel: http://cpanel.net/cpanel-security-team-bash-cve-2014-6217-and-cve-2014-7169/
VMWARE: http://www.vmware.com/security/advisories/VMSA-2014-0010.html

UPDATE: An extensive list of vendors may also be found on the US-CERT website:
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4

If a system cannot be patched for any reason, the configuration of that system should be carefully reviewed to see if it may be vulnerable. Several different services may use the BASH shell internally, so it is not straightforward to identify them.
Solutions may include reconfiguring existing services, using a different shell (e.g., SH, ASH, CSH, DASH, etc.), disabling services, etc. Additionally, deploying application firewalls with specific rules designed to block attempted attacks may help.

Vulnerable Systems
------------------

Any system running the BASH shell is potentially vulnerable. The exact level of exposure depends strongly on the services enabled and the specific configuration.

Some vulnerable systems (namely web servers hosting CGI applications) may be identified using publicly available scanners, such as these:

http://bashsmash.ccsir.org/
http://shellshock.brandonpotter.com/
http://www.shellshocktest.com/
https://shellshocker.net/

UPDATE: A tool from CrowdStrike has been made available to scan networks:
http://www.crowdstrike.com/community-tools/index.html

Note that these scanners most likely produce a very large number of false negatives (i.e., they fail to find many actually vulnerable systems). Systems running other services are potentially also vulnerable.

The following rules may be used to discover scanning/exploitation attempts:

Suricata format:

  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

Snort format:

  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

To check the vulnerability directly on hosts, follow for instance the procedure described in the Securelist blog post, the Blogspot article or the ZDNet article (see references below).
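The two signatures above fire on the "() {" function-definition prefix in any HTTP request header and suppress repeats from the same source for 120 seconds. The following added example (written for this advisory, not part of the original text or of Suricata/Snort) applies the same match and per-source threshold to constructed request records, so the rule logic can be checked offline against web-server logs or a proxy capture.

```python
import re
from typing import Dict, List, Tuple

# Same byte pattern the advisory's Suricata/Snort rules match: content:"() {"
PROBE_PATTERN = re.compile(r"\(\) \{")

# Threshold from the rules: type limit, track by_src, count 1, seconds 120
LIMIT_WINDOW_SECONDS = 120


def header_carries_probe(headers: Dict[str, str]) -> bool:
    """True if any request header value contains the '() {' prefix."""
    return any(PROBE_PATTERN.search(value) for value in headers.values())


class PerSourceLimiter:
    """At most one alert per source address within the window (threshold type limit)."""

    def __init__(self, window: int = LIMIT_WINDOW_SECONDS) -> None:
        self.window = window
        self._last_alert: Dict[str, float] = {}

    def allow(self, src: str, ts: float) -> bool:
        last = self._last_alert.get(src)
        if last is not None and ts - last < self.window:
            return False  # suppressed: source already alerted inside the window
        self._last_alert[src] = ts
        return True


def scan_requests(requests: List[Tuple[float, str, Dict[str, str]]]) -> List[Tuple[float, str]]:
    """Return (timestamp, source) pairs for which the signature would fire."""
    limiter = PerSourceLimiter()
    alerts = []
    for ts, src, headers in requests:
        if header_carries_probe(headers) and limiter.allow(src, ts):
            alerts.append((ts, src))
    return alerts


# Constructed sample traffic (not from the advisory): one source probes three times
# within 200 s, a second source sends one benign and one probing request.
SAMPLE_REQUESTS = [
    (0.0, "198.51.100.7", {"User-Agent": "() { :;}; echo probe", "Host": "www.example.org"}),
    (30.0, "198.51.100.7", {"Referer": "() { :;}; echo probe", "Host": "www.example.org"}),
    (45.0, "203.0.113.9", {"User-Agent": "Mozilla/5.0", "Host": "www.example.org"}),
    (60.0, "203.0.113.9", {"Cookie": "() { :;}; echo probe", "Host": "www.example.org"}),
    (200.0, "198.51.100.7", {"User-Agent": "() { :;}; echo probe", "Host": "www.example.org"}),
]

if __name__ == "__main__":
    for ts, src in scan_requests(SAMPLE_REQUESTS):
        print(f"t={ts:6.1f}s src={src} Possible CVE-2014-6271 bash Vulnerability Requested (header)")
```

The second probe from 198.51.100.7 at 30 s is suppressed by the threshold, while the one at 200 s alerts again because the 120-second window has elapsed.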
However, whether the vulnerability is actually exposed by the system depends on its configuration.

References
----------

NVD: CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

NVD: CVE-2014-7169
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

Securelist: "Bash" (CVE-2014-6271) vulnerability – Q&A
http://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/

ZDNet: Shellshock: Better 'bash' patches now available
http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/

Blogspot article:
http://lcamtuf.blogspot.co.uk/2014/10/bash-bug-how-we-finally-cracked.html

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383