Shell Shock

Last week an issue with bash was uncovered. The vulnerability looks to have existed for 22 years; GNU versions of bash dating back to version 1.14 and extending to version 4.3 are known to have the issue. The bug has been dubbed “Shell Shock”. It is possibly on a par with the HeartBleed bug from April this year; potentially it is worse.

Bash is a commonly used shell for many flavours of UNIX, as well as Linux and OS X. Bash is widely used for logins, in particular for applications such as Apache. Scripts that are written in bash or that fork bash shells are likely to be vulnerable. Unfortunately, just changing to another shell (like ksh) is not an easy fix; different shells have different syntax.

The US CERT has detailed several cases where the vulnerability may be exploited. Apart from HTTP servers, CERT also lists DHCP client machines, some daemons and SUID programs. CERT also mentions possible exploits via secure shell, telnet and basically any other program that uses bash.

The exploit is quite simple and is rated as High impact. It is low in complexity; an unskilled attacker could use it. There are already signs that the bug is being exploited. The likely use is for attackers to launch distributed denial of service attacks from victim machines, using malware installed on them.

You can check if you are vulnerable by running the following command string:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the output:

vulnerable
this is a test

then your system is vulnerable. A patched bash does not print the word vulnerable.
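The check above can be scripted so that it runs against each bash binary on a host and gives a verdict per binary. This is an added example, not part of the original post; the function names and the list of paths are assumptions. A bash that executes the text placed after the function body prints the word vulnerable on its own line before the test line.

```shell
#!/bin/sh
# Added example: automate the env-variable test from the post.

MARKER="vulnerable"        # word echoed by the trailing command in the test string
PROBE="this is a test"     # text printed by the legitimate command

# classify_output OUTPUT -> "vulnerable", "not vulnerable" or "inconclusive".
# The trailing "echo vulnerable" only runs when bash executes text that
# follows the function body while importing the environment variable.
classify_output() {
    out=$1
    case "$out" in
        *"$PROBE"*) ;;                        # bash ran the requested command
        *) echo "inconclusive"; return 0 ;;   # test did not run at all
    esac
    # A whole line equal to the marker means the trailing command executed.
    if printf '%s\n' "$out" | grep -qx "$MARKER"; then
        echo "vulnerable"
    else
        echo "not vulnerable"
    fi
}

# check_bash PATH -> run the post's test string against one bash binary.
# stderr is discarded: partially patched builds print warnings there.
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "inconclusive"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo $PROBE" 2>/dev/null) || true
    classify_output "$out"
}

# report -> one line per bash binary found (path list is an assumption;
# extend it with any other copies of bash installed on the host).
report() {
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$bin" ] || continue
        printf '%s (%s): %s\n' "$bin" \
            "$("$bin" -c 'echo "$BASH_VERSION"' 2>/dev/null)" "$(check_bash "$bin")"
    done
}

report
```

Any binary reported as vulnerable needs the vendor's updated bash package; rerun the script after patching to confirm the verdict changes.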

Unfortunately, a patch released Thursday (CVE-2014-6271) turned out to be incomplete. However, a newer patch released Friday resolved the outstanding issues. We recommend applying this patch as soon as possible. The gratifying aspect of this issue has been the speed with which vendors have issued patches.

Scott Reeves