Critical Vulnerability in the Bourne Again Shell (BASH) aka ShellShock

The GNU Bash shell contains a critical vulnerability that potentially allows remote code execution by an unauthenticated user. Many Unix-based operating systems are affected, including Linux and MacOSX. Other systems that include Bash, such as embedded industrial control systems, are also known to be affected. Automated malicious activity targeting this vulnerability has been publicly reported.
 

Recommendations

CERT Australia recommends the following defensive measures:

  • Patch affected Internet facing systems at the earliest opportunity, and monitor vendor advisories for further updates.

  • Be aware that details relating to the vulnerability and its exploitation are rapidly evolving and should be closely monitored.

  • Work closely with security vendors to determine if they have effective detection and mitigation strategies, and application vendors to determine which products are affected.

  • Internet facing systems should be closely monitored for related activity and detected incidents should be reported to CERT Australia.

  • Follow good cyber security practices to secure internet connected devices:

    • Block unnecessary inbound traffic at the firewall

    • Disable unnecessary services running on devices

    • If running web server software, ensure it runs from low privilege accounts

    • Filtering input to websites, through a Web Application Firewall, can also help to limit impact

    • Ensure logging and auditing functionality is enabled and actively monitored
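The monitoring recommended above needs a concrete signature to look for. The following script is an added example, not part of the CERT Australia advisory: it scans Apache-style access log lines (constructed here, with addresses from the 198.51.100.0/24 documentation range) for the "() {" prefix that Bash requires before it will import an environment variable as a function, which is the string an exploit attempt must carry in a request header such as User-Agent or Referer.

```shell
#!/bin/sh
# Added example, not from the CERT Australia advisory: scan an Apache-style
# access log for the Shellshock function-definition prefix "() {".
# CGI hands request headers to scripts as environment variables, so an
# exploit string sent in User-Agent, Referer or similar is logged verbatim.
# The log lines below are constructed for this example.
SAMPLE_LOG='198.51.100.7 - - [25/Sep/2014:10:01:12 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.8 - - [25/Sep/2014:10:01:15 +1000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:02:40 +1000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.37.0"
198.51.100.9 - - [25/Sep/2014:10:03:01 +1000] "POST /cgi-bin/login HTTP/1.1" 200 128 "-" "Mozilla/5.0 (Windows NT 6.1)"'

# Bash only imports a variable as a function when its value starts with
# exactly "() {", so matching that fixed string is precise: it does not
# occur in legitimate browser headers.  Reads a log on stdin, prints hits.
shellshock_hits() {
    grep -F '() {'
}

# Number of matching requests in the log file named by $1.
shellshock_hit_count() {
    shellshock_hits < "$1" | wc -l | tr -d ' '
}

# Distinct client addresses that sent the pattern, one per line, sorted:
# input for a firewall block list or the incident report.
shellshock_sources() {
    shellshock_hits < "$1" | awk '{ print $1 }' | sort -u
}

# Demo: write the constructed log to a temporary file and summarise it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "hits: $(shellshock_hit_count "$tmp")"
echo "sources:"
shellshock_sources "$tmp"
rm -f "$tmp"
```

Point the functions at the real access log to get a count and the list of sources; a hit on a 200 response against a CGI path deserves the same response as a confirmed incident.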

Details

Bash is a widely used program included by default on many non-Windows operating systems including Unix, Linux and MacOSX as well as in embedded systems ranging from home routers to industrial controllers. Versions of Bash released from as early as 1995 (version 1.14) and onwards are affected. The Bash shell is a general purpose interface to Unix-like operating systems and is utilised by a wide range of applications including, for example, web servers, remote login services such as SSH and DHCP client software which interacts with a remote service to configure a device’s network settings. All applications which utilise Bash are potentially affected by this vulnerability.

Multiple vulnerabilities in Bash have been identified, including the initial vulnerability (CVE-2014-6271), which was incompletely patched, leading to the discovery of a further vulnerability (CVE-2014-7169). With the increased attention on Bash, further vulnerabilities have been discovered, including CVE-2014-7186, CVE-2014-7187 and CVE-2014-6277. Those affected should continuously monitor for updates and apply them as they become available.
 

Improper Input Validation (CVE-2014-6271)

Bash versions up to 4.3 process commands placed after function declarations that are assigned to environment variables. The vulnerability allows remote attackers to execute arbitrary commands by crafting a specially formatted environment variable. This vulnerability potentially affects all applications which invoke a Bash shell, including, to name only a few, Apache servers that use CGI, OpenSSH and DHCP client scripts.

To verify whether a system is affected by this vulnerability, execute the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable

this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test

or simply:

this is a test
 

Improper Input Validation (CVE-2014-7169)

The patch that was released to address CVE-2014-6271 was incomplete. Functions declared in environment variables could still be manipulated to achieve unintended command execution.

To verify whether a system is affected by this vulnerability, execute the following command:

env X='() { (teststring)=>\' bash -c "echo date"; cat echo ; rm -f echo

A vulnerable system will output today's date, e.g.:

Mon Sep 29 12:46:52 EST 2014 (it may also show errors).

An unaffected (or patched) system will output the word "date" instead of the actual date (it may also show errors).
 

Improper Input Validation (CVE-2014-7186)

The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

To verify whether a system is affected by this vulnerability, execute the following command:

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

A vulnerable system will output the following:

CVE-2014-7186 vulnerable, redir_stack
 

Improper Input Validation (CVE-2014-7187)

An off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

To verify whether a system is affected by this vulnerability, execute the following command:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

A vulnerable system will output the following:

CVE-2014-7187 vulnerable, word_lineno
 

Improper Input Validation (CVE-2014-6277)

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

To verify whether a system is affected by this vulnerability, execute the following command:

foo='() { echo not patched; }' bash -c foo

A vulnerable system will output the following:

not patched
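The five verification commands above are meant to be run one at a time by hand. The script below is an added example, not part of the CERT Australia advisory: it wraps each of them in a function that returns a one-word verdict, runs the CVE-2014-7169 test in a temporary directory (that test writes a file named "echo" into the current directory), and generates the 200 nested loops without Bash brace expansion so the audit itself runs under plain /bin/sh. BASH_BIN is an assumed environment override for auditing a build other than the one on PATH.

```shell
#!/bin/sh
# Added example, not from the CERT Australia advisory: runs the advisory's
# five verification commands as one audit and prints a one-word verdict per
# CVE.  Each check returns "vulnerable", "patched" or "absent" (no bash found).
# BASH_BIN is an assumed override so another build can be audited.
BASH=${BASH_BIN:-bash}
have_bash() { command -v "$BASH" >/dev/null 2>&1; }

check_6271() {   # function import runs commands that follow the definition
    have_bash || { echo absent; return; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in *vulnerable*) echo vulnerable ;; *) echo patched ;; esac
}
check_7169() {   # incomplete first fix: a vulnerable bash runs "date" into ./echo
    have_bash || { echo absent; return; }
    dir=$(mktemp -d)   # the test writes a file named "echo" into the cwd
    (cd "$dir" && env X='() { (teststring)=>\' "$BASH" -c 'echo date' >/dev/null 2>&1) || true
    if [ -s "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}
check_7186() {   # redir_stack: 14 stacked here-documents crash a vulnerable parser
    have_bash || { echo absent; return; }
    if "$BASH" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    then echo patched; else echo vulnerable; fi
}
nested_for_script() {   # 200 nested "for" loops, built without bash brace expansion
    i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
    i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
}
check_7187() {   # word_lineno: off-by-one in read_token_word
    have_bash || { echo absent; return; }
    if nested_for_script | "$BASH" >/dev/null 2>&1; then echo patched; else echo vulnerable; fi
}
check_6277() {   # function parsing still unsafe after the first two fixes
    have_bash || { echo absent; return; }
    out=$(env foo='() { echo not patched; }' "$BASH" -c foo 2>/dev/null) || true
    case "$out" in *"not patched"*) echo vulnerable ;; *) echo patched ;; esac
}
audit_shellshock() {   # one line per CVE; returns 1 if anything is vulnerable
    bad=0
    for c in 6271 7169 7186 7187 6277; do
        v=$("check_$c"); printf 'CVE-2014-%s: %s\n' "$c" "$v"
        [ "$v" = vulnerable ] && bad=1
    done
    return "$bad"
}
audit_shellshock
```

The non-zero exit status on any "vulnerable" verdict lets the script be pushed across a fleet by a configuration management tool and the failures collected for patching.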
 

Resources

Further details about this vulnerability:

Affected products list