Oct. 3, 2014

Critical Vulnerability Affects Linux, Unix, and Mac OS X Operating Systems

Last week, a critical vulnerability was disclosed that has the potential to affect many versions of the Linux, Unix, and Mac OS X operating systems. Known as Shellshock or Bashdoor, this vulnerability was identified in the GNU Bourne Again Shell (Bash) and, if exploited successfully, could allow an attacker to remotely control the target computer. The National Institute of Standards and Technology (NIST) has ranked this and subsequent related vulnerabilities as high (10 out of 10) with low complexity, which means little skill is required to exploit them. Bash is a program that numerous applications and services on Unix systems use to execute command lines and scripts. By crafting malicious commands that are executed by the system, an attacker is able to run commands directly on the underlying operating system.

On operating systems that use Bash, programs rely on a set of values called environment variables, which store information they need to run. These variables can include everything from information about the user running the script to places where other scripts can be found to information stored while the script is running. An issue occurs when an affected program, such as the Apache Web Server or Secure Shell Service, uses Bash to process information. An attacker is then able to set an environment variable whose contents are subsequently executed by the system: vulnerable Bash versions go on to process commands written after a function definition stored in an environment variable. Successful exploitation gives the attacker the ability to execute arbitrary code, potentially allowing remote control of the affected host.

Identifying the Issue
Numerous organizations have given this vulnerability their highest rating, and it is important that organizations assess the potential risk posed to them. Any Linux, Unix, or Mac OS X operating system running GNU Bash 1.14 through 4.3 is currently believed to be vulnerable. If an organization determines its systems are vulnerable, it should check whether any of those systems allow Bash to be used remotely. The identification commands below can be used to verify vulnerability once suspicions are raised.

For all Unix devices, check for and deploy updates, or contact the vendor to identify if a patch is in progress. Continue to check regularly with vendors for updates on remedies to the issue.

Beyond patching, it is important to limit attackers’ ability to execute Bash commands remotely. If possible, limit which services can be accessed from the Internet. Additionally, multiple IDS/IPS/WAF vendors have implemented signatures that try to identify attempted attacks. Where possible, update to the latest signature releases immediately. Also, monitor Apache logs and IDS systems for specific traffic patterns such as “() {” to help detect potential threats early in the process.
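One way to implement the log monitoring described above, as an added example that is not part of the original advisory: it scans Apache access-log lines for the "() {" marker and groups hits by source address. The function name, the assumption that the server writes the "combined" log format, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format (assumed here):
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes embedded quotes as \" so a quoted field must allow \-escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)
MARKER = "() {"  # the pattern the advisory suggests monitoring for


def find_marker_hits(lines):
    """Return {source: [(field, status), ...]} for log lines carrying MARKER."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            # Unparseable or truncated line: do not drop it silently.
            if MARKER in line:
                hits["unparsed"].append(("raw", None))
            continue
        ip, request, status, referer, agent = m.groups()
        fields = (("request", request), ("referer", referer), ("user-agent", agent))
        for name, value in fields:
            if MARKER in value:
                hits[ip].append((name, int(status)))
    return dict(hits)


# Constructed sample lines: documentation addresses and a harmless echo payload.
SAMPLE_LOG = [
    r'192.0.2.10 - - [03/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [03/Oct/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 128 "-" "() { :; }; echo \"probe\""',
    r'198.51.100.7 - - [03/Oct/2014:10:00:06 +0000] "GET /cgi-bin/test HTTP/1.1" 404 210 "() { :; }; echo probe" "curl/7.38.0"',
    r'203.0.113.5 - - [03/Oct/2014:10:00:09 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'truncated entry () { :; }; echo probe',
]

if __name__ == "__main__":
    for source, found in find_marker_hits(SAMPLE_LOG).items():
        for field, status in found:
            print(f"{source}: marker in {field} (HTTP status {status})")
```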

Identification Commands
To identify if a system is vulnerable, Unix systems administrators can copy and paste the various commands below into the Unix console and review the output. Organizations can use an executable script that will output specific vulnerable CVEs.

CVE-2014-6271 – This command will generate a message stating the system is vulnerable:
  env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id

CVE-2014-7169 – This command will create a file named echo in the current working directory with the date in it, if vulnerable:
  env X='() { (a)=>\' bash -c "echo date"; cat echo

CVE-2014-7186 – This command will generate a message stating the system is vulnerable:
  bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

CVE-2014-7187 – This command will generate a message stating the system is vulnerable:
  (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

CVE-2014-6278 – This command will generate a message stating the system is vulnerable:
  env X='() { _; } >_[$($())] { echo hi mom; id; }' bash -c :

CVE-2014-6277 – This command will throw a segmentation fault if the system is vulnerable:
  env X='() { x() { _; }; x() { _; } <<a; }' bash -c :

For More Information
Raj Chaudhary

Lucas Morris

Adam Zamora