Thursday, September 25, 2014

Linux Bash Vulnerability CVE-2014-6271 ("Shellshock")

There is apparently a vulnerability in bash
Vulnerability has been found where variables that control the environment of the Linux system can be sent to the Bash application and when the Bash application starts, the content of the variable will be executed. This vulnerability allows a hacker to inject malicious code that the Bash application will run without validation. In a worst case scenario, this can allow the hacker to gain control of the system.

The bug lies in Bash's handling of environment variables: when assigning a function to a variable, trailing code in the function definition will be executed, leaving the door wide open for code-injection attacks. The vulnerability is exploitable remotely if code can be smuggled into environment variables sent over the network – and it's surprisingly easy to do so.

Systems Affected

Linux (all OS versions containing Bash GNU 4.3 or earlier)
Mac OSX (v10.9.5 and earlier) NOTE: Not confirmed yet but suspected
Freebsd running bash version <= 4.3

Test if your servers is vulnerable:
Execute the following code on bash shell

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

If you get the output “vulnerable” then your system is affected.

Installing update

Most of the distros already patched bash and released an update, install the update using your distro package management system.  A GNU Bashpatch is also available for experienced users and administrators to implement.

I am running couple of latest Ubuntu (Trusty) virtual machines, and when I checked they already released bash updates (4.3-7ubuntu1.1)
sudo apt-get update        # Fetches the list of available updates
sudo apt-get dist-upgrade  # Installs updates

Test after installing update
# env x='() { :;}; echo vulnerable' bash -c "echo this is "
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Bravo the system is now patched and no more worries about bash shellshock :)

No comments:

Post a Comment