October 6, 2014

Threat Update: BASH Vulnerability

What is the vulnerability?

Akamai security researcher Stephane Chazelas has discovered a critical vulnerability in the command-line shell known as BASH, or GNU Bourne-again Shell, the most widely deployed shell for Unix-based systems. The vulnerability has had several variations, which are now tracked under the CVE identifiers CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187, and is being referred to as “Shellshock”.

BASH is deployed in many systems, including Linux, Debian, Ubuntu, Mac OS X and Android, and has even been ported to Windows. Nearly all BASH implementations are vulnerable to the Shellshock bug; however, successful exploitation depends on numerous variables.

Although Shellshock won’t affect as many devices as Heartbleed (discovered earlier this year), the consequences could be much more severe. This is because the BASH vulnerability allows hackers to remotely execute commands, rather than just steal information from servers.

Most at risk from this bug are businesses (of any size), in particular website owners, as Shellshock may allow access to sensitive data and provide attackers with a foothold on their network. It is recommended that enterprise organizations with a large online presence stay well informed of the BASH vulnerability and any patches that become available. Neglected systems, or systems that don’t get updated regularly, most likely won’t receive the necessary patches to fix these vulnerabilities. Herjavec Group recommends the application of available patches immediately, regardless of how exposed the application is to the internet.

What is the exploit?

The vulnerability lies in how BASH handles environment variables. When an environment variable contains a function definition, BASH continues to process the text that follows the end of the function instead of stopping there. An attacker who can set the value of an environment variable can use this behaviour to make BASH run commands of their choosing.

Some of the major attack vectors that have been identified in this case are:

  • HTTP requests
  • Apache server using mod_cgi or mod_cgid scripts that are either written in BASH, or spawn subshells.
  • Remotely connect to a service such as FTP, SSH, etc.
  • Scripts executed by unspecified DHCP clients
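
For the HTTP and CGI vectors, request headers reach a CGI script as environment variables (HTTP_USER_AGENT, HTTP_REFERER), and vulnerable BASH treats a value as a function definition when it begins with "() {". The script below is an added example, not part of the original notice: it flags access-log entries whose Referer or User-Agent begins with that prefix. It assumes the Apache "combined" log format; the function names and the sample lines (documentation addresses, the harmless echo string from the test commands on this page) are constructed for illustration.

```shell
# scan_shellshock (hypothetical name): read access-log lines on stdin and
# print "<client> <where>" for every line carrying the "() {" prefix.
#   referer / user-agent : the header value BEGINS with "() {", which is the
#                          form vulnerable BASH imports as a function
#   elsewhere            : the string appears somewhere else in the line;
#                          lower confidence, worth a manual look
# Splitting on the double quote gives: $2 request, $4 referer, $6 user-agent.
# A header containing an escaped quote shifts the fields; such lines still
# surface through the "elsewhere" fallback.
scan_shellshock() {
    awk -F'"' '
    {
        split($1, head, " ")                 # head[1] is the client address
        where = ""
        if (index($4, "() {") == 1)          where = "referer"
        else if (index($6, "() {") == 1)     where = "user-agent"
        else if (index($0, "() {") > 0)      where = "elsewhere"
        if (where != "") print head[1], where
    }'
}

# Constructed sample log, embedded so the example runs offline.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [06/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;}; echo vulnerable to CVE-2014-6271"
203.0.113.5 - - [06/Oct/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "() { :;}; echo vulnerable to CVE-2014-6271" "curl/7.38.0"
192.0.2.44 - - [06/Oct/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "Mozilla/5.0 () { :;}; echo vulnerable to CVE-2014-6271"
EOF
}

# Run the scanner over the constructed sample.
sample_log | scan_shellshock
```

A hit shows that a request carried the prefix, not that the server was vulnerable or that a command ran; confirm patch status on the host with the test commands further down this notice.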

How to check if you’re vulnerable

Although vendors have been releasing patches for the various Shellshock variations, the list of confirmed CVEs keeps growing! As listed on ShellShocker.net, there are currently six different methods that can be used to exploit BASH. Some of these methods allow for code to be executed, while some are limited to simply crashing the BASH shell. However, all Shellshock-related CVEs are rated with the highest possible severity (10) for Impact and Exploitability by NIST and should therefore all be treated equally.

As seen in our previous Shellshock Notice, below are some sample commands that can be used to test the various applications in your environment. Please open a terminal and paste the below commands.

CVE-2014-6271

env x='() { :;}; echo vulnerable to CVE-2014-6271' bash -c "echo 'hello'"

If vulnerable, the text “vulnerable to CVE-2014-6271” will appear.

CVE-2014-6277

bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo "vulnerable to CVE-2014-6277"

If vulnerable, the text “vulnerable to CVE-2014-6277” will appear.

CVE-2014-6278

shellshock='() { echo vulnerable to CVE-2014-6278; }' bash -c shellshock

If vulnerable, the text “vulnerable to CVE-2014-6278” will appear.

CVE-2014-7169

env X='() { (a)=>\' bash -c "echo echo vulnerable to CVE-2014-7169" > /dev/null; cat echo; rm ./echo

If vulnerable, the text “vulnerable to CVE-2014-7169” will appear.

CVE-2014-7186

bash -c 'true <

If vulnerable, the text “CVE-2014-7186 vulnerable, redir_stack” will appear.

CVE-2014-7187

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

If vulnerable, the text “CVE-2014-7187 vulnerable, word_lineno” will appear.

All security partners are now aware of this vulnerability and are in the midst of researching methods of prevention (patch or block) and detection. Herjavec Group will engage our existing customers once updates for their security product(s) are confirmed.

Available Patches

According to the US-CERT site, updates have been released for the following operating systems:

Updates from Our Partners



