"ShellShock" - what are you doing?

Mike Kerner MikeKerner at roadrunner.com
Thu Sep 25 15:44:24 EDT 2014 

Here's the email I just got from CERT:

[image: NCCIC / US-CERT]

National Cyber Awareness System:
TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
(CVE-2014-6271,CVE-2014-7169)
<https://www.us-cert.gov/ncas/alerts/TA14-268A>
09/25/2014 12:56 PM EDT

Original release date: September 25, 2014
Systems Affected

   - GNU Bash through 4.3.
   - Linux, BSD, and UNIX distributions including but not limited to:
      - CentOS
      <http://lists.centos.org/pipermail/centos/2014-September/146099.html> 5
      through 7
      - Debian
      <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
      - Mac OS X
      - Red Hat Enterprise Linux 4 through 7
      - Ubuntu <http://www.ubuntu.com/usn/usn-2362-1/> 10.04 LTS, 12.04
      LTS, and 14.04 LTS

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell
(Bash), the common command-line shell used in most Linux/UNIX operating
systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely
execute shell commands by attaching malicious code in environment variables
used by the operating system [1]
<http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
The United States Department of Homeland Security (DHS) is releasing this
Technical Alert to provide further information about the GNU Bash
vulnerability.
Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands
placed after function definitions in the added environment variable,
allowing remote attackers to execute arbitrary code via a crafted
environment which enables network-based exploitation. [2
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>, 3
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]

Critical instances where the vulnerability may be exposed include: [4
<https://access.redhat.com/security/cve/CVE-2014-6271>, 5
<http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
]

   - Apache HTTP Server using mod_cgi or mod_cgid scripts either written in
   bash, or spawn subshells.
   - Override or Bypass ForceCommand feature in OpenSSH sshd and limited
   protection for some Git and Subversion deployments used to restrict shells
   and allows arbitrary command execution capabilities.
   - Allow arbitrary commands to run on a DHCP client machine, various
   Daemons and SUID/privileged programs.
   - Exploit servers and other Unix and Linux devices via Web requests,
   secure shell, telnet sessions, or other programs that use Bash to execute
   scripts.

Impact

This vulnerability is classified by industry standards as “High” impact
with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes
little skill to perform. This flaw allows attackers to provide specially
crafted environment variables containing arbitrary commands that can be
executed on vulnerable systems. It is especially dangerous because of the
prevalent use of the Bash shell and its ability to be called by an
application in numerous ways.
Solution

Patches have been released to fix this vulnerability by major Linux vendors
for affected versions. Solutions for CVE-2014-6271 do not completely
resolve the vulnerability. It is advised to install existing patches and
pay attention for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD
variants, and Apple Mac OS X include Bash and are likely to be affected.
Contact your vendor for updated information. A list of vendors can be found
in CERT Vulnerability NoteVU#252743 <http://www.kb.cert.org/vuls/id/252743>
[6] <http://www.kb.cert.org/vuls/id/252743>.

US-CERT recommends system administrators review the vendor patches and the
NIST Vulnerability Summary for CVE-2014-7169
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>, to
mitigate damage caused by the exploit.
References

   - Ars Technica, Bug in Bash shell creates big security hole on anything
   with *nix in it;
   <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
   - DHS NCSD; Vulnerability Summary for CVE-2014-6271
   <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
   - DHS NCSD; Vulnerability Summary for CVE-2014-7169
   <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
   - Red Hat, CVE-2014-6271
   <https://access.redhat.com/security/cve/CVE-2014-6271>
   - Red Hat, Bash specially-crafted environment variables code injection
   attack
   <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
   - CERT Vulnerability Note VU#252743
   <http://www.kb.cert.org/vuls/id/252743>

Revision History

   - September 25, 2014 - Initial Release

------------------------------

More information about the use-livecode mailing list