Bridgeway Insights

Shellshock: Patch now!

Posted by Jason Holloway 25 September 2014

A new vulnerability has been discovered in a common Unix and Linux component, the Bash shell. The vulnerability is remotely exploitable, and patches have been released for all the major operating systems.

If you run any Unix or Linux systems, we recommend you test for the vulnerability immediately.

Testing for this vulnerability is straightforward.  On a Linux or Unix command line, simply copy and paste the following command to a shell prompt:

env foo='() { :;}; echo -n "is not "' bash -c "echo safe" 

If the command responds with:

is not safe

Then your system is vulnerable. However, your system is patched if your response is this or similar:

bash: warning: foo: ignoring function definition attempt
bash: error importing function definition for 'foo'
safe
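
The test above, wrapped as an added shell example that is not part of the original post: it runs the same command against every bash binary it can find, since a host can carry more than one copy of bash. The candidate paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit bash binaries with the test command from this post.

# Map the test's stdout to a verdict. "is not safe" means the injected echo
# ran while bash imported the function definition from the environment.
classify_output() {
    case "$1" in
        "is not safe") echo vulnerable ;;
        "safe")        echo patched ;;
        *)             echo unknown ;;
    esac
}

# Run the post's test against one bash binary (path in $1).
# stderr is discarded because patched builds may print warnings there.
check_bash() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    out=$(env foo='() { :;}; echo -n "is not "' "$1" -c "echo safe" 2>/dev/null) || true
    classify_output "$out"
}

# Candidate locations are assumptions; /etc/shells is consulted when readable.
list_bash_candidates() {
    {
        printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash
        if [ -r /etc/shells ]; then grep '^/.*/bash$' /etc/shells || true; fi
        command -v bash || true
    } 2>/dev/null | sort -u
}

# Print one "verdict path" line per binary found; return 1 if any is vulnerable.
audit_bash() {
    rc=0
    for b in $(list_bash_candidates); do
        verdict=$(check_bash "$b")
        if [ "$verdict" = missing ]; then continue; fi
        echo "$verdict $b"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    return $rc
}
```

Source the file and call audit_bash; a non-zero return status means at least one binary still needs patching.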

The vulnerability has the CVE identifier CVE-2014-6271 (and CVE-2014-7169) and is also known as Shellshock. This affects almost all Linux distributions and many Unix systems as well. You will need to patch as soon as possible.

Especially vulnerable:

  • Apache servers using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).

  • ForceCommand used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.

  • DHCP clients invoking shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

  • Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set or influenced by the user, which would allow for arbitrary commands to be run.

  • Any other application which is hooked onto a shell or runs a shell script using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

You may decide that due to the risks posed by this vulnerability, services that cannot be immediately patched (e.g. awaiting a vendor patch) should be disconnected from the internet.

Updated 26 September: Patches for both vulnerabilities are now available for all major *nix OSes.
