“Shellshock” Bash Code Injection Vulnerability

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The vulnerability could allow an attacker to remotely execute shell commands by attaching malicious code to environment variables used by the operating system. For more information about this vulnerability, please see:

Risk

High

Impacted Systems

  • Any Linux-based systems (e.g. Red Hat, Ubuntu, Debian) running Bash 4.3 and below
  • Any Unix or Unix variant (e.g. Solaris, FreeBSD) running Bash 4.3 and below
  • Any appliances running Bash 4.3 and below
  • Majority of Mac laptops and desktops

Non-Impacted Systems

  • Microsoft Windows operating systems
  • Cisco Networking devices (e.g. Switches, Routers, Firewalls)

Recommendation

Apply the patches provided by corresponding system vendors

  • All major vendors have already released patches for this vulnerability
  • Most patches do not need a reboot

The patches are cumulative; applying the latest patch covers the vulnerability fixes included in previous patches.

  • CVE-2014-6271: Published on Sept 24. First advisory regarding bash vulnerability
  • CVE-2014-7169: Published on Sept 24. Addressed the incomplete fix for CVE-2014-6271
  • CVE-2014-6277: Published on Sept 27. Addressed the incomplete fix for CVE-2014-6271 and CVE-2014-7169
  • CVE-2014-6278: Published on Sept 30. Addressed the incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
  • CVE-2014-7186: Published on Sept 28. Results in memory corruption
  • CVE-2014-7187: Published on Sept 28. Not considered to cause any security impact

The following Red Hat page contains the latest links to the CVEs: https://access.redhat.com/announcements/1210053

Vulnerability Checking

  • Nessus has released a plugin to check for this vulnerability
  • The vulnerability may be checked manually by running the following test at the Bash command prompt.
    If you receive the following response, the system is vulnerable:
    $ env ls='() { echo Vulnerable; }' bash -c ls
    Vulnerable

    After applying the patch, you should receive a normal directory listing instead, for example:
    $ env ls='() { echo Vulnerable; }' bash -c ls
    Desktop Downloads Pictures Videos Documents Music Public
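
The manual test above, wrapped as a script so it can be run unattended on many hosts (an added example, not part of the original advisory). The helper names `check_bash` and `scan_shells` are hypothetical, and the script assumes installed shells are listed in `/etc/shells`.

```shell
#!/bin/sh
# Added example: automates the advisory's manual function-import test.

# check_bash PATH  (hypothetical helper; PATH must be absolute)
# Prints "vulnerable", "patched" or "error"; returns 1, 0 or 2 respectively.
check_bash() {
    shell=$1
    [ -x "$shell" ] || { echo error; return 2; }
    # Scratch directory holding one known file, so a genuine `ls` prints
    # exactly "marker" rather than whatever is in the caller's directory.
    scratch=$(mktemp -d) || { echo error; return 2; }
    : > "$scratch/marker"
    # Same command as the advisory, with the shell under test substituted.
    out=$(cd "$scratch" && env ls='() { echo Vulnerable; }' "$shell" -c ls 2>/dev/null) || :
    rm -rf "$scratch"
    case $out in
        Vulnerable) echo vulnerable; return 1 ;;  # function imported from the environment
        marker)     echo patched;    return 0 ;;  # the real ls ran
        *)          echo error;      return 2 ;;  # unexpected output: inspect by hand
    esac
}

# scan_shells [LIST]  (hypothetical helper)
# Checks every bash listed in LIST (default /etc/shells), one result per line.
# Returns non-zero if any listed bash is not confirmed patched.
scan_shells() {
    list=${1:-/etc/shells}
    rc=0
    for candidate in $(grep -E '^/.*/bash$' "$list" 2>/dev/null | sort -u); do
        result=$(check_bash "$candidate") || rc=1
        printf '%s\t%s\n' "$candidate" "$result"
    done
    return $rc
}
```

Calling `scan_shells` with no argument checks every Bash listed in `/etc/shells`; a non-zero exit status means at least one copy was not confirmed patched, which matters on hosts that carry more than one Bash binary.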

Exploits

Publicly available exploits are starting to surface

Attack Vectors

The following are the primary attack vectors:

  • SSH
  • ForceCommand feature in OpenSSH sshd
  • mod_cgi and mod_cgid modules in the Apache HTTP Server
  • scripts executed by unspecified DHCP clients

Useful Links

NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

US-CERT: https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

Further information about the Shellshock bug can be found on the IT website, including information specific to the UBC community at large: http://it.ubc.ca/bash-vulnerability-shellshock-exploit.

Disclaimer

This advisory was released shortly after the public announcement of the vulnerability. New facts are expected to surface shortly.