A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The vulnerability could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. For more information about this vulnerability, please see:
- NVD Vulnerability Note CVE-2014-6271
- NVD Vulnerability Note CVE-2014-6277
- NVD Vulnerability Note CVE-2014-6278
- NVD Vulnerability Note CVE-2014-7169
- NVD Vulnerability Note CVE-2014-7186
- NVD Vulnerability Note CVE-2014-7187
- CERT Vulnerability Note VU#252743
Risk
High
Impacted Systems
- Any Linux-based systems (e.g. Red Hat, Ubuntu, Debian) running Bash 4.3 and below
- Any Unix or Unix variant (e.g. Solaris, FreeBSD) running Bash 4.3 and below
- Any appliances running Bash 4.3 and below
- Majority of Mac laptops and desktops
Non-Impacted Systems
- Microsoft Windows operating systems
- Cisco Networking devices (e.g. Switches, Routers, Firewalls)
Recommendation
Apply the patches provided by corresponding system vendors
- All major vendors have already released patches for this vulnerability
- Most patches do not need a reboot
The patches are cumulative; applying the latest patch covers the vulnerability fixes included in previous patches.
- CVE-2014-6271: Published on Sept 24. First advisory regarding bash vulnerability
- CVE-2014-7169: Published on Sept 24. Addressed the incomplete fix for CVE-2014-6271
- CVE-2014-6277: Published on Sept 27. Addressed the incomplete fix for CVE-2014-6271 and CVE-2014-7169
- CVE-2014-6278: Published on Sept 30. Addressed the incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
- CVE-2014-7186: Published on Sept 28. Results in memory corruption
- CVE-2014-7187: Published on Sept 28. Not considered to cause any security impact
The following Red Hat page contains the latest links to the CVEs: https://access.redhat.com/announcements/1210053
Vulnerability Checking
- Nessus has released a plugin to check for this vulnerability
- The vulnerability may be checked manually by executing the following test at the Bash command prompt
If, upon running the test below, you receive the following response, the system is vulnerable:
$ env ls='() { echo Vulnerable; }' bash -c ls
Vulnerable
After applying the patch, you should instead receive the normal output of ls (a directory listing), for example:
$ env ls='() { echo Vulnerable; }' bash -c ls
Desktop Downloads Pictures Videos Documents Music Public
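The manual test above can be scripted so that it gives an unambiguous result for each Bash binary on a host. The following is an added example, not part of the original advisory; the function names check_bash and report, the scratch directory, and the list of binary paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: wraps the advisory's manual test so it can be run unattended.

# check_bash BASH_PATH
# Prints "vulnerable", "patched" or "error"; exit status 1, 0 or 2 respectively.
check_bash() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo "error"; return 2; }

    # Run in an empty directory so that, on a patched shell, the real ls
    # prints nothing and cannot be confused with the marker string.
    scratch=$(mktemp -d) || { echo "error"; return 2; }

    # The advisory's test: a vulnerable Bash imports the variable named "ls"
    # as a shell function and runs it in place of the ls binary.
    out=$(cd "$scratch" && env ls='() { echo Vulnerable; }' "$bash_bin" -c ls 2>/dev/null)
    rmdir "$scratch"

    if [ "$out" = "Vulnerable" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "patched"
    return 0
}

# report BASH_PATH...
# Prints one tab-separated line per existing binary: path, version, result.
# Returns 1 if any binary did not test as patched.
report() {
    status=0
    for b in "$@"; do
        [ -x "$b" ] || continue
        ver=$("$b" -c 'echo "$BASH_VERSION"' 2>/dev/null)
        result=$(check_bash "$b") || status=1
        printf '%s\t%s\t%s\n' "$b" "${ver:-unknown}" "$result"
    done
    return $status
}

# Common install locations (assumed; adjust for the host being checked).
report /bin/bash /usr/bin/bash /usr/local/bin/bash
```

A host can carry more than one Bash binary (for example a locally built copy under /usr/local), so each path is tested separately rather than relying on whichever one is first in PATH.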
Exploits
Publicly available exploits are starting to surface
Attack Vectors
The following are the primary attack vectors:
- SSH
- ForceCommand feature in OpenSSH sshd
- mod_cgi and mod_cgid modules in the Apache HTTP Server
- scripts executed by unspecified DHCP clients
Useful Links
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Further information about the Shellshock bug can be found on the IT website, including information specific to the UBC community at large: http://it.ubc.ca/bash-vulnerability-shellshock-exploit.
Disclaimer
This advisory was released shortly after the public announcement of the vulnerability. New facts are expected to surface shortly.