Bash ‘Shellshock’ Vulnerability (CVE-2014-6271 & CVE-2014-7169)

A very serious flaw in a critical piece of software that runs on almost all Linux operating systems has been found.

BBC news story:
http://www.bbc.co.uk/news/technology-29361794

Dubbed ‘Shellshock’, the flaw allows attackers to potentially take control of a vulnerable system and gain access to all data stored on that system.

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

https://www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock/

We are pleased to report that all critical systems have already been updated with the latest versions of the bash software along with various other routine updates.

Testing:

It is possible to test for this flaw from a shell script on a Linux system using the following command:

env var='() { ignore this;}; echo vulnerable' bash -c /bin/true

An affected version of bash will output “vulnerable”.

Source for this command along with further information:
https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271

More:

http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported-in-the-wild/

If you’re a Mac owner and worried about this, the vast majority of Mac users are very likely safe. You’d need to be running a web server with CGI enabled, or some other externally accessible service, on your Mac (and by no means all such services would expose this vulnerability). More on this here:
http://www.macworld.com/article/2687763/safe-from-shellshock-how-to-protect-your-home-computer-from-the-bash-shell-bug.html

http://www.avg.com/gb-en/shellshock

Update 29 September 2014

We are starting to see attempts to exploit this bug in our server logs now. Below are just a few examples from the web access log this morning. The code shown here has been directed against 15 different web sites in the last 24 hours:

[28/Sep/2014:05:10:01 +0100] "GET / HTTP/1.1" 200 64428 "-" "() { foo;};echo;/bin/cat /etc/passwd"
[28/Sep/2014:08:21:15 +0100] "GET / HTTP/1.1" 200 11880 "-" "() { foo;};echo;/bin/cat /etc/passwd"
[28/Sep/2014:10:28:42 +0100] "GET / HTTP/1.1" 200 5168 "-" "() { foo;};echo;/bin/cat /etc/passwd"
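As an added example (not part of the original post), here is a small Python checker that scans access-log lines in the shape shown above for the bash function-definition prefix `() {` in any quoted field, since the request line and Referer can carry it just as easily as the User-Agent; the sample log lines, field names and regular expressions are constructed for this example. Note that a 200 status, as in the entries above, only means the page was served and says nothing about whether a CGI script ever handed the header to bash.

```python
import re

# Constructed sample log lines in the same shape as the excerpt above: two
# probes (one in the User-Agent, one in the Referer) and one ordinary request.
SAMPLE_LOG = """\
[28/Sep/2014:05:10:01 +0100] "GET / HTTP/1.1" 200 64428 "-" "() { foo;};echo;/bin/cat /etc/passwd"
[28/Sep/2014:05:12:44 +0100] "GET /index.html HTTP/1.1" 200 5168 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
[28/Sep/2014:08:21:15 +0100] "GET /cgi-bin/status HTTP/1.1" 404 209 "() { foo;};echo;/bin/cat /etc/passwd" "curl/7.37.0"
"""

# An exported bash function starts with "()" followed by "{". The whitespace
# between them is optional, so a plain search for "() {" would miss "(){".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Fields of the log shape above: [timestamp] "request" status size "referer" "user-agent".
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+"(?P<req>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\S+)'
    r'\s+"(?P<ref>[^"]*)"\s+"(?P<ua>[^"]*)"\s*$'
)


def scan_access_log(text):
    """Return one finding per matching line, naming the field that carried the
    function-definition prefix. Lines that do not parse are skipped, not guessed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({
                    "line": lineno,
                    "timestamp": m.group("ts"),
                    "field": field,
                    "status": int(m.group("status")),  # 200 != successful exploitation
                    "payload": m.group(field),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} [{f['timestamp']}] {f['field']}: {f['payload']!r}")
```

Pipe a real access log in via `scan_access_log(open(path).read())`; any hit is worth correlating with whether the requested path is actually served by a CGI handler on that host.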
