#Shellshock bug – critical vulnerability in the Bash Unix command-line interpreter

Shellshock or Bashdoor is a  security bug found in Unix Bash shell. It is a critical flaw which has been discovered on 24 September 2014 by Akamai Technologies security researcher Stephane Chazelas. “Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system” (Wikipedia, 2014). Targeted system must have a script or application which attempts to call Bash in order for the attack to succeed.

Common Vulnerabilities and Exposures database (CVE)

The flaw was originally assigned CVE-2014-6271, but it was later discovered that the patch had an issue in the parser and did not fully address the problem. MITRE later assigned CVE-2014-7169 and CVE-2014-6277,  4.3 CVE-2014-6278, 4.4 CVE-2014-7169
4.5 CVE-2014-7186, and 4.6 CVE-2014-7187 to cover the remaining problems after the application of the first patch. (Wikipedia, 2014).

CVSS Severity (version 2.0):

CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

How to test the Linux Unix or Mac OS X is vulnerable to Shellshock

Execute the command bellow in the bash shell

CVE-2014-6271

env VAR='() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test”

Bash will display the word “vulnerable”

Other CVES Proof of Concepts 

CVE-2014-7169

will create a file named echo in cwd with date in it, if vulnerable

env X='() { (a)=>\’ bash -c “echo date”; cat echo
CVE-2014-7186

bash -c ‘true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF’ || echo “CVE-2014-7186 vulnerable, redir_stack”
CVE-2014-7187

(for x in {1..200} ; do echo “for x$x in ; do :”; done; for x in {1..200} ; do echo done ; done) | bash || echo “CVE-2014-7187 vulnerable, word_lineno”

Bash version are vulnerable

1.13 to 4.3

Mitigation

The patching systems with Bash latest version.

Operating systems with updates are CentOS, Debian, Redhat (link is external) and Ubuntu.

 

References

Shellshock makes Heartbleed look insignificant. © 2014 CBS Interactive. url: http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ Accessed on 29th September 2014 at 1548hrs

 

Vulnerability Summary for CVE-2014-6271. NIST is an Agency of the U.S. Department of Commerce Full vulnerability listing. url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 Accessed on 30th September 2014 at 1548hrs

Shellshocker – Repository of “Shellshock” Proof of Concept Code.© 2014 GitHub, Inc. url:https://github.com/mubix/shellshocker-pocs Accessed on 1st October 2014 at 1748hrs

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s