Shellshock and why should you be worried (CVE-2014-6271)

The bug dubbed as “Shellshock”, affects the Unix command shell “Bash”, which is one of the most common applications running in the *NIX systems. BASH (Bourne Again Shell) is the interpreter that allows you to orchestrate commands on Unix and Linux systems. Right now the web is buzzing with all sorts of information about Shellshock but the hard part is to dissect the hype from the true underlying risk. Shellshock is unique due to the impact it could have on the security of the Internet and the challenges in detecting it. The attack surface could include any machine running Unix based systems, and other smart devices like smart locks, cameras, multimedia appliances and storage devices, etc.

How does it work, where is the vulnerability

The vulnerability exists in the bash shell which allows a user to create a function and embed it into the environment. When called from the shell, it spawns a child shell that executes the code. The vulnerability lies in the system which allows the user to spawn a shell executing code from the environment, being able to modify the environment allows the attacker to execute arbitrary code on the target system.

Potential Damage: What are the risks

“Shellshock” has the potential to inflict limitless damage. The Internet is powered by millions of Linux and Unix servers which are vulnerable and are open to exploitation. A crafted HTTP post with the right characters can easily enable any attacker to upload files, modify HTML, or plant backdoors / bots for use later.

How do I know If I am vulnerable to “Shellshock”

The vulnerability could be detected using a simple shell command …

# env x='() { :;}; echo vulnerable' bash  -c "echo this is a test"

If code returns the string “vulnerable” then you must update your system.

Debian, Ubuntu users can use the following commands to update their system:

# sudo apt-get update
# sudo apt-get install bash

Redhat / CentOS / Fedora users can use the following commands to update their system:

# yum -y update bash

The risk of remote exploitation

Environment variables are used extensively by web applications to communicate between pages and with the user. The vulnerability in bash opens up and exposes the environment variables to misuse. A malicious user can now craft packets to your web server and exploit the vulnerability in bash. The nature of the vulnerability allows the remote user to execute arbitrary code on the server, thereby allowing them substantial access to the target system.

Preventive measures for “Shellshock” vulnerability

Currently patching your system is one of the easiest preventive measures that can be taken. Linux distributors are offering different patches for this vulnerability although these patches still need to be tested for regression.

How does CNAM detect “Shellshock”

CNAM uses a  combination of DPI and event correlation to identify threats using CVE-2014-6271. CNAM customers also benefit enormously from the honey network and threat intelligence feeds integrated in real time. CNAM has classified the detection modules under CAPEC-88 OS Injection. All CNAM customers have received a global update on the issue on 25.09.2014 06:30 UTC.

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2015-2016 All Rights Reserved. NETMONASTERY™ and CNAM™ is a registered trademark of NETMONASTERY NSPL.