GNU/Linux, Open Source, Cloud Computing, DevOps and more...

Still unresolved Shellshock major vulnerability affecting Bash on Linux, Unix and MAC OS X


Less than two days after a vulnerability (CVE-2014-6271) affecting the Bash shell on Linux, Unix and Mac OS X was detected, a patch was released that solves the issue only partially, which forced a new vulnerability (CVE-2014-7169) to be reported that is still pending. This issue has quickly gained a simple name by which it will be remembered for a long time: Shellshock or Shell Shock.

Background

The bug was detected by Stephane Chazelas, a Unix and Linux system administrator from Akamai, when he found out that Bash erroneously interpreted as a command what was only data within a variable when a specially crafted string was entered on the command line. As a result, everything coming after that string was executed as a command or function by Bash. This allows any attacker to execute arbitrary commands on your server. It's true that this cannot be done as root, but there are many harmful actions that can be done without root privileges.



Consequences

Here are some of the most critical examples of attack vectors and systems that may be affected:

• Apache: Apache servers, the most widespread web servers on the Internet, may be affected if they use mod_cgi or mod_cgid and any of the CGI scripts are written in Bash.
• ForceCommand: this vulnerability can also be exploited to bypass ForceCommand in some sshd daemon implementations. ForceCommand is supposed to limit remote code execution, but this bug allows that protection to be overcome.
• DHCP: the DHCP protocol, which allows computers and devices on a network to be automatically assigned an IP address and other networking data, is another service that could be affected according to Red Hat. This is because the protocol allows DHCP servers to pass environment variables to their clients. An attacker could get those variables interpreted as commands rather than as mere configuration data, which would allow attacking any computer on the network just by taking control of the DHCP server. This would be fatal in many cases, for example in large companies.
• SSH: another exploitable service is OpenSSH, through the AcceptEnv, TERM and SSH_ORIGINAL_COMMAND variables. An environment variable with an arbitrary name can carry a malicious function able to exploit the vulnerability and perform a remote attack over the network.
• GIT: other services such as Git, which provide restricted shells, could be affected by this vulnerability, as it would allow all those restrictions to be overcome and the server to be taken over.

Considering that Bash is one of the most widely used command shells in the world, there is no doubt that more and more examples of other attack vectors will emerge in the coming days and weeks, so it is essential for all sysadmins with affected systems worldwide to fix this issue as soon as possible.



Diagnosis

To check if your Bash shell is vulnerable, run these commands:

~$ env x='() { :;}; echo vulnerable' bash -c "echo Test 1"
~$ env X='() { (a)=>\' sh -c "echo vulnerable"; bash -c "echo Test 2"

If the output of either of them (or both) displays the word vulnerable, your version of Bash is indeed vulnerable:

~$ env x='() { :;}; echo vulnerable' bash -c "echo Test 1"
vulnerable
Test 1
~$ env X='() { (a)=>\' sh -c "echo vulnerable"; bash -c "echo Test 2"
vulnerable
Test 2

A patch that solves this issue must ensure that no command is allowed after the end of a function definition. Therefore, if you run the same command on a patched version of Bash, you should get output like this:

~$ env x='() { :;}; echo vulnerable' bash -c "echo Test 1"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Test 1
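
An added example, not part of the original post: a small POSIX shell script that applies Test 1 to every sh and bash binary it can find (the ones on PATH plus those listed in /etc/shells), since a host can carry more than one copy and sh is Bash on some systems. It covers only CVE-2014-6271; the marker string and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: run the page's Test 1 (CVE-2014-6271) against every sh/bash
# binary on the host. MARKER and the function names are constructed here.
MARKER=SHELLSHOCK_MARKER

# classify_output TEXT -> verdict for the captured stdout of one probe.
classify_output() {
    case $1 in
        *"$MARKER"*) echo vulnerable ;;      # the trailing command was executed
        *probe-ran*) echo not-vulnerable ;;  # only the requested command ran
        *)           echo unknown ;;         # the shell did not run the probe
    esac
}

# probe_6271 PATH -> vulnerable | not-vulnerable | unknown | missing
probe_6271() {
    target=$1
    [ -x "$target" ] || { echo missing; return 0; }
    # Same string as Test 1: a function definition followed by a command.
    # A fixed shell treats the value as data (or rejects it) and never
    # prints the marker. stderr is dropped because patched shells warn there.
    out=$(env x="() { :;}; echo $MARKER" "$target" -c 'echo probe-ran' 2>/dev/null) || true
    classify_output "$out"
}

# scan_shells -> one "path verdict" line per candidate shell.
scan_shells() {
    {
        command -v bash || true
        command -v sh || true
        if [ -r /etc/shells ]; then grep -E '/(ba)?sh$' /etc/shells; fi
    } 2>/dev/null | sort -u | while read -r candidate; do
        printf '%-24s %s\n' "$candidate" "$(probe_6271 "$candidate")"
    done
}

scan_shells
```

Any line reported as vulnerable names a binary that still needs the updated package, even if the default bash on PATH is already fixed.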
                                  

Fix

If your system is vulnerable, the solution is to install the latest version of the Bash package but, as said earlier, this is only a partial solution. However, Red Hat recommends applying the patch that fixes the first vulnerability (CVE-2014-6271) in any case, as the second one (CVE-2014-7169) is not so severe:

Debian & Ubuntu
~# apt-get update && apt-get install --only-upgrade bash

Red Hat & CentOS
~# yum update bash
                                  

Links and further information

https://access.redhat.com/articles/1200223
https://access.redhat.com/articles/1212303
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

                                   

About the author

Daniel López Azaña
Freelance AWS Cloud Solution Architect & Linux Sysadmin

Entrepreneur, a generator of ideas and restless mind. Passionate about new technologies, especially Linux systems and Open Source Software. I also like to write about Technology News, Cloud Computing, AWS, DevOps, DevSecOps, System Security, Web Development and Programming, SEO, Science, Innovation, Entrepreneurship, etc.
