Additional Technical Information and Resources

On September 24, 2014, a remotely exploitable vulnerability in the GNU Bash shell interpreter was originally disclosed to the community in CVE-2014-6271 and CVE-2014-7169. Since then, subsequent vulnerabilities have been reported and tracked; they are summarized in the list further below.

Nicknamed "ShellShocker", this vulnerability is found in all un-patched versions of GNU bash from 1.0 to 4.3. The vulnerability allows an attacker to inject shell code via environment variables that GNU bash will execute. Specifically, the vulnerability exists because GNU bash parses environment variables insecurely, allowing shell code injected after a function body to be executed.

For example:

SOMEVAR=() { doesn't matter }; /bin/hostname

will execute '/bin/hostname' when the environment variable SOMEVAR is imported into a GNU bash process.

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe as it enables network-based exploitation.

The primary attack vectors are CGI scripts and SSH sessions.

Attack Vector - CGI

A typical HTTP request looks like this:

GET /some/path?param_key=param_value HTTP/1.1
Host: www.example.com
HeaderKey: HeaderValue

Per the CGI specification, the web server will map the HTTP request to environment variables for the shell interpreter:

REMOTE_HOST=www.example.com
HTTP_HEADERKEY="HeaderValue"
SERVER_PROTOCOL="HTTP/1.1"

The HTTP request can be modified by an attacker such that any of these CGI environment variables will carry injected shell code that an invoked GNU bash shell will interpret.

Additionally, it is possible that the HTTP request method (`GET`), the HTTP request path (`/some/path`) or the HTTP request query string (`param_key=param_value`) may be exploitable.
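As an added example (not part of this advisory), the following Python script shows how the CGI mapping above turns request fields into environment variable names, and flags any field whose value begins with the bash function-export prefix "() {". The sample request is constructed; it carries the advisory's own /bin/hostname example in the User-Agent header.

```python
# Added example (not the advisory's own code): map the CGI-exposed parts of an
# HTTP request to their environment variable names and flag values that begin
# with the bash function-export prefix "() {", the carrier Shellshock relies on.
import re

# Vulnerable bash treats a variable whose value starts with "() {" as a function
# definition and keeps executing whatever follows the closing brace.
FUNC_EXPORT_RE = re.compile(r"^\s*\(\)\s*\{")

def cgi_env_name(header_name: str) -> str:
    """HTTP header name -> CGI variable name, e.g. User-Agent -> HTTP_USER_AGENT."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")

def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, query, headers dict)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, query, headers

def find_shellshock_carriers(raw: str):
    """Return (cgi_variable, value) pairs whose value carries a function-export prefix.
    Covers the header-derived variables plus the method, path and query string
    that the advisory also names as possible carriers."""
    method, path, query, headers = parse_request(raw)
    candidates = [("REQUEST_METHOD", method), ("PATH_INFO", path), ("QUERY_STRING", query)]
    candidates += [(cgi_env_name(name), value) for name, value in headers.items()]
    return [(var, val) for var, val in candidates if FUNC_EXPORT_RE.match(val)]

# Constructed sample request: the User-Agent carries the advisory's /bin/hostname example.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status?param_key=param_value HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :; }; /bin/hostname\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for var, val in find_shellshock_carriers(SAMPLE_REQUEST):
        print(f"suspicious {var}={val!r}")
```

The prefix match mirrors what vulnerable bash itself looks for; a production detector would also want to inspect URL-decoded query values.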

Attack Vector - SSH

SSH servers, OpenSSH in particular, offer features that allow system administrators to force authorized users into using a specific command only (ForceCommand) or to pass specific environment variables only (AcceptEnv). The former is typically used to allow a "trigger" to be transmitted to a server while preventing the user from invoking a shell interpreter. The latter is primarily used to permit users to declare their terminal type (TERM). An authenticated user can therefore inject shell code into GNU bash either by supplying a malicious command (which, in the context of ForceCommand, becomes SSH_ORIGINAL_COMMAND) or by modifying the TERM environment variable. Note that this attack will not work for a non-authenticated user.

Impact and Action

This vulnerability can be used by a malicious client to cause a server to create a shell on the affected system.

Attackers can use the shell to then elevate privileges and gain further control over the affected system. The end-user implication is that an attacker could gain full control over an affected system, including access to any and all data stored on or accessed by that system. The effort and resources required to execute an attack against this vulnerability in Bash are trivial.

GNU bash has been an available shell interpreter on every Unix-variant for decades, installed on everything from embedded systems to mainframes. Given the simplicity of the attack, the impact of this vulnerability is considered high. All manner of systems connected to the network, from web-enabled cameras to SCADA systems, should be considered at some risk.

Most operating system vendors have released patched versions of GNU bash for their supported OS releases. System administrators are strongly encouraged to update packages / firmware on all affected systems as quickly as possible.

As research into this vulnerability has continued, several vendors have released additional patches for the same vulnerability. As a matter of best practice, we recommend updating packages as improved fixes become available.

The following summarizes the known vulnerabilities and what each patch addresses:

  • CVE-2014-6271: Published on Sept 24. First advisory regarding bash vulnerability
  • CVE-2014-7169: Published on Sept 24. Addressed the incomplete fix for CVE-2014-6271
  • CVE-2014-6277: Published on Sept 27. Addressed the incomplete fix for CVE-2014-6271 and CVE-2014-7169
  • CVE-2014-6278: Published on Sept 30. Addressed the incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
  • CVE-2014-7186: Published on Sept 28. Results in memory corruption
  • CVE-2014-7187: Published on Sept 28. Not considered to cause any security impact

The patches are cumulative. Applying the latest patch covers the vulnerabilities fixed by previous patches.

The UBC IT Satellite server contains all of the latest patches and will be kept up to date in an ongoing effort to provide the UBC community with the latest patches.

Vulnerability Assessment Tools

The vulnerability may be checked manually by executing the following at a Bash prompt.

If, upon running the test below, you receive the following response, the system is vulnerable:
(Note: the directory listing shown in the patched response may vary.)

$ env ls='() { echo Vulnerable; }' bash -c ls
Vulnerable

After applying the patch, you should receive the following response:

$ env ls='() { echo Vulnerable; }' bash -c ls
Desktop Downloads Pictures Release.key Videos Documents Music Public Templates
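As an added example (not the advisory's own tool), this Python script turns the manual check above into a machine-checkable probe: it sends the same kind of environment variable, but with a constructed sentinel marker and a fixed inner command, so the verdict does not depend on a directory listing. It exercises only the original CVE-2014-6271 import behaviour; a negative result does not by itself prove the follow-up CVEs listed above are fixed.

```python
# Added example (not the advisory's own code): probe a local bash binary for the
# original Shellshock behaviour and return a verdict instead of a directory listing.
import os
import shutil
import subprocess

# Constructed sentinel: it can only appear in the output if bash executed the
# trailing command while importing the environment variable.
MARKER = "SHELLSHOCK_PROBE_MARKER_4f2c"
PROBE_VALUE = "() { :; }; echo " + MARKER

def interpret_probe_output(stdout: str) -> bool:
    """True if the sentinel appeared, i.e. the trailing command ran on import."""
    return MARKER in stdout

def probe_bash(bash_path: str = "bash"):
    """Run the probe against bash_path.
    Returns True (vulnerable), False (patched), or None (bash not found).
    Only the original CVE-2014-6271 behaviour is tested; the later follow-up
    CVEs listed in the advisory need their own checks."""
    resolved = shutil.which(bash_path)
    if resolved is None:
        return None
    # Minimal environment: just PATH and the probe variable, so nothing else in
    # the caller's environment can influence the result.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "PROBE_VAR": PROBE_VALUE}
    proc = subprocess.run([resolved, "-c", "echo probe-done"], env=env,
                          capture_output=True, text=True, timeout=10)
    return interpret_probe_output(proc.stdout)

if __name__ == "__main__":
    verdict = {True: "VULNERABLE", False: "not vulnerable", None: "bash not found"}
    print(verdict[probe_bash()])
```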

Additional Resources