Bash Vulnerability

September 25, 2014

A vulnerability has been discovered in the "bash" shell which is commonly used to provide a command-line interface on Unix-style systems, such as Linux distributions.

The vulnerability is described at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."

The practical consequences of the vulnerability are still being explored by various groups, but it has been confirmed that some web server configurations make this a remotely exploitable condition. In general terms, a web server that runs scripts which use bash may be vulnerable. Do not assume that use of PHP, Java, or other languages means bash is not used; some environments will invoke bash to execute these languages.

Since remote exploitation depends upon finding a URL to a CGI that would invoke a bash shell, our scans of servers could easily miss a vulnerable system. If you operate a Unix-based system, you are encouraged to update your bash shell as soon as possible. Priority should be given to critical systems, particularly those with a web server.

Since the bash shell is such a ubiquitous part of Unix-style systems, it is likely there are exploits via methods other than web servers, so it is important that all systems are updated.

In addition to special concerns about web servers due to their remote-access potential, there may be some risk to MacOS devices if they receive malicious payloads from a DHCP server, as this may trigger processing via a bash shell on the MacOS client. This is primarily a concern for travelers who may connect to questionable networks, and presumably a patch will be issued by Apple to correct this issue.

If you want to test a specific system, log into the system and from the bash shell prompt execute the following one-line command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output includes the word "vulnerable", you have a vulnerable bash shell.
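
The one-line test above only exercises whichever bash is first on your PATH. The script below is an added example, not part of the original advisory: it runs the same probe against every bash binary it can find, namely the one on PATH plus any listed in /etc/shells. The function names probe_bash and scan_bash_binaries are made up for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original advisory.

# probe_bash PATH: run the advisory's test against one specific binary and
# print a verdict: "vulnerable", "not-vulnerable", or "error".
probe_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "error"; return 0; }
    # Same probe as the advisory's one-liner, but aimed at an explicit path.
    # Only stdout is classified; stderr is discarded.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)       echo "vulnerable" ;;
        *"this is a test"*) echo "not-vulnerable" ;;
        *)                  echo "error" ;;   # binary did not run the command
    esac
}

# scan_bash_binaries [SHELLS_FILE]: probe the bash on PATH plus every bash
# listed in SHELLS_FILE (default /etc/shells); print "path<TAB>verdict".
scan_bash_binaries() {
    shells_file=${1:-/etc/shells}
    {
        command -v bash 2>/dev/null || true
        if [ -r "$shells_file" ]; then
            grep '^/.*/bash$' "$shells_file" || true
        fi
    } | sort -u | while IFS= read -r path; do
        printf '%s\t%s\n' "$path" "$(probe_bash "$path")"
    done
}

scan_bash_binaries "$@"
```

A bash copy that is not listed in /etc/shells (inside a chroot or bundled with an application, for instance) will not be found by the scan; pass its path to probe_bash directly.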