[SingCERT] Bash Vulnerability

Published on Friday, 26 September 2014 17:31

[ Summary ]

On 24th of September 2014, a vulnerability (CVE-2014-6271) affecting all Bash versions 4.3 and below was reported in GNU Bash. The GNU Bash command-line shell is used in UNIX operating systems, including AIX, HP-UX, Linux, Solaris and OS X.

This vulnerability can be exploited in various ways. Network-based attackers could target vulnerable web servers that use CGI (Common Gateway Interface), or reach Bash through applications such as OpenSSH, Telnet and DHCP.

The following command can be issued in the command-line shell to determine whether your Bash is vulnerable:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If Bash is not vulnerable, the following will be returned:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If Bash is vulnerable, the following will be returned:
vulnerable
hello
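The same check, wrapped so it can be run across a fleet from an inventory job, is given below as an added example; it is not part of the SingCERT advisory, and the function names shellshock_check and classify_output are hypothetical. It assumes a bash binary is on PATH (or is passed as the first argument).

```shell
#!/bin/sh
# Added example, not from the advisory: wraps the one-line Bash check in a
# function that prints a machine-readable verdict and sets an exit status.
# Function names are hypothetical; assumes "bash" (or $1) is the binary to test.

# classify_output takes the stdout of the test command and prints
# "vulnerable" if the injected "echo vulnerable" actually ran, else "patched".
classify_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# shellshock_check runs the advisory's test against the given bash binary
# (default: "bash") and prints "vulnerable", "patched" or "missing".
# A patched bash writes its "ignoring function definition attempt" warnings
# to stderr; those are discarded here and only stdout is classified.
# Exit status: 0 = patched, 1 = vulnerable, 2 = binary not found.
shellshock_check() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>/dev/null)
    verdict=$(classify_output "$out")
    echo "$verdict"
    [ "$verdict" = "patched" ]
}

# Stand-alone run: one log-style line per host that an inventory job can collect.
verdict=$(shellshock_check "${1:-bash}") || true
printf 'bash-check host=%s binary=%s verdict=%s\n' "$(uname -n)" "${1:-bash}" "$verdict"
```

Call shellshock_check from your own scripts when you need the exit status; the stand-alone run only prints the verdict.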


[ Recommended Actions ]

  • System administrators are advised to apply the patches immediately when they are made available. Updates are currently available for Red Hat Enterprise Linux (versions 4 through 7), CentOS (versions 5 through 7), Ubuntu (10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian and the Fedora distribution.
  • System administrators should focus on systems with Bash shells that can be accessed remotely. These systems should be patched immediately. If patches for these systems are not yet available, administrators should consider closing off the affected services, or using alternative shells.
  • Where available, enable the signatures that detect or prevent such attacks in Web Application Firewalls and Intrusion Prevention Systems.


[ References ]

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability