Critical Bourne Again SHell (BASH) Vulnerability Allows for Remote Code Execution

ITS Advisory Number: 2014-083
Date(s) Issued: Thursday, September 25, 2014
Date Updated: Thursday, September 25, 2014
Subject: Critical Bourne Again SHell (BASH) Vulnerability Allows for Remote Code Execution
Overview: 

UPDATES: We have updated the recommendations. Please make sure to follow all recommendations listed below. Additional updates will be provided shortly.

A vulnerability has recently been discovered in the Bourne Again SHell (BASH). BASH is the default command-line shell processor that is often run in a text window on Linux and UNIX systems. BASH allows users to type commands that cause actions. In addition, BASH has the ability to read commands from a scripted file. Based on the wide use of Linux and UNIX systems, it can be assumed that most Linux and UNIX distributions, as well as Mac OS X, are vulnerable. Successful exploitation of a web service could result in an attacker gaining the same privileges as the service. Depending on the privileges associated with the service, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Mac OS X
  • Linux distributions
  • UNIX distributions
  • GNU BASH versions 1.14 through 4.3
Risk:

Government:
  • Large and medium government entities: High
  • Small government entities: High
Business:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High

Description: 

This vulnerability allows unauthorized remote parties to bypass environment restrictions on a network and run remote code through the execution of shell commands on vulnerable systems. In order for the vulnerability to be exploited, specially crafted environment variables need to be created prior to calling the BASH shell.

The following possible attack vectors have been identified by Red Hat security:

  • The ForceCommand feature in SSHD configurations, which provides limited command execution capabilities for remote users.
  • Apache servers using mod_cgi or mod_cgid are affected if CGI scripts are written in BASH or spawn subshells. Such subshells are used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
  • DHCP clients invoke shell scripts to configure the system with values taken from a malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
  • Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set or influenced by the user, allowing commands to be run.
  • Any other application which is hooked onto a shell or runs a shell script using BASH as the interpreter.

To test whether your system is vulnerable, open a bash shell and type in the following command:

$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"

If the output of the above command looks as follows:

--
vulnerable
this is a test
--

you are using a vulnerable version of Bash.

The patch to fix this issue ensures that no code is allowed after the end of the Bash function. If you run the test command statement above with a patched version of Bash, you should receive the following output.

--
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
--

Successful exploitation of a web service could result in an attacker gaining the same privileges as the service. Depending on the privileges associated with the service, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 

ORIGINAL:

We recommend the following actions be taken:

  • Update vulnerable products immediately after appropriate testing.
  • Turn off network services that are not required.
  • Apply the principle of Least Privilege to all services.

UPDATED: "() {"
Example usage: grep "() {" *.log
If the above string is found in the logs, please investigate further to determine the success of the attempt and contact CSOC if you need further assistance.
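
The log check above can be extended from a plain grep into a first triage pass that shows who sent the string, in which request field, and what the server answered. The script below is an added example and not part of the original advisory; it assumes Apache/nginx "combined" access logs, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): triage access logs for the "() {" string.
# Assumes Apache/nginx "combined" format; function names here are hypothetical.

MARKER='() {'

# Constructed sample log lines (documentation-range addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 61 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:02:12 +0000] "GET /cgi-bin/missing HTTP/1.1" 404 209 "() { :;}; echo vulnerable" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:05:40 +0000] "GET /cgi-bin/test HTTP/1.1" 404 209 "-" "() { :;}; echo vulnerable"
EOF
}

# For each line containing the marker, print: source address, HTTP status,
# and which quoted field carried it (request, referer or user-agent).
# Limitation: a field with an embedded double quote shifts the split.
scan_log() {
    awk -v marker="$MARKER" '
        index($0, marker) {
            split($0, q, "\"")          # q[2]=request q[4]=referer q[6]=user-agent
            split(q[3], st, " ")        # q[3] holds " status bytes "
            field = "other"
            if (index(q[2], marker))      field = "request"
            else if (index(q[4], marker)) field = "referer"
            else if (index(q[6], marker)) field = "user-agent"
            print $1, st[1], field
        }' "$@"
}

# Per source: total hits and how many drew a 2xx response. A 2xx only means a
# handler answered, so those requests are the first to investigate.
summarize() {
    awk '{ hits[$1]++; if ($2 ~ /^2/) ok[$1]++ }
         END { for (s in hits) print s, hits[s], ok[s] + 0 }' | sort
}

sample_log | scan_log
sample_log | scan_log | summarize
```

Pass real log files as arguments to scan_log in place of the sample input.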

References: 

Red Hat:
https://securityblog.redhat.com/2014/09/24/BASH-specially-crafted-environment-variables-code-injection-attack/
https://rhn.redhat.com/errata/RHSA-2014-1293.html
https://rhn.redhat.com/errata/RHSA-2014-1294.html
https://rhn.redhat.com/errata/RHSA-2014-1295.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
https://access.redhat.com/solutions/1207723

GNU Project:
http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

CentOS:
http://lists.centos.org/pipermail/centos-announce/2014-September/020582.html
http://lists.centos.org/pipermail/centos-announce/2014-September/020585.html
http://lists.centos.org/pipermail/centos-announce/2014-September/020583.html

Debian:
https://www.debian.org/security/2014/dsa-3032

FreeBSD:
http://portaudit.freebsd.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html

Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-201409-09.xml

Novell SUSE:
http://support.novell.com/security/cve/CVE-2014-6271.html

Oracle Linux:
http://linux.oracle.com/errata/ELSA-2014-1293.html
http://linux.oracle.com/errata/ELSA-2014-1294.html

Palo Alto:
https://securityadvisories.paloaltonetworks.com/Home/Detail/24

Ubuntu:
http://www.ubuntu.com/usn/usn-2362-1/

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

SecurityFocus:
http://www.securityfocus.com/bid/70103