A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is based around Unix). Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully.
The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.
Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.
Symantec regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers. Although specific conditions need to be in place for the bug to be exploited, successful exploitation could enable remote code execution. This could not only allow an attacker to steal data from a compromised computer, but enable the attacker to gain control over the computer and potentially provide them with access to other computers on the affected network.
The following video provides an explanation of the Bash Bug vulnerability and demonstrates how a likely attack scenario through the CGI interface may work:
Has it been exploited yet?
There are limited reports of the vulnerability being used by attackers in the wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing.
Once the vulnerability has been made public, it was only a matter of time before attackers attempted to find and exploit unpatched computers.
How can it be exploited?
While the vulnerability potentially affects any computer running Bash, it can only be exploited by a remote attacker in certain circumstances. For a successful attack to occur, an attacker needs to force an application to send a malicious environment variable to Bash.
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.
Figure 1. How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first.
The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious in nature. For example attackers may have the ability to dump password files or download malware on to infected computers. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network.
Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.
Computers running Mac OS X are also potentially vulnerable until Apple releases a patch for the vulnerability. Again, attackers would need to find a way to pass malformed commands to Bash on the targeted Mac. The most likely avenue of attack against OS X would probably be through Secure Shell (SSH), a secure communications protocol. However, it appears that the attacker would need to have valid SSH credentials to perform the attack. In other words, they would already have to be logged in to an SSH session.
Internet of Things (IoT) and embedded devices such as routers may be vulnerable if they’re running Bash. However, many newer devices run a set of tools called BusyBox which offers an alternative to Bash. Devices running BusyBox are not vulnerable to the Bash Bug.
For website owners and businesses
Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately.
Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
- Red Hat—https://access.redhat.com/articles/1200223*
- Novell/SUSE— http://support.novell.com/security/cve/CVE-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues.
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
Symantec will continue to investigate this vulnerability and provide more details as they become available.