[News] Bash ShellShock issue – a bigger threat than Heartbleed?

A new security issue has been discovered in Bash, a widely used piece of Linux software. Some security experts have said that this vulnerability may be a bigger threat than the famous Heartbleed flaw that surfaced in April 2014. For those who don't know, Bash is the software that provides the command prompt on many *nix computers. With this new vulnerability, hackers can exploit a bug in Bash to take control of the targeted system. By comparison, Heartbleed allowed hackers to "spy" on or dump part of a computer's memory, but not to take control of it...


Exploiting this issue is really simple: anyone can cut and paste a single line of code and get results. Tod Beardsley, an engineering manager at the cybersecurity firm Rapid7, warned that the bug was rated "10" for severity, meaning it has maximum impact, and "low" for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

How it works?

This flaw involves how Bash evaluates environment variables (like $PATH, $JAVA_HOME, ...). An attacker can craft variables specifically so that Bash executes shell commands. To exploit this kind of security hole, a hacker would normally already need a high level of access to the system to cause damage, but unfortunately certain services and applications allow remote, unauthenticated attackers to supply environment variables, which lets them exploit this issue.

The main problem is that Bash is often used as the system shell. So if an application or service calls a Bash shell command via HTTP or CGI in a way that allows a user to insert data, the server could be hacked. In fact, this flaw may affect many applications that evaluate user input and call other applications via the shell. Imagine the risk when these applications call scripts with super-user permissions...

A detailed analysis of the flaw is available at: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/


Diagnostic steps

To test if your version of Bash is vulnerable to this issue, run the following command:

env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test

If you see this output, your Bash is vulnerable!
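As an added example (not from the original post), here is the diagnostic above wrapped in a reusable check, plus a short demonstration of the legitimate feature the bug abuses: Bash hands exported shell functions to child shells through the environment, and vulnerable versions also executed whatever followed the function body. It assumes a bash binary is on PATH; the marker string and function name are constructed for the example.

```shell
# Added example, not part of the original post. Assumes bash is on PATH.

# Report whether the given bash still imports a function definition from an
# arbitrary environment variable and runs the command that follows it.
# Prints "vulnerable", "patched", "unknown" or "no-bash".
shellshock_status() {
    bash_bin="${1:-}"
    [ -n "$bash_bin" ] || bash_bin=$(command -v bash 2>/dev/null || true)
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 2
    fi
    # Same probe as the diagnostic command above; the crafted value only echoes
    # a constructed marker, so the check itself is harmless on a vulnerable host.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *probe*)             echo "patched";    return 0 ;;
        *)                   echo "unknown";    return 2 ;;
    esac
}

# The feature behind the bug: a function exported with 'export -f' travels to a
# child bash inside an environment variable whose value starts with "() {".
# Importing the function is intended; executing trailing commands was the flaw.
exported_function_demo() {
    bash -c 'greet() { echo imported; }; export -f greet; bash -c greet' 2>/dev/null
}

# Run stand-alone: print the verdict for the bash on PATH, then the demo.
shellshock_status || true
exported_function_demo || true
```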

How to protect against it?

The first golden rule is to sanitize the web application's inputs. Normally you should already be doing this against common attacks like cross-site scripting (XSS) or SQL injection, which have been present in the SANS Top 25 for many years... The second step is to disable CGI scripts that call the shell. The last step would be to switch away from Bash to another shell, but keep in mind that other shells do not use exactly the same syntax and may not have all the same features, which means some of your applications would need to be updated. Of course, the best way is to replace Bash with the fixed version. Bash's developers have patched all current versions of Bash from 3.0 to 4.3, and so far only Debian and Red Hat appear to have packaged patches ready to go.

In my case, I simply ran Aptitude to get and install the updates on my Ubuntu servers like this:

sudo apt-get update && sudo apt-get upgrade
...
The following packages will be upgraded:
  apt apt-transport-https apt-utils bash dbus libapt-inst1.5 libapt-pkg4.12
  libdbus-1-3 linux-firmware

You can see that the "bash" package will be updated. Currently I have version 4.3.11:

bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)

And after the upgrade the version is the same, but if I run the diagnostic command:

env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

The vulnerability is fixed.

For more information, please consult these links:

2 Comments

  1. Great write-up and informative steps to upgrade a server distro to secure the fix 🙂
