A flaw in Bash, the most common Linux command shell, from 22 years ago that was discovered and incompletely patched earlier this year is reported to pose a very severe threat to systems that include it. If you use a BASH shell in Linux or other derived operating system like Android or Apple OS X (like me and I am sure many of you!) you are probably vulnerable.
According to Mitre:
vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Am I vulnerable?
Edit for the time being: You are. No complete public fix has been posted yet, for the new CVE (CVE-2014-7169). The instructions I give below are only sufficient to close off part of the vulnerability.
There is an easy check. Open a terminal and paste the following:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
It simply sets the environment variable called x to the value ‘() { :;}; echo vulnerable’. It then invokes bash asking it to echo back the word hello. The value of x that is set is a function definition that should do nothing. However, it is crafted to try to run ‘echo vulnerable’ at parsing of environment at bash start-up, which just prints vulnerable to standard out.
If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
If you are vulnerable, then you will see:
vulnerable
hello
Here is a link to more information from the Register: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
Here is an article from TrendMicro that also describes the vulnerability: http://blog.trendmicro.com/trendlabs-security-intelligence/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271/
Several of the vendors we have partnerships with are investigating their products to determine their vulnerability and response.
F5 has posted the security advisory: http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
VMware has posted in their security and compliance blog that they are investigating: http://blogs.vmware.com/security/2014/09/vmware-investigating-bash-command-injection-vulnerability-aka-shell-shock-cve-2014-6271-cve-2014-7169.html
Red Hat has posted a very good description ion their security blog: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Another Red Hat post: https://access.redhat.com/articles/1200223
Here are links to the advisories and repositories from the US Government:
US Computer Emergency Readiness Team (US-CERT) Advisory: https://www.us-cert.gov/ncas/alerts/TA14-268A
NIST-National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Mitre Common Vulnerabilities and Exposures (CVE) entries: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
Since the patches for Bash started being released last week, three new Bash vulnerabilities have been identified: – These are new since I sent out the email last week. If systems were patched on Friday, they are probably vulnerable now unless the new patches have been applied!
US Computer Emergency Readiness Team (US-CERT) Advisory: https://www.us-cert.gov/ncas/alerts/TA14-268A
Vulnerability Note VU#252743 GNU Bash shell executes commands in exported functions in environment variables: http://www.kb.cert.org/vuls/id/252743 – This is a very good article describing affected systems
NIST-National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
Mitre Common Vulnerabilities and Exposures (CVE) entries: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
Shellshocker.net https://shellshocker.net/ – Another terrific resource for understanding and testing for the 5 vulnerabilities identified so far and instructions on patching a number of operating systems.
Additional articles and advisories from vendors:
Novell/SUSE SLES 11 is affected: https://www.novell.com/support/kb/doc.php?id=7015705
Updated Knowledgebase article listing vulnerabilities in VMware products: KB 2090740 – This list is long as VMware maintains dozens of Linux based virtual appliances.
Palo Alto Networks Security Advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/24
– pre-order for Aug. 29, 2014 release
Dennis Bray's Virtual Place 