Heartbleed hit the news back in April, affecting OpenSSL and, in turn, large parts of the internet. Another major vulnerability, dubbed ‘ShellShock’, was disclosed yesterday.
Last week, Stephane Chazelas discovered a vulnerability in bash (the Bourne-again shell), one of the most commonly deployed *nix utilities. It affects versions 1.14 through 4.3 of GNU Bash. This is a 22-year-old vulnerability that has only now been made public.
If left unpatched, this vulnerability could allow attackers to execute code remotely on vulnerable systems.
The details of this vulnerability were released as part of a coordinated disclosure (http://www.openwall.com/lists/oss-security/2014/09/24/10) on 24/9/2014, with major operating system distributions being notified in advance. The majority of these distributions released a patch when the vulnerability was disclosed; however, these patches have since been found to be largely ineffective, leaving some systems vulnerable.
New patches have been compiled but, at the time of writing, have not yet been accepted into the distribution repositories.
So what’s the issue?
The vulnerability is caused by the way in which environment variables are handled. When Bash imports a function definition from an environment variable, it does not stop interpreting the variable's contents at the end of the function, so any commands that follow the function body are executed as the shell starts, making arbitrary command execution possible. If Bash is called by an external script, such as a CGI script, it is possible to remotely execute code.
Nettitude has already observed this vulnerability being exploited in the wild, with servers scanning large numbers of IP addresses, attempting to trigger the vulnerability and forcing affected machines to download and execute malware.
Although there are a wide variety of ways in which this vulnerability can be exploited, the main risk is internet-facing web applications that make use of CGI scripts, PHP library calls or Java. These applications all make backend calls to /bin/sh, making them vulnerable.
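The following is an added local self-test, not code from the Nettitude post. It exports a constructed environment variable (the name SHOCK_TEST and the marker text are assumptions) whose value looks like a function definition followed by a trailing command. A vulnerable Bash keeps parsing past the function body and runs the trailing echo as it starts up; a patched Bash treats the value as an ordinary string and prints nothing. The only side effect is a harmless marker on standard output, and nothing touches the network.

```shell
#!/bin/sh
# Added example: check whether a local bash binary is affected by CVE-2014-6271.
# Prints "vulnerable", "patched", or "no-bash" (binary not found).

shellshock_status() {
    bash_bin="${1:-bash}"          # path to the bash to test; defaults to the one on PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Constructed probe value: an empty function body followed by a trailing command.
    # Only a vulnerable bash executes the part after the closing brace at startup;
    # the child runs 'true' so nothing else is printed.
    out=$(env SHOCK_TEST='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Usage: shellshock_status            # test bash on PATH
#        shellshock_status /bin/bash  # test a specific binary
shellshock_status "$@"
```

Run it against every Bash binary on a host (for example /bin/bash and /bin/sh where sh is Bash) after applying a vendor patch, since the post notes that the first round of distribution patches was found to be incomplete.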
What is affected?
This will affect a significant number of systems, from web servers, home routers, OS X Macs, servers and PCs to many embedded devices, plus anything else that relies on Bash. NIST has rated this 10 out of 10 in terms of severity, combined with a low complexity to exploit (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271).
However, although many systems use Bash, access to it is often provided via other interfaces. The most likely situations are where diagnostic CGI scripts are written in, or call out to, Bash, or PHP applications running in CGI mode that do something similar.
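Because CGI servers copy request headers into environment variables before invoking the script, the function-definition prefix that Bash imports shows up verbatim in web server logs when a scanner probes a host. The following added example (not from the Nettitude post) scans Apache-style access log lines for that prefix and lists the source addresses that sent it. The log lines are constructed for this example, using documentation address ranges, with a harmless echo in place of any real payload.

```shell
#!/bin/sh
# Added example: flag access-log lines carrying the "() {" prefix that Bash
# recognises as an exported function definition, and list who sent them.

# Constructed sample of Apache combined-format log lines (not real traffic).
SAMPLE_LOG='203.0.113.10 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-probe"
198.51.100.7 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo shellshock-probe" "curl/7.37"
192.0.2.44 - - [25/Sep/2014:10:13:00 +0000] "GET /cgi-bin/diag.sh HTTP/1.1" 500 0 "-" "Mozilla/5.0"'

# Read log lines on stdin; print only those containing the exact 4-byte prefix
# "() {" that Bash checks for when importing functions from the environment.
# Fixed-string matching (-F) keeps the parentheses literal; "|| true" keeps a
# clean run with zero hits from aborting a script that uses set -e.
shellshock_log_hits() {
    grep -F '() {' || true
}

# Count matching lines in the constructed sample.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits | wc -l | tr -d ' '
}

# Distinct source addresses (first field) that sent a probe, one per line, sorted.
probe_sources() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits | awk '{print $1}' | sort -u
}

# Usage against a real log: shellshock_log_hits < /var/log/apache2/access.log
echo "matching lines: $(count_hits)"
echo "sources:"
probe_sources
```

Apache's default log format records only the Referer and User-Agent headers, so probes carried in other headers (Cookie, Host, or custom ones) will not appear here; a web application firewall or mod_security rule inspecting every incoming header is the more complete detection point, and the host self-test remains the authoritative check of whether a probe would have succeeded.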
Already, a DDoS bot that exploits this issue has been identified in the wild by @yinettesys (https://twitter.com/yinettesys/status/515012126268604416).