BASH – It Continues

As you know, yesterday saw the emergence of a remotely exploitable vulnerability that poses serious risks for all Linux systems.  The Bourne-Again SHell, known as Bash, is the default shell for most Linux systems.  It carries a vulnerability which allows an attacker to remotely set the content of an environment variable and use this to force the execution of commands chosen by the attacker.   This vulnerability is particularly lethal for web applications built on CGI script frameworks, as the request headers are packaged into environment variables.

For the past 36 hours, the Network Box Security Response has been diligently monitoring the security flaw for emerging vulnerabilities, and, as expected, the situation regarding CVE-2014-6271 and Shellshock has deteriorated.

  1. We are now seeing mass (targeting the entire IPv4 address space) scans for this vulnerability from 14 different sources in 5 countries.
  1. Two of those scans are actively attempting to deliver malicious payloads – attempts to install botnet clients on affected servers.
  1. It appears that initial reports regarding lack of 100% effectiveness of the patches for the CVE-2014-6271 vulnerability are correct. A new CVE-2014-7169 has been announced, to track a new variant of this vulnerability – for which no patches are currently available (but for which the protection signatures that we have should still be effective). The only good news is that CVE-2014-7169 appears to be more limited in scope than the original CVE-2014-6271 vulnerability.

These vulnerabilities theoretically cover a potentially very large attack surface, and are so fundamental that it is hard to produce signatures to protect vulnerable systems 100%. That being said, we have already released and deployed NBIDPS signatures for both NBRS-3 and NBRS-5, as well as WAF+ signatures for our NBRS-5 WAF+ platform. These signatures provide some protection for the most vulnerable HTTP servers.

A vulnerable system is defined as a Linux/Unix/Bsd based server (including Apple OSX) accessible from the public Internet on one or more ports. A simple (local) test for vulnerability is to type the following into the terminal shell of your server:-

The command to run (on the Unix/Linux/BSD box under test):

env x='() { :;}; echo vulnerable’ bash -c ‘echo this is a test’

The output that a vulnerable box will show:

$ env x='() { :;}; echo vulnerable’ bash -c ‘echo this is a test’
this is a test

The output that a non-vulnerable box will show:

# env x='() { :;}; echo vulnerable’ bash -c ‘echo this is a test’
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

Our protection signatures appear to be holding, but on a scale of 1 to 10 for mass exploitability, we rate Shellshock an 11. The timing is particularly concerning, as we head into the weekend with the vast majority of servers still un-patched. Accordingly, we have just increased our alert condition to level 4. To put that in perspective, we have not been at this level, for this serious a vulnerability, since 2006!

Our recommendation to customers, in co-operation with their regional support NOCs, is to conduct a review of potentially affected servers, and to then ensure that patches are applied to those servers wherever possible.

This is particularly vital if you have a Linux system – update it NOW because that will be your best protection. Consider doing the same for all devices running embedded Linux such as DVR, security cameras, alarm systems, HVAC, routers (especially home routers). This applies to any other device which needs an OS to run because chances are it’s using embedded Linux including the MAC. Update as soon as a patch is available.

Be assured that we are continuing to closely monitor the situation, and will update you as/when we have further news.

As always, please do not hesitate to contact your Network Box Support Team if you have any questions or require further clarification.