Wednesday, October 1, 2014

What is #shellshock?


Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) is a vulnerability in GNU's bash shell that lets attackers run commands remotely on a vulnerable system. If your system has not updated bash since Tue Sep 30 2014, 1:32PM EST, you are most definitely vulnerable and have been since first boot. According to NVD, this security vulnerability affects versions 1.14 (released in 1994) through the most recent version, 4.3.

The following can be found at:

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The bugs cause Bash to unintentionally execute commands when they are stored in specially crafted environment variables. Within days of the initial vulnerability, a series of further related vulnerabilities in Bash were found, leading to the need for further patches.
By 25 September 2014, botnets based on computers compromised with the bug were being used by attackers for distributed denial-of-service attacks and vulnerability scanning. Millions of attacks and probes related to the bug were recorded by security companies in the days following the disclosure.[7][8] The bug could potentially be used to compromise millions of servers and other systems, and it has been compared to the Heartbleed bug in its severity.
Stéphane Chazelas discovered the original bug on 12 September 2014 and suggested the name "bashdoor". The bug was assigned the CVE identifier CVE-2014-6271. Analysis of the source code history of Bash shows that the vulnerabilities had existed since approximately 1992.
Apple Inc. commented that most Mac users were likely not affected, unless they were advanced users. Although notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until 29 September, but it did not fix all known vulnerabilities.
Background
The Shellshock vulnerabilities affect Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system's default command line interface. Bash is free software developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey, a professional software architect. Analysis of the source code history of Bash shows that the vulnerabilities had existed undiscovered since approximately version 1.13 in 1992. The maintainers of the Bash source code have difficulty pinpointing the time of introduction due to the lack of comprehensive changelogs.

In Unix-based operating systems, and other operating systems that Bash supports, each running program has its own list of name/value pairs called environment variables. When one program starts another program, it provides an initial list of environment variables for the new program. Separately from these, Bash also maintains an internal list of functions, which are named scripts that can be executed from within Bash. Since Bash is both a command interpreter and a command, it is possible to execute Bash from within Bash. When this happens, the original instance can export environment variables and function definitions into the new instance. Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition. The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions. It performs this conversion by creating a fragment of code from the value and executing it, thereby creating the function 'on-the-fly', but affected versions do not verify that the fragment is a valid function definition. Therefore, given the opportunity to execute Bash with a chosen value in its environment variable list, an attacker can execute arbitrary commands or exploit other bugs that may exist in Bash's command interpreter.
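As an added example (not from the original post, the Wikipedia text, or the Bash project), the script below shows the function-export encoding the paragraph describes and then runs the standard patch-verification check for CVE-2014-6271 with a benign constructed value. It assumes bash is installed on PATH; the function name greet and the variable name x are arbitrary.

```shell
#!/bin/sh
# Added example: function export encoding and a patch check. Requires bash.

# 1. Raw encoding: a child bash defines and exports a function, then dumps
#    its environment; we keep the entry whose value starts with "() {".
#    Affected bash stores it as greet=() { ...}; fixed bash renames the
#    variable (BASH_FUNC_greet%%=...) so ordinary variables are never parsed.
exported_function_encoding() {
    bash -c 'greet() { echo "hi $1"; }; export -f greet; env' | grep -F '() {'
}

# 2. Round trip: the grandchild bash rebuilds "greet" from the environment
#    entry and can call it, which is the legitimate use of this mechanism.
function_roundtrip() {
    bash -c 'greet() { echo "hi $1"; }; export -f greet; bash -c "greet world"'
}

# 3. Patch check: a constructed value that is a valid function definition
#    followed by an extra command. A fixed bash imports at most the function
#    and prints only "probe"; an affected bash also runs the trailing echo
#    while importing its environment, before the -c command executes.
shellshock_status() {
    out=$(env x='() { :; }; echo affected' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *affected*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

exported_function_encoding
function_roundtrip
shellshock_status
```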
Impact
Within an hour of the announcement of the Bash vulnerability, there were reports of machines being compromised by the bug. By 25 September 2014, botnets based on computers compromised with this exploit were being used by attackers for distributed denial-of-service attacks and vulnerability scanning. Kaspersky Labs reported that machines compromised in an attack, dubbed "Thanks-Rob", were conducting DDoSes against three targets, which they did not identify. On 26 September 2014, a botnet based on computers compromised with this exploit was reported. Dubbed "wopbot", the botnet was being used for a distributed denial-of-service (DDoS) attack against Akamai Technologies and to scan the United States Department of Defense.

On 26 September, the security firm Incapsula noted 17,400 attacks on more than 1,800 web domains, originating from 400 unique IP addresses, in the previous 24 hours; 55% of the attacks were coming from China and the United States. By 30 September, Cloudflare said it was tracking approximately 1.5 million attacks and probes per day related to the bug.
