What
is #shellshock?
Shellshock
(CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277,
CVE-2014-6278) is a vulnerability in GNU's bash shell that gives attackers
access to run remote commands on a vulnerable system. If your system has not
updated bash in since Tue Sep 30 2014: 1:32PM EST you're most definitely
vulnerable and have been since first boot. This security vulnerability affects
versions 1.14 (released in 1994) to the most recent version 4.3 according to
NVD.
The
following can be found at:
Shellshock, also known as Bashdoor, is a family of security
bugs in the widely used Unix Bash shell, the first of which was disclosed on 24
September 2014. Many Internet daemons, such as web servers, use Bash to process
certain commands, allowing an attacker to cause vulnerable versions of Bash to
execute arbitrary commands. This can allow an attacker to gain unauthorized
access to a computer system.
The bugs cause Bash to unintentionally execute commands when
they are stored in specially crafted environment variables. Within days of the
initial vulnerability, a series of further related vulnerabilities in Bash were
found, leading to the need for further patches.
By 25 September 2014, botnets based on computers compromised
with the bug were being used by attackers for distributed denial-of-service
attacks and vulnerability scanning. Millions of attacks and probes related to
the bug were recorded by security companies in the days following the
disclosure.[7][8] The bug could potentially be used to compromise millions of
servers and other systems, and it has been compared to the Heartbleed bug in
its severity.
Stéphane Chazelas discovered the original bug on 12 September
2014 and suggested the name "bashdoor". The bug was assigned the CVE
identifier CVE-2014-6271. Analysis of the sourcecode history of Bash shows that
the vulnerabilities had existed since approximately 1992.
Apple Inc. commented that most Mac users were likely not
affected, unless they were advanced users. Although notified of the
vulnerability before it was made public, the company did not release a
corresponding OS X update until 29 September, but it did not fix all known
vulnerabilities.
Background
The Shellshock vulnerabilities affect Bash, a program that
various Unix-based systems use to execute command lines and command scripts. It
is often installed as the system's default command line interface. Bash is free
software developed collaboratively and overseen since 1992 on a volunteer basis
by Chet Ramey, a professional software architect. Analysis of the sourcecode
history of Bash shows that the vulnerabilities had existed undiscovered since
approximately version 1.13 in 1992. The maintainers of the Bash sourcecode have
difficulty pinpointing the time of introduction due to the lack of
comprehensive changelogs.
In Unix-based operating systems, and other operating systems
that Bash supports, each running program has its own list of name/value pairs
called environment variables. When one program starts another program, it
provides an initial list of environment variables for the new program.
Separately from these, Bash also maintains an internal list of functions, which
are named scripts that can be executed from within Bash. Since Bash is both a
command interpreter and a command, it is possible to execute Bash from within
Bash. When this happens, the original instance can export environment variables
and function definitions into the new instance. Function definitions are
exported by encoding them within the environment variable list as variables
whose values begin with parentheses ("()") followed by a function
definition. The new instance of Bash, upon starting, scans its environment
variable list for values in this format and converts them back into internal
functions. It performs this conversion by creating a fragment of code from the
value and executing it, thereby creating the function 'on-the-fly', but
affected versions do not verify that the fragment is a valid function
definition. Therefore, given the opportunity to execute Bash with a chosen
value in its environment variable list, an attacker can execute arbitrary
commands or exploit other bugs that may exist in Bash's command interpreter.
Impact
Within an hour of the announcement of the Bash
vulnerability, there were reports of machines being compromised by the bug. By
25 September 2014, botnets based on computers compromised with this exploit
were being used by attackers for distributed denial-of-service attacks and
vulnerability scanning. Kaspersky Labs reported that machines compromised in an
attack, dubbed "Thanks-Rob", were conducting DDoSes against three
targets, which they did not identify. On 26 September 2014, a botnet based on computers
compromised with this exploit was reported. Dubbed "wopbot", the
botnet was being used for a distributed denial-of-service (DDoS) attack against
Akamai Technologies and to scan the United States Department of Defense.
On 26 September, the security firm Incapsula noted 17,400
attacks on more than 1,800 web domains, originating from 400 unique IP
addresses, in the previous 24 hours; 55% of the attacks were coming from China
and the United States. By 30 September, Cloudflare said it was tracking
approximately 1.5 million attacks and probes per day related to the bug.
