Shellshock: A Bash Exploit

By Tim Butler
Bash (known as the Bourne Again Shell) provides the Unix shell environment and is the default shell for many operating systems such as Red Hat, CentOS and Apple OS X. Unfortunately, a vulnerability has been discovered in the shell which allows arbitrary code to be executed when it is set in an environment variable. This vulnerability has been nicknamed "Shellshock", but is officially referred to by its CVE identifier, CVE-2014-6271.

From a webserver perspective, a carefully crafted CGI call could exploit this vulnerability. Conetix has been monitoring this bug since it was first announced and has been taking proactive steps to mitigate the likelihood of attack or successful exploit. We receive notifications through a number of security mailing lists, vendor-based updates and peer forums in which matters like this are discussed.

In the last 24 hours, exploits have been found "in the wild", so we have increased our initial risk assessment and deemed this to be Critical.

What has Conetix done about it?

Upon first notification, Conetix forced an update across all of our critical infrastructure. As we use an orchestrated management system which covers system packages, this was a simple task and completed within a few hours of the notification. At that stage, no known exploits were available. We then started running a full risk analysis on the situation.

Secondly, Conetix has been systematically updating all systems, including client VPSs. After initial testing on selected systems to ensure the update would not cause any impact for further deployment, we pushed updates to all VPSs. This has already been completed.

Thirdly, through the Intrusion Protection we have in place within our core firewalls, we have put updated rules in place which drop any of the crafted CGI attacks. While no further systems should be exploitable regardless, this will also give us detailed logging on the level of attempted attacks and the ability to monitor for any anomalies.

What do I need to do?

If all of your infrastructure is hosted with Conetix, nothing. As the updates didn't involve any downtime, we automatically deployed the updates to all systems within our infrastructure. If you would like to confirm that you're no longer vulnerable, you'll need to SSH into your VPS and run a test. Conetix highly recommends running it to provide further confidence in the mitigation processes we have put in place for this exploit. Here's a quick test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Any system which prints "vulnerable" to the screen has not been patched. On a patched system, this will generate an error instead, and the system is therefore not vulnerable.

If you have servers outside of Conetix, you will also need to ensure that they have been updated. 
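The quick test above, wrapped so it can be run against every bash binary found on a server (an added example, not part of the original post; the marker string and the function names classify_output, check_bash and scan_host are constructed for illustration):

```shell
#!/bin/sh
# Added example: runs the article's one-line probe against each bash binary
# on a host and prints a verdict per binary. Names and marker are constructed.

MARKER="SHELLSHOCK_PROBE_HIT"

# Classify captured probe output: the marker only appears if bash executed
# the text that trails the function definition in the environment variable.
classify_output() {
    case "$1" in
        *"$MARKER"*)        echo "VULNERABLE" ;;
        *"this is a test"*) echo "patched" ;;
        *)                  echo "unknown" ;;
    esac
}

# Run the article's probe against one bash binary ($1) and print a verdict.
check_bash() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 0
    fi
    # stderr is merged in because a patched bash may print a warning about
    # the rejected function definition alongside the normal output.
    out=$(env x="() { :;}; echo $MARKER" "$1" -c "echo this is a test" 2>&1)
    classify_output "$out"
}

# Check bash in common install locations and whichever bash is first on PATH.
scan_host() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash "$(command -v bash 2>/dev/null)"; do
        [ -n "$b" ] && [ -x "$b" ] || continue
        printf '%s %s (%s)\n' "$(check_bash "$b")" "$b" "$("$b" --version | head -n 1)"
    done | sort -u
}

scan_host
```

Any line beginning with VULNERABLE identifies a bash binary that still needs the update; a locally compiled copy in /usr/local/bin is not touched by the distribution's package update.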

Further Reading

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

https://gigaom.com/2014/09/25/the-critical-shellshock-flaw-affects-many-linux-and-apple-systems-heres-what-you-need-to-know/