Shellshock/Bash Vulnerability

Shellshock/Bash is a major new vulnerability that affects Unix, Linux and Mac users. This remote code execution vulnerability exists in almost every version of the GNU Bourne Again Shell (Bash). See CVE-2014-6271 in the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Description of CVE-2014-6271:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

In our assessment, attacks over the internet via HTTP by worms or scripts are the biggest risk to organizations. A sample of HTTP attacks can be found at the following location:
http://pastebin.com/ebDeRd8U

Vulnerable Software and Versions:

* cpe:/a:gnu:bash:1.14.0
* cpe:/a:gnu:bash:1.14.1
* cpe:/a:gnu:bash:1.14.2
* cpe:/a:gnu:bash:1.14.3
* cpe:/a:gnu:bash:1.14.4
* cpe:/a:gnu:bash:1.14.5
* cpe:/a:gnu:bash:1.14.6
* cpe:/a:gnu:bash:1.14.7
* cpe:/a:gnu:bash:2.0
* cpe:/a:gnu:bash:2.01
* cpe:/a:gnu:bash:2.01.1
* cpe:/a:gnu:bash:2.02
* cpe:/a:gnu:bash:2.02.1
* cpe:/a:gnu:bash:2.03
* cpe:/a:gnu:bash:2.04
* cpe:/a:gnu:bash:2.05
* cpe:/a:gnu:bash:2.05:a
* cpe:/a:gnu:bash:2.05:b
* cpe:/a:gnu:bash:3.0
* cpe:/a:gnu:bash:3.0.16
* cpe:/a:gnu:bash:3.1
* cpe:/a:gnu:bash:3.2
* cpe:/a:gnu:bash:3.2.48
* cpe:/a:gnu:bash:4.0
* cpe:/a:gnu:bash:4.0:rc1
* cpe:/a:gnu:bash:4.1
* cpe:/a:gnu:bash:4.2
* cpe:/a:gnu:bash:4.3

What Should You Do?

1. If you are a user of our ProSCAN/Qualys Vulnerability scanning service, please contact us to schedule an emergency scan.
2. If you are using another vulnerability scanning tool, follow your vendor’s instructions.
3. Use official repositories to upgrade to the current release.
4. Verify with your vendors that this vulnerability has been patched.

What Else is Proficio Doing?

Proficio has patched any vulnerable systems within our own infrastructure. We are actively gathering indicators of attack and compromise and looking to apply detection indicators to our monitoring service.

Please feel free to contact us to discuss the best action for your organization.