Differences between revisions 12 and 13
Revision 12 as of 2014-09-29 19:15:35
Size: 5051
Editor: cpc16-enfi16-2-0-cust765
Comment: Added link to bashcheck testing script and some accompanying commentary
Revision 13 as of 2014-09-30 14:45:09
Size: 6018
Editor: GreyCat
Comment: more summary
Deletions are marked like this. Additions are marked like this.
Line 4: Line 4:
As of this writing (September 27th, 2014),
the situation with Shellshock is changing so rapidly
that you're probably better off
using your preferred search engine instead of this FAQ.
For example,
you could search a news site for
recent items which contain the word "Shellshock".
"Shellshock" refers to two remotely-exploitable vulnerabilities in Bash, discovered in September 2014. The first vulnerability exploits the mechanism that Bash used to export and import functions, and allowed arbitrary command execution. The second vulnerability exploits a parser bug and allowed local files to be created.
Line 12: Line 6:
A quick summary is this:
 * The most recent updates should now fix all known Shellshock-related vulnerabilities.
 * Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
 * Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.
What these vulnerabilities have in common is that they are triggered by Bash scanning the environment, finding malicious data, and stumbling on it. Malicious data can be inserted into the environment by remote attackers in some system configurations, the most common of which is a web server with CGI capability. Most CGI setups pass along user-supplied data (e.g. HTTP user agent) through the environment.

There are official (i.e. issued by Chet Ramey) patches for Bash which fix the Shellshock vulnerabilities. These patches are available for all Bash versions from 2.05b through 4.3. There is also a third official patch which changes how Bash exports and imports functions through the environment. This third patch is believed to close any and all "tainted environment variable" attacks.

Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.

Other potential problems (parser bugs) were identified during the investigation, but are considered separate from the Shellshock bug. These bugs have no remote exploits (so far as we know). As of September 30, 2014 there are no official patches for these bugs. If you are concerned by them, you can try to translate Red Hat's unofficial patches to your version of Bash.

What is the Shellshock vulnerability in Bash?

"Shellshock" refers to two remotely-exploitable vulnerabilities in Bash, discovered in September 2014. The first vulnerability exploits the mechanism that Bash used to export and import functions, and allowed arbitrary command execution. The second vulnerability exploits a parser bug and allowed local files to be created.

What these vulnerabilities have in common is that they are triggered by Bash scanning the environment, finding malicious data, and stumbling on it. Malicious data can be inserted into the environment by remote attackers in some system configurations, the most common of which is a web server with CGI capability. Most CGI setups pass along user-supplied data (e.g. HTTP user agent) through the environment.

There are official (i.e. issued by Chet Ramey) patches for Bash which fix the Shellshock vulnerabilities. These patches are available for all Bash versions from 2.05b through 4.3. There is also a third official patch which changes how Bash exports and imports functions through the environment. This third patch is believed to close any and all "tainted environment variable" attacks.

Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.

Other potential problems (parser bugs) were identified during the investigation, but are considered separate from the Shellshock bug. These bugs have no remote exploits (so far as we know). As of September 30, 2014 there are no official patches for these bugs. If you are concerned by them, you can try to translate Red Hat's unofficial patches to your version of Bash.

Are my bash binaries fixed?

Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell.

Replace /bin/bash and /usr/local/bin/bash with the paths to the bash binaries you have installed/want to test in the for-loop below.

for s in /bin/bash /usr/local/bin/bash ; do
  VAR='() { :;};x=FAIL' "$s" -c 'printf "%-20s CVE-2014-6271 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
  VAR='() {}>\' "$s" -c '/dev/null x=FAIL;printf "%-20s CVE-2014-7169 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
done 2>/dev/null

The output will look something like this:

3.2.48(1)-release    CVE-2014-6271 FAIL (/bin/bash)
3.2.48(1)-release    CVE-2014-7169 FAIL (/bin/bash)
4.3.27(1)-release    CVE-2014-6271 OK   (/usr/local/bin/bash)
4.3.27(1)-release    CVE-2014-7169 OK   (/usr/local/bin/bash)

This shows that /usr/local/bin/bash is at version 4.3.27 and patched for both of the issues, while /bin/bash is at version 3.2.48 and fails both (meaning it is vulnerable).

A more comprehensive script called bashcheck is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable. At the time of writing, the latest version of bash - bash43-027 - does not have a fix for CVE-2014-7186 (the redir_stack bug).

After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".

In the meantime, here are a few links that should help you get started:


CategoryShell

BashFAQ/111 (last edited 2014-10-09 20:04:09 by GreyCat)