Remote vulnerability in bash – patches available for CVE-2014-6271, CVE-2014-7169

Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal based command interpreter to many other fancy uses.

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consists of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)

A remotely exploitable vulnerability was discovered and disclosed publicly today by Stephane Chazelas, and it is extremely unpleasant. The vulnerability has the CVE identifier CVE-2014-6271.

As you may know, bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished through the process environment to a child process.

The major attack vectors that have been identified in this case are:

  • HTTP requests and CGI scripts
  • OpenSSH using the SSH_ORIGINAL_COMMAND setting
  • Various daemons and SUID/privileged programs
  • Any other application using bash as the interpreter

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable). Something like:


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

We will continue to monitor the situation very closely. We expect proof of concept (PoC) exploits to be authored and distributed over the next few days. There is also the potential for variants of the original vulnerability, which may require further patching if other attack vectors or methods are found.

If you have any servers connected to the internet with bash installed, it is strongly recommended that you update bash. Many Linux distributions have already released a patched bash package into their repositories.



Sources:
http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html
​https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
​http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash
​http://seclists.org/oss-sec/2014/q3/651



Update: 9/25/2014 4:00PM EDT

We have become aware that the patch for CVE-2014-6271 is incomplete. An attacker can still provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. See also Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux. RedHat and CentOS are working on patches in conjunction with the upstream developers as a critical priority.

Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271, and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.



Update: 9/26/2014 10:00AM EDT

We have obtained patches for CVE-2014-7169 and we strongly advise everyone update their systems immediately!

Download patches