We at INFINIT are always on top of all security threats. This latest threat affects the BASH shell, used by many UNIX and Linux systems.
BASH Vulnerability CVE-2014-6271 Security Brief
OVERVIEW
On 9/24/2014, a vulnerability in BASH (Bourne-Again SHell) was discovered and reported to the National Institute of Standards and Technology (NIST). The vulnerability has been assigned CVE-2014-6271. BASH is installed on most UNIX and linux systems and is commonly configured as the default shell.
The vulnerability takes advantage of how BASH processes environment variables to execute commands on the target system. Environment variables can be set through any method available which allows the attacker to interact or pass input to BASH.
RISK – HIGH
The system is vulnerable through authenticated or brute forced SSH/telnet sessions and via exposed web libraries (CGI, Python, Perl, etc) that are configured to pass input to a shell script which uses BASH as the interpreter. The vulnerability is remotely exploitable via the Internet if any of these services are exposed to the Internet. Common ports for web services include 80, 8080, 443, however many web management interfaces are configured to use custom ports. Please check with your vendor configuration documentation to determine which port your service uses.
Exploits for this vulnerability have been published and are easily obtainable. The vulnerability is not limited to “Servers”. Appliances and devices with a web interface or exposed shell interfaces are also vulnerable. Examples include: Web Management interfaces for appliances and devices such as IP Phones, Network Attached Storage Devices, Wireless Routers with Web Interfaces, and other web services.
ACTIONS AND REMEDIATIONS
It is recommended to patch BASH at the earliest possibility. Please check with your Operating System and Vendor websites for patch availability. Most popular Operating Systems such as CentOS, Ubuntu, and Redhat have already released patches for this vulnerability. Any appliances and virtual appliances running UNIX or linux may be vulnerable as well so please include them in any testing and patching conducted.
CRITICALITY
CVSS Score |
10 (HIGH) |
Impact Score |
10 |
Exploitability Score |
10 |
Exploits Available? |
Yes |
Remotely Exploitable? |
Yes |
REFERENCES
Redhat Security Blog
NIST CVD Listing
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Redhat Resolution Post
https://access.redhat.com/solutions/1207723
CentOS Post
http://lists.centos.org/pipermail/centos/2014-September/146099.html
Novell Post
http://support.novell.com/security/cve/CVE-2014-6271.html
Manual Method for Testing If Your Operating System is Vulnerable
http://www.volexity.com/blog/?p=19
Technical Information About the Vulnerability
http://seclists.org/oss-sec/2014/q3/650
UPDATE
Test here to see if you are vulnerable: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability