    Shellshock Bash Software Bug: Top 7 Questions Answered

    Memories of the Heartbleed bug have not yet faded, and the IT security world has already been jolted by Shellshock. Also known as Bash Bug and Bash Door, this bug was discovered by Stéphane Chazelas, an Akamai security researcher and UNIX/Linux expert, on 12 September 2014. On 24 September, the United States Computer Emergency Readiness Team reported that the bug affected Unix-based operating systems (mainly Linux and Mac OS X).

    Who does the Bash Bug affect? What are the dangers? Are you at risk? What can you do to avoid getting hurt by it? How do hackers exploit it?

    We answer these and other key questions related to the Shellshock bug for you. Let’s start with the most important question.

    1. How can you find out if your systems are at risk?

    Shellshock vulnerabilities CVE-2014-6271 and CVE-2014-7169 are critical. Red Hat has provided a script that you can use to check whether your system is vulnerable.

    For CVE-2014-6271, you can run the following command:

    env x="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

    If you see the following message, it means your system is vulnerable:

    Output:

    vulnerable
    completed

    If your system is not vulnerable, you'll see something like this:

    Output:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    completed

    OR

    Output:

    completed


    Alternatively, you can send an HTTP request to your own server's IP address, using settings such as these:


    Target = 192.192.0.0
    Port = 80
    Banners = true
    Http-user-agent = test
    Http-header = Cookie:() { :; }; ping -c n xxx.xxx.xxx.xx
    Http-header = Host:() { :; }; ping -c n xxx.xxx.xxx.xx
    Http-header = Referer:() { :; }; ping -c n xxx.xxx.xxx.xx

    You can use software like Wireshark to watch for the ping. If you get a ping back, it means that the command has been executed and you are at risk.

    2. How can system admins mitigate the risks of a Shellshock-based hacker attack?

    The developer who discovered the bug says that the best solution would be to switch to another shell. But that would be a difficult and time-consuming process for most.

    Thankfully, several patches are now available for CVE-2014-6271 (and CVE-2014-7169), and the latest are pretty good at mitigating the risks. For Linux, Red Hat has issued a number of patches; you can apply the latest patch within seconds. Other issues within Bash, most notably CVE-2014-7169, are also being addressed.

    However, “Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271 and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.”

    To ensure security, four steps are essential:

    • Apply the relevant patch to your system
    • Test to find out if the patch has removed the threat
    • Guard against rogue servers, protect access points
    • Update network security, anti-virus and firmware programs

    3. What is Shellshock / Bash Bug / Bash Door?

    To understand the bug, we need to look at what Bash is. Bash (Bourne Again SHell) is a Unix shell. Brian Fox wrote it as part of the GNU Project to replace the Bourne shell. While most users don’t come into contact with Bash, programmers know that it can be used to issue commands to a UNIX-based computer by typing text into a text window. More importantly, Bash acts as a command interpreter and runs commands passed to it by applications.

    There is a loophole in Bash that hackers can potentially exploit to gain control over a target computer. As the vulnerability affects Bash, the bug is also known as Bash Bug or Bash Door. After the first bug was uncovered, several other bugs from the same family have also been discovered.

    4. What is the exact nature of the Bash vulnerability?

    Bash executes commands sent to it by applications. Many types of commands can be sent to Bash. IT security giant Symantec outlines how this vulnerability can be exploited by malicious hackers: “One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.”

    In simpler words, it is possible for hackers to exploit this vulnerability to control systems that use Bash.

    5. How severe is the threat?

    An Engineering Manager at security firm Rapid7, Tod Beardsley, said, “On a scale of 1 to 10, this is an 11.” The US Government has rated it “10 out of 10” for severity. Not only will the bug affect about 500 million devices across the world, but even novice hackers can exploit the loophole without too much effort. Apart from all systems utilizing UNIX, primarily Mac OS X and Linux, Bash is used in several firewalls, routers, Netscalers, iPhone DHCP and more. This puts many personal computers as well as corporate systems at risk.

    6. How can hackers exploit this bug?

    By exploiting the loophole, hackers can inject commands into systems without authentication. This can help malicious users get a foothold in the system. After initial access, the hacker can set environment variables to get more privileges and could theoretically even gain root access. Symantec’s graphic shows how it works:

    [Graphic: Symantec]

    7. What systems are vulnerable to the Shellshock threat?

    The Bash bug threatens any Internet-connected system that uses Bash. Most web servers use Bash, so any unpatched web server can be a potential target. Even personal systems running Linux in the background can be exploited. As Bash has been around for decades, it is baked into millions of systems, and the bug can potentially impact hundreds of millions of them. The following will be most impacted:

    • HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid)
    • Certain DHCP clients
    • OpenSSH servers that use the ForceCommand capability
    • Various network-exposed services that use Bash
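
The header test from question 1 and the CGI exposure listed above both leave a recognisable trace in web server logs. The following is an added example, not part of the original article: it scans an access log for quoted fields that begin with the "() {" function-definition prefix. It assumes the common "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Shellshock probes in a "combined"-format access log.
# Bash only treats a value as a function definition when it starts with
# "() {", so that prefix at the start of a logged header is the signature.

# scan_log FILE
# Prints "LINE CLIENT FIELD" for every quoted field that starts with "() {".
scan_log() {
    awk -F'"' '
    BEGIN { name[2] = "request"; name[4] = "referer"; name[6] = "user-agent" }
    {
        split($1, pre, " ")                 # pre[1] = client address
        for (i = 2; i <= NF; i += 2) {      # even fields are the quoted ones
            if ($i ~ /^[(][)][ \t]*[{]/)
                print NR, pre[1], ((i in name) ? name[i] : "field" i)
        }
    }' "$1"
}

# Constructed sample log (documentation-range addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.0" 200 94 "-" "() { :; }; echo probe"
203.0.113.5 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 208 "() { :;}; echo probe" "test"
192.0.2.11 - - [25/Sep/2014:10:03:00 +0000] "GET /docs/ HTTP/1.1" 200 77 "-" "DocsBot/1.0 (indexes f() { } snippets)"
EOF
}

# Demo: write the sample to a temporary file and scan it.
demo() {
    tmp=$(mktemp) || return 1
    sample_log > "$tmp"
    scan_log "$tmp"
    rm -f "$tmp"
}

demo
```

The combined format records only the request line, Referer and User-Agent, so a test string carried in the Cookie or Host header shows up only if the log format is extended to include those headers.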

    At Cygnet, we are aware of the risks posed by Shellshock / Bash Bug, and are taking every precaution to safeguard our clients' systems and our own systems from a Shellshock-based attack.
