Critical Vulnerability in the Bourne Again Shell (BASH) aka ShellShock

Transcription

1 Critical Vulnerability in the Bourne Again Shell (BASH) aka ShellShock This advisory was updated on 29 September 2014 to include additional details of 3 new vulnerabilities (CVE , CVE , CVE ) and to assist affected parties in detecting and protecting affected systems. The GNU Bash shell contains a critical vulnerability that potentially allows remote code execution by an unauthenticated user. Many Unix-based operating systems are affected, including Linux and MacOSX. Other systems that include Bash, such as embedded industrial control systems, are also known to be affected. Automated malicious activity targeting this vulnerability has been publicly reported. Recommendations CERT Australia recommends the following defensive measures: Patch affected Internet facing systems at the earliest opportunity, and monitor vendor advisories for further updates. Be aware that details relating to the vulnerability and its exploitation are rapidly evolving and should be closely monitored. Work closely with security vendors to determine if they have effective detection and mitigation strategies, and application vendors to determine which products are affected. Internet facing systems should be closely monitored for related activity and detected incidents should be reported to CERT Australia. Follow good cyber security practices to secure internet connected devices: o Block unnecessary inbound traffic at the firewall o Disable unnecessary services running on devices o If running web server software, ensure it runs from low privilege accounts o Filtering input to websites, through a Web Application Firewall, can also help to limit impact o Ensure logging and auditing functionality is enabled and actively monitored

2 Details Bash is a widely used program included by default on many non-windows operating systems including Unix, Linux and MacOSX as well as in embedded systems ranging from home routers to industrial controllers. Versions of Bash released from as early as 1995 (version 1.14) and onwards are affected. The Bash shell is a general purpose interface to Unix-like operating systems and is utilised by a wide range of applications including, for example, web servers, remote login services such as SSH and DHCP client software which interacts with a remote service to configure a device s network settings. All applications which utilise Bash are potentially affected by this vulnerability. Multiple vulnerabilities in Bash have been identified, including the initial vulnerability (CVE ) which was incompletely patched leading to the discovery of a further vulnerability (CVE ). With the increased attention on Bash, further vulnerabilities have been discovered including (CVE , CVE and CVE ). Those affected should continuously monitor for updates and apply them as they become available. Improper Input Validation (CVE ) Bash versions up to 4.3 process commands placed after function declarations that are assigned to environment variables. The vulnerability allows remote attackers to execute arbitrary commands by crafting a specially formatted environment variable. This vulnerability potentially affects all applications which invoke a Bash shell, including Apache servers that use CGI, OpenSSH, DHCP client scripts, to name only a few. env x='() { :;}; echo vulnerable' bash -c echo "this is a test" A vulnerable system will output the following: vulnerable this is a test

3 An unaffected (or patched) system will output: bash: warning: x: ignoring function definition attempt bash: error importing function definition for 'x' this is a test or simply; this is a test Improper Input Validation (CVE ) The patch that was released to address CVE was incomplete. Functions declared in environment variables could still be manipulated to achieve unintended command execution. env X='() { (teststring)=>\' bash -c "echo date"; cat echo ; rm -f echo A vulnerable system will output todays date: eg. Mon Sep 29 12:46:52 EST 2014 (it may also show errors). An unaffected (or patched) system will output the word "date" instead of the actual date (it may also show errors). Improper Input Validation (CVE ) The redirection implementation in parse.y in GNU Bash through 4.3 bash allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue. bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' echo "CVE vulnerable, redir_stack"

4 A vulnerable system will output the following: CVE vulnerable Improper Input Validation (CVE ) An off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue. for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) bash echo "CVE vulnerable, word_lineno" A vulnerable system will output the following: CVE vulnerable Improper Input Validation (CVE ) GNU Bash through 4.3 bash does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE and CVE foo='() { echo not patched; }' bash -c foo A vulnerable system will output the following: not patched

5 Resources Further details about this vulnerability: NVD Vulnerability Summary (CVE ) NVD Vulnerability Summary (CVE ) NVD Vulnerability Summary (CVE ) NVD Vulnerability Summary (CVE ) NVD Vulnerability Summary (CVE ) US-CERT Alert (TA14-268A) CERT-UK Alert (Bash Vulnerability AKA SHELLSHOCK) CERT/CC Vulnerability Note VU# (includes affected products list) Digital Bond The Bash Bug and You (confirmed vulnerabilities in ICS) Affected Products List CERT/CC Vulnerability Note VU# (includes links to vendor patches and advisories) Feedback CERT Australia (the CERT) welcomes any feedback you may have with regard to this publication and/or the services we provide or This document remains the property of the Australian Government. The information contained in this document is for the use of the intended recipient only and may contain confidential or privileged information. If this document has been received in error, that error does not constitute a waiver of any confidentiality, privilege or copyright in respect of this document or the information it contains. This document and the information contained herein cannot be disclosed, disseminated or reproduced in any manner whatsoever without prior written permission from the Executive Manager, CERT Australia, Attorney-General's Department, 3-5 National Circuit, Barton ACT The material and information in this document is general information only and is not intended to be advice. The material and information is not adapted to any particular person s circumstances and therefore cannot be relied upon to be of assistance in any particular case. You should base any action you take exclusively on your own methodologies, assessments and judgement, after seeking specific advice from such relevant experts and advisers as you consider necessary or desirable. To the extent permitted by law, the Australian Government has no liability to you in respect of damage that you might suffer that is directly or indirectly related to this document, no matter how arising (including as a result of negligence.

6