A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If any trailing commands are appended to the assignment, bash will execute them. For example, consider the following environment variable assignment:
VAR="() { echo 'test'; }"
This assigns a shell function to the variable VAR (notice how the function definition is contained within open and closed braces {}). Now consider the next assignment:
VAR="() { echo 'test'; }; chmod 666 /etc/shadow"
This assignment has an additional command (; chmod 666 /etc/shadow) appended AFTER the function definition which will be executed when spawning a new instance of a vulnerable bash shell.
The implications of this vulnerability are staggering considering that network-based remote exploitation is possible. The biggest attack vector would be HTTP requests to CGI scripts due to the fact that CGI will make heavy use of environment variables, when written in bash or when spawning subshells. Potential exploitable environment variables include REMOTE_HOST, HTTP_CUSTOM, and SERVER_PROTOCOL, where these can be manipulated into shell functions with arbitrary commands appended to them.
OpenSSH is another potential attack vector when the AcceptEnv configuration setting is used. In this case, exploitable environment variables include TERM and SSH_ORIGINAL_COMMAND. Also, this vulnerability can potentially bypass command execution limits enforced by the ForceCommand configuration setting.
Finally, many Linux / Unix daemons with SUID privileges may execute shell scripts where environment variables can be influenced by a user, opening the door for local exploitation and privilege escalation.
Note: This vulnerability is not limited to Linux systems. Mac OS X includes a vulnerable version of bash which, as of this writing, Apple has not yet released a patch for.
BeyondTrust is helping to combat this issue by supplying its customers with the following audit updates for Retina Vulnerability Management products as of audit release 2820:
Generic:
31615 – Bash Remote Code Execution Vulnerability – CVE-2014-6271
35314 – Bash Remote Code Execution Vulnerability – CVE-2014-7169
33606 – Bash Remote Code Execution Vulnerability – CGI Remote **
Apple OS X:
33975 - Apple OS X bash Update 1.0 (HT6495) - Mavericks
35351 - Apple OS X bash Update 1.0 (HT6495) - Mountain Lion
35352 - Apple OS X bash Update 1.0 (HT6495) - Lion
CentOS:
31428 – CESA-2014:1293 – bash security update
35304 – CESA-2014:1306 – bash security update
Debian:
31425 – DSA-3032 – bash
35302 – DSA-3035 – bash
Fedora:
31434 – FEDORA-2014-11503 – bash-4.2.47-2.fc19
35308 – FEDORA-2014-11514 – bash-4.2.48-2.fc19
35297 – FEDORA-2014-11360 – bash-4.2.47-4.fc20
35307 – FEDORA-2014-11527 – bash-4.2.48-2.fc20
FreeBSD:
35377 - FreeBSD - bash (71ad81da-4414-11e4-a33e-3c970e169bc2)
35379 - FreeBSD - bash (4a4e9f88-491c-11e4-ae2c-c80aa9043978)
35378 - FreeBSD - bash (512d1301-49b9-11e4-ae2c-c80aa9043978)
Gentoo:
33681 – GLSA 201409-09 – bash
35303 – GLSA 201409-10 – bash
Mandriva:
32375 – MDVSA-2014:186 – bash
35313 – MDVSA-2014:190 – bash
Oracle Linux:
34280 – ELSA-2014-1293 – bash security update
35306 – ELSA-2014-1294 – bash security update
35305 – ELSA-2014-1306 – bash security update
Red Hat Enterprise Linux:
35295 – RHSA-2014:1293 – bash security update
35309 – RHSA-2014:1294 – bash security update
34281 – RHSA-2014:1306 – bash security update
35322 – RHSA-2014:1311 – bash security update
Scientific Linux:
32376 – SLSA-2014:1293 – bash security update
34936 – SLSA-2014:1306 – bash security update
Slackware:
33684 – SSA:2014-267-01 – bash – 13.0
35310 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 13.0
33683 – SSA:2014-267-01 – bash – 13.1/13.37
35311 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 13.10/13.37
35296 – SSA:2014-267-01 – bash – 14.0/14.1
35312 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 14.0/14.1
35348 – SSA:2014-272-01 – bash – 14.0/1
35349 – SSA:2014-272-01 – bash – 13.1/37
35350 – SSA:2014-272-01 – bash – 13.0
Solaris:
35316 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.2 (11.2.2.7.0)
35317 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.1 (IDR1401.2)
35323 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.1 (IDR1400.2)
35328 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 x86 (126547-06)
35329 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 SPARC (126546-06)
35331 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 x86 (149080-01)
35332 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 SPARC (149079-01)
35333 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 x86 (IDR151575-02)
35334 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 SPARC (IDR151576-02)
35335 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.2 (11.2.2.8.0)
35336 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 x86 (IDR151578-02)
35338 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 SPARC (IDR151577-02)
35339 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 x86 (IDR151574-02)
35340 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 SPARC (IDR151573-02)
35341 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 x86 (IDR151575-02)
35342 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 SPARC (IDR151576-02)
SuSE:
35298 – SUSE-SU-2014:1212 – bash
35299 – SUSE-SU-2014:1213-1 – bash – server 10
35300 – SUSE-SU-2014:1213-1 – bash – server 11
35301 – SUSE-SU-2014:1214-1 – bash
35325 – openSUSE-SU-2014:1254 – bash
35320 – SUSE-SU-2014:1247 – bash – 11
35321 – SUSE-SU-2014:1247 – bash – 10
35355 - SUSE-SU-2014:1259-1 - bash
Ubuntu:
31417 – USN-2362-1 – Bash vulnerability
35071 – USN-2363-1 – Bash vulnerability
35093 – USN-2364-1 – Bash vulnerability
VMware:
35364 - VMSA-2014-0010: Multiple Products Bash Vulnerability - ESX 4.1
35365 - VMSA-2014-0010: Multiple Products Bash Vulnerability - ESX 4.0
35366 - VMSA-2014-0010: Multiple Products Bash Vulnerability - vC Appliance
35375 - VMSA-2014-0010: Multiple Products Bash Vulnerability - vC Log Insight
Additional audits will be updated here as they are released. Please note that the above audits are covering the current set of "Shellshock" CVEs, which include CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278.
** Due to the nature of this vulnerability not every remote attack vector is able to be audited in an uncredentialed manner. We will continue to add any new capabilities we can that allow for auditing without credentials. This audit currently queries a few common CGI locations in order to determine if web based attack vectors might be possible.
Revisions:
2014-10-03 @ 3:40 PM PT: Audits related to revision 2820 added.
2014-10-02 @ 9:50 AM PT: Audits related to revision 2819 added.
2014-09-29 @ 6:11 PM PT: Audits related to revision 2818 added.
2014-09-26 @ 5:04 PM PT: Audits related to revision 2817 added.
2014-09-26 @ 12:20 PM PT: Audits related to revision 2816 added.
2014-09-25 @ 10:19 PM PT: Audits related to revision 2815 added.
2014-09-24 @ 7:15 PM PT: Original post.
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.