PowerBroker for Unix & Linux helps prevent Shellshock

Sep 25, 2014
Author: Paul Harper, Product Manager, BeyondTrust

Like many other people who tinker with UNIX and Linux on a regular basis, I have always had BASH as my shell of choice. Dating back to my early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately, BASH now joins an ever-growing list of tools that expose your systems to some pretty serious hacks. If you haven’t read about this yet, details on the vulnerability can be found here and don’t need to be rehashed in this post:

  • Redhat Security Blog
  • SecLists

BeyondTrust has been a longtime proponent of Least Privilege access and has led the way for over a decade with our award-winning PowerBroker for UNIX & Linux solution. Although the solution itself does not contain or use BASH, and therefore has no direct exposure, PowerBroker for UNIX & Linux can be used to launch the shell or to run scripts that invoke the shell during command processing. Those of you familiar with PowerBroker for UNIX & Linux already know that requests are processed centrally and that the solution has complete control over the submit and runtime user environment variables. As such, and based on the information made available so far about this vulnerability, a simple update to your PowerBroker for UNIX & Linux policy can render the Shellshock attack useless, both for direct shell start requests and for shells called as part of a normal shell script initiated by PowerBroker for UNIX & Linux.

There are multiple ways to counter the Shellshock attack within your policy. You could, for instance, simply remove any environment variable whose entry contains “=()” (the tell-tale start of a Shellshock payload) and then allow the command to be processed in the same manner as before. You can also choose to block the command, as shown in the example below, which may be preferable for alerting purposes. Simply add the code below to your policy at an appropriate spot (perhaps near the top):

# Reject the request if any environment entry (NAME=VALUE) contains "=()"
if (search(env, "*=()*") != -1) {
    reject("Detected an inappropriate environment variable. Request rejected.");
}

Any attempt to launch the shell now via PowerBroker for UNIX & Linux using pbrun will result in the command being rejected:

$ env x='() { :;}; echo VulX' y='() { :;}; echo VulY' pbrun bash -c 'echo testing'
pbrunVERSION [PID]: Detected an inappropriate environment variable. Request rejected.
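To make the policy's two options concrete outside of PowerBroker, here is an added example written for this post in plain POSIX sh; it is not PowerBroker code and the function names (env_is_clean, scrub_env, guarded_run, bash_exposes_shellshock) are my own. It applies the same rule as the policy above to NAME=VALUE lines: either refuse to run a command when an entry's value begins with "()" (the reject path), or strip such entries and carry on (the remove-the-variable path). The last function is the same self-check the pbrun session above performs, wrapped so that its result can be tested.

```shell
# Added example, not PowerBroker code: a POSIX sh wrapper applying the same
# rule as the policy above. A Shellshock payload is an environment entry of
# the form NAME='() { :;}; <smuggled commands>', so the check looks for "=()"
# directly after the variable name.

# Read NAME=VALUE lines on stdin; succeed only if none look like a payload.
env_is_clean() {
    if grep -q '^[^=]*=()'; then
        return 1    # at least one entry matches NAME=()...
    fi
    return 0
}

# Read NAME=VALUE lines on stdin and print only the entries that survive the
# check (the "remove the variable and process the command anyway" option).
scrub_env() {
    grep -v '^[^=]*=()'
}

# Run a command only if the live environment passes the check; otherwise
# refuse with the same message the policy's reject() produces.
guarded_run() {
    if ! env | env_is_clean; then
        echo "Detected an inappropriate environment variable. Request rejected." >&2
        return 1
    fi
    "$@"
}

# Defender's self-check on the local bash: succeeds (exit 0) only if bash
# still executes the text that follows the function body in the variable.
# A patched bash (or no bash at all) leaves "VulX" unprinted, so it fails.
bash_exposes_shellshock() {
    out=$(env x='() { :;}; echo VulX' bash -c 'echo testing' 2>/dev/null)
    case "$out" in
        *VulX*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage: guarded_run bash -c 'echo testing'
```

Two caveats a practitioner should keep in mind. First, like the policy pattern `*=()*`, the check matches on shape, not intent: bash releases that shipped with the fix export shell functions under a decorated name (`BASH_FUNC_name%%=() { ...`), so exporting functions into a guarded session will trip the check as well, which is usually acceptable for a privileged-command path but worth knowing when an alert fires. Second, the wrapper only protects commands launched through it, exactly as the policy only protects requests that pass through PowerBroker.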

You can see what this looks like when attempted on a host protected with PowerBroker for UNIX & Linux here:
[Image: rejection of attempt to launch the shell via PowerBroker for UNIX & Linux]

It should also be noted that one popular attack vector for this vulnerability is the abuse of CGI applications within websites. Native calls that do not go through PowerBroker for UNIX & Linux, which is typically the case with CGI, would not be covered by this policy. In that case, you can pursue other remedies such as filtering in your web application firewall and scanning web applications with Retina Web Security Scanner to identify any potential vulnerabilities.

If you need assistance with configuring your PowerBroker for UNIX & Linux implementation to block and alert on these newly discovered attack conditions, please don’t hesitate to contact our highly skilled product specialist support team.

About PowerBroker for UNIX & Linux

PowerBroker for UNIX & Linux allows system administrators to delegate UNIX, Linux and Mac OS X privileges and authorization without disclosing passwords for root or other accounts. The solution can also record all privileged sessions for audits, including keystroke information. Customers use PowerBroker to meet the privileged access control requirements of government and industry mandates including SOX, HIPAA, PCI DSS, GLBA, PCI, FDCC and FISMA.

  • Enable users to perform specified administrative tasks without disclosing passwords
  • Integrate all policies, roles and log data via a web-based console
  • Automate workflows for policies and audit-ready logging
  • Broker permissions transparently, ensuring user productivity and compliance
  • Record and index all sessions for quick discovery during audits
  • Leverage across more than 30 different Unix/Linux platforms