ADVISORY: Remote code execution through bash (CVE-2014-6271)

Friday, September 26, 2014

Vulnerabilities in multiple versions of bash continue to be identified. IIA recommends applying patches for these vulnerabilities as the patches become available from vendors. The links below provide information:


Update as of 4:25 p.m., 9/25/14

See Alert (TA14-268A) GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169) from US-CERT for additional information.


Update as of 1:20 p.m., 9/25/14

Machines running web servers or allowing other types of incoming network connections from the Internet appear to be most at risk. There is some risk to end-user computers through vectors such as rogue DHCP servers, but exploitation is more difficult than for web servers.

Servers should remain a higher priority for patching. End-user linux and Mac machines should be patched as soon as vendor patches are available.

Be aware that you will need to patch more than once. A second, related vulnerability has been identified. It is important to apply the available patches for the protection they provide, but it will also be important to apply additional patches as they become available.


The information below was sent to the U-M IT Security Community and other IT staff groups September 24, 2014.

This message is intended for U-M IT staff who are responsible for maintaining and running university servers. A security vulnerability was announced today that requires immediate remediation. Please read the advisory below to see if servers for which you are responsible are affected and take action if appropriate.

Summary: 

A vulnerability in bash could allow an attacker to execute arbitrary commands on a server, which could result in exposure of sensitive information or negative impact to critical services. (See below for definition of bash.)

Problem: 

Details and sample exploits for the bash vulnerability have been made publicly available. Any service running on a system with a vulnerable version of bash may be susceptible to attack.

Affected Systems: 

Any system that uses a vulnerable version of bash. This includes most linux, Apple, and other unix-like operating systems. The most likely target for exploitation appears to be web servers, but other services may also be affected (such as ssh).

Action Items: 

Apply vendor patches as soon as possible to vulnerable systems (see references below). Web servers that are accessible from the Internet should be prioritized. Servers that allow any other form of access from the Internet should also be patched quickly. An accelerated process for patching all systems that use bash should be considered, regardless of the services provided by the systems and regardless of whether the systems are directly accessible from the Internet.

Threats: 

Exploit code is publicly available. IIA has confirmed that the vulnerability can be used to execute arbitrary commands on vulnerable systems. Because exploitation is simple, widespread exploitation is expected to occur quickly.

Technical Details: 

Vulnerable versions of bash do not properly parse function definitions that are a part of environment variables. By appending additional commands at the end of a function definition, an attacker can cause bash to run those additional commands. Services such as web servers set environment variables when running external commands, such as CGI scripts. An attacker can cause the server to run a command by creating a fake bash function definition and embedding it within data that the web server will use in an environment variable.

Detection: 

IIA will not be scanning campus networks to identify vulnerable systems because a reliable method for remotely detecting vulnerable systems is not available.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

References: 

ABOUT BASH: Bash is a unix shell. A Unix shell is basically a user interface to a system running some form of Unix-like operating system. Bash typically runs in a text window where the user can type commands, but is also frequently used when services such as web servers run scripts or programs on a server. For more information, see the Wikipedia entries for Bash (Unix shell) and Unix shell.