September 25, 2014

CVE-2014-6271 - Remote 'Shellshock' Vulnerability in Bash

Nicholas Griffin Security Researcher

CVE-2014-6271 Overview 

A vulnerability present in Bash up to version 4.3 has been found by Stephane Chazelas.  Bash is a shell program found in a range of Unix-based operating systems such as Linux and Mac OS X - a very large population of affected systems.  The vulnerability (CVE-2014-6271) allows for remote execution of arbitrary commands via crafted environment variables, which can be exploited in a number of ways including over HTTP. Websense® ThreatSeeker® Intelligence Cloud is actively monitoring the situation and will be updating ACE via the ThreatSeeker Network as exploitation attempts in the wild emerge.

How is it exploited?

Any system that allows remote access to the Bash program can be exploited.  Perhaps the most dangerous mechanism for remotely calling Bash is via a crafted HTTP packet that invokes a bash shell with specially crafted environment variables on servers configured to open Bash shells as part of its normal operation.  This would cause the remote server to execute remote commands encoded in the GET request.  Proof-of-concept code for these techniques has been widely published - a blueprint for would-be attackers that will speed the rate of exploitation in the attack community. 

What is the risk?

Websense Security Labs researchers view this as a critical vulnerability which could allow an attacker to gain complete control over a vulnerable server. It is strongly recommended to patch this vulnerability as soon as possible to avoid this. 

What actions should you take?

Patches are starting to become available to mitigate this issue.  However, please think carefully about taking immediate action: 

  1. Make sure to obtain patches from reliable, official sources.
  2. Keep on top of any updates regarding patches, as sometimes the first patches do not fully fix the underlying issue (which we have already seen in initial reports on this vulnerability).
  3. Note that all versions up until, and including, 4.3 are vulnerable unless patched.
  4. Avoid remote access to Bash on affected systems. 

You can obtain the latest patch from the official GNU Bash website.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.