This article is more than 1 year old
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers.
But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete.
The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple's OS X.
It allows miscreants to remotely execute arbitrary code on systems ranging from web servers, routers, servers and Macs to various embedded devices that use Bash, and anything else that uses the flawed open-source shell.
An attacker needs to inject his or her payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.
The Bash flaw – designated CVE-2014-6271 – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.
Patches released on Wednesday by Linux vendors, the upstream maintainer of Bash, and others for OS X, blocked these early attacks, but it's understood they do not completely protect Bash from code injection via environment variables.
New packages of Bash were rolled out on the same day, but further investigation made it clear that the patched version is still exploitable, and at the very least can be crashed due to a null-pointer exception. The incomplete fix is being tracked as CVE-2014-7169.
Red Hat, at time of writing, is urging people to upgrade to the version of Bash that fixes the first reported security hole, and not wait for the patch that fixes the secondary lingering vulnerability – designated CVE-2014-7169.
"CVE-2014-7169 is a less severe issue and patches for it are being worked on," the Linux maker said.
Meanwhile, although Ubuntu and other Debian-based distros have moved to using the non-vulnerable Dash over Bash, the latter may well be present or in use by user accounts. Above all, check what shell interpreters are installed, who is using them, and patch CVE-2014-6271 immediately.
The bash patch seems incomplete to me, function parsing is still brittle. e.g. $ env X='() { (a)=>\' sh -c "echo date"; cat echo
— Tavis Ormandy (@taviso) September 24, 2014
The above code can be used to drop files onto patched systems and execute them, as explained here. Completely unpatched servers and computers can be exploited to open reverse command shells – a backdoor, basically – or reboot them (or worse) if they connect to a malicious DHCP server.
The main CVE-2014-6271 flaw was discovered by Stephane Chazelas before it was responsibly disclosed. A Metasploit module leveraging the bug is already available. A blog post by Metasploit developers Rapid7 explains the grim state of play.