Protecting Yourself Against Shellshock
Note: This is a developing story. Check Point will provide updates as additional information becomes available. Check Point strongly encourages organizations to take action, and to understand how the fixes and protections work, in order to minimize their exposure and avoid introducing new problems.
What is Bash and Shellshock?
Bourne Again Shell, also referred to as Bash, is a command-line shell commonly used in Apple Mac OS X and Linux/UNIX operating systems. On September 25th, “Shellshock”, a critical vulnerability in Bash, was disclosed (CVE-2014-6271 and CVE-2014-7169). According to US-CERT, if exploited, this vulnerability enables attackers to remotely execute shell commands by attaching malicious code to environment variables used by the operating system.
It is important to note that CVE-2014-7169 supersedes CVE-2014-6271: the fixes for CVE-2014-6271 do not completely resolve the vulnerability. Install the existing patches now and watch for the updated patches that address CVE-2014-7169.
In what ways might this vulnerability be exploited?
GNU Bash versions 1.14 through 4.3 contain a flaw in how function definitions are imported from environment variables: Bash also processes any commands placed after the function definition, so an attacker who can set an environment variable on a target can execute arbitrary code. Because many services pass untrusted input to Bash through the environment, the flaw is exploitable over the network. Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X, include Bash and are likely to be affected. Critical instances where the vulnerability may be exposed include:
- Apache HTTP Server using mod_cgi or mod_cgid with scripts that are either written in Bash or spawn subshells.
- Overriding or bypassing the ForceCommand feature in OpenSSH sshd, and the limited protection in some Git and Subversion deployments that use it to restrict shells, allowing arbitrary command execution.
- Running arbitrary commands on a DHCP client machine, and in various daemons and SUID/privileged programs.
- Exploiting servers and other Unix and Linux devices via web requests, secure shell, telnet sessions, or any other program that uses Bash to execute scripts.
How dangerous is the GNU Bash vulnerability?
The scope of the Shellshock vulnerability is much more pronounced than that of the OpenSSL Heartbleed vulnerability. Heartbleed allowed remote access to a small amount of data in the memory of affected machines. Shellshock enables remote injection of arbitrary commands without any authentication. This is deemed exponentially more dire.
Affected Operating Systems
- GNU Bash through 4.3
- Linux, BSD, and UNIX distributions including but not limited to:
- Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
- CentOS (versions 5 through 7)
- Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
- Debian
- Mac OS X
How does Shellshock affect you and your organization?
This vulnerability is classified by industry standards as “High” impact, with a CVSS impact sub score of 10, and “Low” complexity, which means it takes little skill to exploit. The flaw allows attackers to supply specially crafted environment variables containing arbitrary commands that are then executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and the numerous ways in which applications can invoke it.
Recommendations: Protecting your organization
Check Point customers
- Check Point has released an IPS protection to detect and block network-based exploits associated with Shellshock. The signature enables organizations to add a layer of protection to their network during the time they need to update their systems with vendor provided patches. We recommend that our customers make the following update immediately in order to secure their networks through SK102673 – Shellshock GNU Bash Remote Code Execution Vulnerability IPS Protection
- Follow the steps below to enable IPS to protect against GNU Bash Remote Code Execution on Security Gateways R77/R76/R75/R71/R70:
- In the IPS tab, click Protections, find the GNU Bash Remote Code Execution protection using the Search tool, and edit the protection’s settings.
- Install policy on all modules.
- SmartView Tracker will log the following entries:
- Attack Name: Web Server Enforcement Violation
- Attack Information: GNU Bash Remote Code Execution
- Customers who have enabled their Threat Prevention options such as the Anti-Bot and Antivirus Blades on their Check Point gateways automatically receive updated detections for Shellshock through ThreatCloud. This includes IPS signatures that prevent the vulnerability, command and control communications and MD5’s of hostile binaries. Check Point recommends that customers enable Prevent mode in their gateway Threat Prevention policies.
- Regardless of the current vulnerability and as a general best practice, Check Point recommends that customers only allow access to their system admin portals (Admin WebUI) via secure networks. In such scenarios, Check Point systems are not vulnerable to the announced exploit.
Most Check Point portals are not vulnerable to the Shellshock exploit. Specifically, Mobile Access, the IDA portal, and the UserCheck portal are not vulnerable, while the GAiA and SecurePlatform Admin WebUI may be susceptible to environment changes caused by this exploit. At the time of writing, Check Point is not aware of any exploits against its solutions.
- Check Point recommends that all its customers, especially those who need to expose their system administrative WebUI to an external unsecured network, follow SK102673, which includes hotfixes for the different releases.
All customers
- Major Linux vendors have released patches to fix this vulnerability in the affected versions:
Testing for the Shellshock vulnerability
- Method 1: Via Command Line
To determine if your Linux or Unix system is vulnerable, from a command line, type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
- Method 2: Via an online tool
An online tool to test the vulnerability is available at:
- http://shellshocktest.com/
- http://shellshock.brandonpotter.com/
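The command-line test in Method 1, and the CGI/web-request exposure listed earlier, as an added example that is not part of Check Point's advisory: a POSIX shell script that runs the advisory's probe unattended against a given bash binary, classifies the output the way the advisory describes, and flags web server log lines carrying the function-definition marker that the probe relies on. The function names, the log lines and the 192.0.2.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not Check Point's code: wraps the advisory's command-line
# test so it can be run unattended, classifies its output, and scans web
# server log lines for the function-definition pattern the test relies on.

# Run the advisory's probe against the bash binary named in $1 (default: the
# "bash" found on PATH). Prints combined stdout/stderr; returns 2 if missing.
shellshock_probe() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "no such binary: $bin"; return 2; }
    # The environment variable holds a function definition followed by a
    # trailing command; a vulnerable bash executes that trailing "echo".
    env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>&1
}

# Classify probe output as VULNERABLE, PATCHED or UNKNOWN. Vulnerable output
# starts with "vulnerable"; a patched bash either warns that the function
# definition was ignored or (with newer function-import rules) treats x as a
# plain variable and prints only the test string.
shellshock_classify() {
    case "$1" in
        vulnerable*)        echo VULNERABLE ;;
        *"this is a test"*) echo PATCHED ;;
        *)                  echo UNKNOWN ;;
    esac
}

# Read log lines on stdin and print those carrying a bash function definition
# ("() {", with optional whitespace) in a request line or header value, the
# marker that any attempt to reach a CGI script through this flaw must carry.
shellshock_scan_log() {
    grep -E '\(\)[[:space:]]*\{'
}

# Stand-alone usage: probe the local bash, then scan two constructed log lines.
out=$(shellshock_probe bash) || true
echo "local bash: $(shellshock_classify "$out")"
printf '%s\n' \
  '192.0.2.10 - - [25/Sep/2014:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "-" "() { :;}; echo vulnerable"' \
  '192.0.2.11 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"' \
  | shellshock_scan_log
```

Run the scan over real access logs with `shellshock_scan_log < access.log`; an IPS signature such as the one in SK102673 blocks the same pattern on the wire, so log hits on a patched host are attempts, not compromises.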
Related links:
- https://www.us-cert.gov/ncas/alerts/TA14-268A
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
- http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported
- http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shel
- http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x