breaking

Remote exploit vulnerability in bash CVE-2014-6271

More like this
danger

CSO |

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. If you have have Microsoft Services for UNIX you will need to patch ASAP.

Bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished through the process environment to a child process. 

From Debian:

Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.  The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.  For example, an environment variable setting of

 VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process.  (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.


The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Here is a sample 

If you have a username in your authorization header this could also be an attack vector.

Another attack surface is OpenSSH through the use of AcceptEnv variables. As well through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad.

The race is on. Will you be able to patch before Metasploit has a working exploit? 

Ready…GO!

Support Information:

  1. Novel/SuSE
  2. Debian
  3. Ubuntu
  4. Mint
  5. Redhat/Fedora
  6. Mageia
  7. CentOS

Looking for a specific distribution? Check out DistroWatch.

 
(Image used under CC from spcbrass)

Dave LewisGlobal Security Advocate

Dave has over 15 years industry experience. He has extensive experience in IT operations and management. Currently, Dave is a Senior Security Advocate for Akamai Technologies .

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies
Most Popular
cell tower
Rogue cell towers discovered in Washington, D.C.

After initially discovering more than a dozen rogue cell towers in the U.S., ESD America and

ebay sign
Is eBay trading too much security for seller happiness?

Criminals are exploiting an eBay security weakness that could result in shoppers getting redirected to

jobs
Why CSO pay is too low in San Francisco, New York

Among six major U.S. cities, CSOs are paid the most in San Francisco and New York, but factoring in the

BrandPost
Learn more
Popular Resources
Featured Stories
identity concept 164551610
New Brunswick conquers identity management with virtual directory

What started as a single provincial department's effort to roll out a virtual directory now helps

healthcare.gov
HealthCare.gov still struggling with security

The Inspector General (IG) of the Health and Human Services Department has released a report detailing

Apple iOS 8 on the iPhone
iPhone 6 fingerprint scanner found accurate enough for Apple Pay

Apple's iPhone 6 fingerprint scanner has a level of accuracy that makes it a solid authentication tool

credit card device
Three critical changes to PCI DSS 3.0 that every merchant should know

Version 3.0 of the PCI Data Security Standard (PCI DSS) goes into effect by the first of next year, and