“ShellShock”: CVE-2014-6271 GNU Bash vulnerability

Bash is, in many *nix systems, the default shell for interacting with the system.  This could be via tty, SSH or some other terminal emulator.  It is present, even if it is not specifically used.

Unless you have been hiding on the moon for the last couple of days you are now most likely aware that there has been a highly critical vulnerability discovered in Bash.

This vulnerability is due to Bash’s handling of environment variables. When Bash imports a function definition from an environment variable, any trailing code after the function body is also executed, which allows a command injection attack to be conducted.

Am I Vulnerable?

The long and the short answer is most likely yes: if you are running a *nix based operating system at this present time, you are highly likely to have a vulnerable version of Bash installed (versions up to and including 4.3 are known to be vulnerable). There is as yet no global / complete public fix available if you make use of a *nix based OS.  This includes Desktop, Server and Embedded OS versions that have Bash available.

A quick check to see if there is a vulnerable version of Bash on a box is to open a terminal and run the following:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you are vulnerable, you should see:
vulnerable
hello


If you are not vulnerable you should see a bash warning, an error and lastly just ‘hello’. The most generic option to check your version of Bash is

echo $BASH_VERSION

This will return the version of bash currently on the machine.  An empty response will be returned if you are not currently running bash.

However, in a remote attack scenario, although you may be running a vulnerable version of Bash, your exposure to someone exploiting your system depends on which publicly facing services you run that interact with Bash.

Attackers are currently heavily targeting the HTTP service and those supporting CGI scripting that invokes Bash in any way, for example Apache servers running the module mod_cgi or PHP applications running in CGI mode.

However, remote compromise is not limited to attacks via HTTP, and Bash may also be exploited via other services such as SSH.
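The following is an added example, not code from the original post: it wraps the harmless local probe shown above so a script can act on the result, and it scans web server access-log lines for the "() {" function-definition prefix that CVE-2014-6271 probes place in HTTP header fields, which is what CGI-facing servers should be watching for. The log lines are constructed samples in combined-log format; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Three defender-side helpers:
#  shellshock_local_check     - the harmless probe from the post, wrapped so a
#                               script can act on the result
#  count_shellshock_attempts  - counts access-log lines carrying the "() {"
#                               function-definition prefix that CVE-2014-6271
#                               probes place in HTTP header fields
#  shellshock_sources         - unique client IPs behind those lines
# The log lines below are constructed samples in combined-log format.

shellshock_local_check() {
    # A patched bash prints only "hello"; an unpatched one also prints
    # "vulnerable", because the trailing command after the function body
    # is executed while the definition is imported from the environment.
    command -v bash >/dev/null 2>&1 || { echo "bash not found"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# Regex for a function-definition prefix "() {" (optional spaces) anywhere in
# the line: the referer and user-agent fields are where CGI probes put it.
SHELLSHOCK_RE='\(\) *\{'

count_shellshock_attempts() {
    # grep -c exits 1 when the count is 0, so keep "set -e" scripts alive.
    printf '%s\n' "$1" | grep -c -E "$SHELLSHOCK_RE" || true
}

shellshock_sources() {
    printf '%s\n' "$1" | grep -E "$SHELLSHOCK_RE" | awk '{ print $1 }' | sort -u
}

# Constructed sample log: two probe lines from one client, two benign requests.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.20 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; echo probe" "curl/7.30"
198.51.100.21 - - [25/Sep/2014:10:02:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

echo "local bash: $(shellshock_local_check)"
echo "probe lines in sample log: $(count_shellshock_attempts "$SAMPLE_LOG")"
echo "probe sources: $(shellshock_sources "$SAMPLE_LOG" | tr '\n' ' ')"
```

Run it against a real access log with `count_shellshock_attempts "$(cat /var/log/apache2/access.log)"`; a non-zero count on a host exposing CGI is a reason to patch and to review what those requests reached.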

How do I update?

“…this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It's quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example -- routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed.”  Tod Beardsley from Rapid7.

The base recommendation at the moment is to:
1. Update bash on desktop and server OSs as soon as vendor patches become available
2. Patch systems and appliances as soon as the patches are released by vendors
3. Check with your IPS & WAF provider for a signature or virtual patch to help reduce the exposure of the underlying issue
