GNU Bash Shellshock command injection CVE-2014-6271

What is it about?

The GNU Bash Shellshock command injection vulnerability, CVE-2014-6271:

  • A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw allows an attacker to remotely execute shell commands by embedding malicious code in environment variables that are passed to the shell.
  • GNU Bash versions 1.14 through 4.3 contain a flaw: when Bash imports a function definition from an environment variable, it also executes any commands placed after that definition. This allows remote attackers to execute arbitrary code via a crafted environment and enables network-based exploitation wherever attacker-controlled data ends up in environment variables.
  • There is a very simple test: just run this command within your shell:
    env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
  • If “busted” is echoed back, the bug has been triggered and the shell you ran it through is vulnerable.


How to test for the vulnerability
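
The one-line test above, wrapped as a self-check that reports a status instead of relying on spotting “busted” by eye (an added example, not part of the advisory). It assumes the shell to check is passed as the first argument, defaulting to bash; the advisory's one-liner probes /bin/sh, which only tells you about whatever /bin/sh is on that host (on Debian-derived systems that is dash, not bash), so pass the shell you actually want to examine. The second function is the publicly documented follow-up probe for the incomplete fix tracked as CVE-2014-7169; that probe is not on the advisory page.

```sh
#!/bin/sh
# Added example (not from the advisory). Assumed: the shell under test is $1,
# defaulting to bash. Each function prints "vulnerable", "not vulnerable" or
# "missing" and returns 0 only when the probe fired.

# CVE-2014-6271 probe. The exported variable holds a function definition
# followed by a trailing command; an unpatched bash runs that trailing command
# while importing the function, so the marker shows up in the output.
check_cve_2014_6271() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo "missing"; return 2; }
    marker="shellshock_probe_$$"
    out=$(env X="() { :;}; echo $marker" "$shell" -c "echo probe" 2>&1) || true
    case "$out" in
        *"$marker"*) echo "vulnerable";     return 0 ;;
        *)           echo "not vulnerable"; return 1 ;;
    esac
}

# CVE-2014-7169 probe (publicly documented follow-up test, not from the
# advisory). A bash carrying only the first fix still mis-parses the value and
# ends up creating a file named "echo" in the working directory; the probe runs
# in a scratch directory so nothing is left behind on the host.
check_cve_2014_7169() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo "missing"; return 2; }
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then status="vulnerable"; rc=0
    else status="not vulnerable"; rc=1; fi
    rm -rf "$tmp"
    echo "$status"
    return "$rc"
}

# Usage: report both probes for each shell in a constructed list.
for s in bash sh; do
    printf '%-5s CVE-2014-6271: %-15s CVE-2014-7169: %s\n' "$s" \
        "$(check_cve_2014_6271 "$s")" "$(check_cve_2014_7169 "$s")"
done
```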


Stay alert:

  • Be careful: this vulnerability is a convenient opportunity for attackers to harvest more information.
  • Don’t trust any password-reset e-mails or similar messages.
  • Be cautious.

Since we became aware of the vulnerability we have been on high alert, and we have examined all of our systems to evaluate the impact on our internal systems.

Our vulnerable internal systems will be updated today, 26.09.2014, during the afternoon.

What can you do?

  • Review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169 to mitigate the damage the exploit can cause.
  • Major Linux vendors have released patches for the affected versions. The fixes for CVE-2014-6271 do not completely resolve the vulnerability: install the existing patches now and watch for updated patches that address CVE-2014-7169.
  • Update your intrusion detection signatures.