Shellshock: bash specially-crafted environment variables can be used to inject shell commands
This issue affects all products which use the Bash shell and parse values of environment variables.
Ensure that any machine running a vulnerable version of Bash is updated.
Diagnostics
To test if your version of Bash is vulnerable to this issue, run the following command:
$ env x='() { :;}; echo vulnerable' bash -c "echo Shellshock Test"
If the output of the above command looks as follows:
vulnerable Shellshock Test
you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function.
If you run the above example with the patched version of Bash, you should get an output like this:
$ env x='() { :;}; echo vulnerable' bash -c "echo Shellshock Test" bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' Shellshock Test
The below list gives some examples of how this issue affects certain services and why the level of complexity makes it very difficult to specify whether or not a service is affected by this issue. The best course of action is to upgrade Bash to a fixed version.
Affected Services
httpd | CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables. |
Secure Shell (SSH) | It is not uncommon to restrict remote commands that a user can run via SSH, such as rsync or git. In these instances, this issue can be used to execute any command, not just the restricted command. |
dhclient | The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine. |
CUPS | It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed. |
sudo | Commands run via sudo are not affected by this issue. Sudo specifically looks for environment variables that are also functions. It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code. |
Postfix |
The Postfix server will replace various characters with a ?. While the Postfix server does call Bash in a variety of ways, we do not believe an arbitrary environment variable can be set by the server. It is however possible that a filter could set environment variables. |
RedShield Cloud
RedShield Cloud customers are protected from Shellshock.
Comments