How to protect yourself against Shellshock Bash vulnerability

Shellshock vulnerability – Bash

Bash is one of the most used shells on Unix based systems. The newly discovered “shellshock” vulnerability affects millions of systems.

The weakness abuses an internal check when Bash gets a variable declaration. By defining this variable and putting more “stuff” (commands) in it, Bash will actually execute those commands as well. Unfortunately this results in several possible ways to exploit it by attackers.

Websites

One way this vulnerability scan be exploited, is by embedding it in HTTP requests. The extra payload might be the value for a cookie. Some CGI scripts, which reference to Bash as their shell, then will be tricked in executing commands when parsing the value of the cookie. Needless to say, but from there anything is possible, from revealing the contents of files, to implementing a backdoor.

If you are hosting websites or use common products (like cPanel), we strongly suggest to look at their forums for the real impact. There is a lot of hype going on on what is vulnerable, but the best source is still your vendor.

Early Christmas

Apparently this issue was undiscovered for a long time. Only recently the issue was revealed and become quickly a very hot subject. While it is common that issues are detected soon by attackers after a patch has been released, it is less common that the issue is already exploited this quickly. Looks like it is an early Christmas for attackers..

Protecting against Shellshock

To protect yourself against Shellshock, we advice taking the following 3 steps:

  1. Update your software repository and install security updates
  2. Check your log files of the last days for traces
  3. Audit your system with Lynis

Lynis and Shellshock

Most security vendors cover this vulnerability as big news and provide additional detection methods in their products. While that is great, companies and individuals should apply security patches already on a regular basis. The addition to a product should be better used as an additional way to check you finished your patching properly.

Perform manual update

Debian/Ubuntu based systems:

apt-get install --only-upgrade bash

Red Hat based systems:

yum update bash

Automatic security updates

For example Debian based systems can use the “unattended-upgrades” package to install security related updates automatically. Most other Linux versions have a similar way to split normal and security updates. This enables system administrators to automatically install security patches.

Regular audits

Lynis (Linux/Unix auditing tool) screenshot

Screenshot of a Unix security audit performed with Lynis.

Lynis has already built-in tests to detect vulnerable packages. By running Lynis on a regular basis, it becomes clear that automatic security updates are a good way to stay current.

Auditing is another detection capability to make sure that these controls are working correctly.

The community edition of Lynis has the related tests to check if it can find a “package audit tool”, which then is used to find possible vulnerable packages. If you have any, they will be displayed at the end (in the report section).

Am I vulnerable?

If you want to test if you are still vulnerable after patching your system, use this code below:

env X='() { (a)=>\' bash -c "echo echo testing" 2>/dev/null; [[ "$(cat echo 2> /dev/null)" == "testing" ]] && echo "vulnerable" 2> /dev/null

This code will try to set a variable X. It abuses the weakness by creating a file (echo). The script then tries to show it (cat echo). If that succeeds, it will display “vulnerable” on your screen. In that case your system is not properly patched yet.

Notes:

  • To avoid warnings on screen, our example redirects errors to /dev/null
  • If you found your system to be vulnerable: Update your Bash package and remove the file “echo” from your current directory. Or else it will keep saying your system is vulnerable, even after patching.
  • If you get just “echo testing” on screen, your system is protected.

Last week another simple snippet showed up to test:

var='() { echo still not fully patched; }' bash -c var

If it shows the text, there is still work to do..

More information

Related CVE’s:

Lynis (auditing tool): Download

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


Leave a Reply

Your email address will not be published. Required fields are marked *