Shell Attack On Your Server: Bash Bug ‘CVE-2014-7169′ and ‘CVE-2014-6271′

A serious vulnerability has been found in the Bash command shell, which is commonly used by most Linux distributions. This vulnerability – designated as CVE-2014-7169 – allows an attacker to run commands on an affected system. In short, this allows for remote code execution on servers that run these Linux distributions

What’s the bug (vulnerability)?

The most popular shell on *nix environments has a serious flaw which can allow an attacker to run any arbitrary command over the network where it’s used behind the curtains. The most common being web servers using CGI environment.

Bash allows exporting shell functions to other bash instances. It is done by creating an environment variable with the function definition. For example,

         env ENV_VAR_FN=’() { <your function> };’

The ENV_VAR_FN will be the function that is exported to any subsequent bash instances. This seems like a useful feature, right? But there is a bug in the implementation of bash that it continues to read beyond the function definition and executes commands that follow the definition. In an ideal scenario, it should have stopped reading beyond the definition and ignored whatever came after it, but it doesn’t.

          env ENV_VAR_FN=’() { <your function> }; <attacker code here>’

How can it affect services over the network?

Given the fact that bash environment is used in several configurations including CGI, ssh, rsh, rlogin etc., all those services can be affected by this bug. Any web servers which consume user input and absorb them into bash environment are also vulnerable. Here’s how a bad request would look like in a CGI environment:

GET /<server path> HTTP/1.1

User-agent: () { :;}; echo something>/var/www/html/new_file

And this will create a new file new_file for the attacker.

Web applications are the biggest exposure layer for this vulnerability. However, this can manifest itself via several other services as noted above.

What’s the damage that can be done?

The above just demonstrates creating a file but an attacker can literally run any command that’s conceivable on a bash shell. This could mean modifying the contents of the web server itself, change the website code, deface the website, steal user data from the databases, change permissions on the website, installing backdoors etc.

Remember that it will be run in the context of user running the web server. This is generally httpd user. Note that there is no elevation of privilege solely with this vulnerability, but it can be used in conjunction with another local vulnerability to escalate privileges to root user. It is not uncommon for attackers to cascade different exploits to gain entry into a system/network.

Shell scripting is widely used in Linux, which means there are multiple ways for this vulnerability to be triggered. Bash is used by most Unix and Linux systems, as well as OS X.  Red Hat, one of the biggest companies that provides Linux, said in a bulletin to its customers that “Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.”

In addition, because Linux (and correspondingly, Bash) is used on many embedded Internet of Things/Internet of Everything (IoT/IoE) devices, the risk of devices with vulnerabilities and difficult-to-impossible to patch can’t be ruled out either. Lastly, there are news stating that Bitcoin/Bitcoin minining may also be affected by this security issue.

What are the affected bash versions?

All versions of Bash up to and including version 4.3 are vulnerable.  To be sure, check with your *nix vendor’s website for specific patched versions. Redhat customers can refer here.

What should I do now?

The first thing is to upgrade the version of Bash to its latest version. Given the level of compromise, ensure the integrity of your web server is not compromised by replacing your ssh keys, since they could have been stolen. It is also best to change credentials and check your database logs to see any mass scraping queries are run.

How do I know if I have been attacked using this vulnerability?

If you look at your web server logs closely, in a lot cases, you will be able to identify traces of this attack. Look for () { in the access logs. Also, certain errors will get logged in error_log. Note, however that your will not have traces of this attack in certain scenarios.

Trend Micro Deep Security customers can use Integrity Monitoring to check logs and ensure that the integrity of web server elements is not affected.

What protection does Trend Micro has in place for this vulnerability?

Trend Micro Deep Security customers must apply the update DSRU14-028 and assign the following rule:

  • 1006256 – GNU Bash Remote Code Execution Vulnerability

We will keep you posted for the latest update on this vulnerability.  Users can also read more on this in our Simply Security blog.

 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Shell Attack On Your Server: Bash Bug ‘CVE-2014-7169′ and ‘CVE-2014-6271′

Read more: Shell Attack On Your Server: Bash Bug ‘CVE-2014-7169′ and ‘CVE-2014-6271′

Story added 25. September 2014, content source with full text you can find at link above.