Shellshock Vulnerabilities Proliferate, Affect More Protocols

Since the discovery of the initial Shellshock vulnerability, more issues have been found in Bash. This was not unexpected. After the initial disclosure of Heartbleed, other vulnerabilities were found in OpenSSL. This pattern is repeating itself with Shellshock and Bash.

Summary of Shellshock

Currently, six CVEs have been assigned that are related to Shellshock. The remotely exploitable attacks are related to a known feature of the Bash shell: it is possible to assign values and functions to environment variables. These bugs are related to function definitions which start with this syntax: () {. For example:

env -i x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If this command is executed in a vulnerable version of Bash, the output will be:

vulnerable
this is a test

There are multiple POCs that are publicly available, including Metasploit modules which are already being used to exploit Shellshock in the wild.

Timeline of Deep Security Protection

The original Shellshock vulnerability (CVE-2014-6271) was discovered by Stephane Chazelas and added to the CVE database on September 24. After the first set of patches was released, Google’s Tavis Ormandy reported a second attack vector; this was designated as CVE-2014-7169 on the same day.

Both of these vulnerabilities can be exploited remotely to execute commands without user authentication. Further research identified four other vulnerabilities in Bash (CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187).

Depending on how an application invokes the Bash shell, it can open several attack vectors over different protocols. For example, publicly reported attack vectors today include HTTP, SSH, DHCP, FTP, SIP, SMTP and VPNs. As more time passes, we might see more vulnerable protocols as researchers and cybercriminals continue to try and exploit the Shellshock vulnerability.
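For the HTTP vector, a CGI-style handler hands request headers to Bash as environment variables, so the () { marker described above shows up in web server logs. The following is an added example, not code from the original post or from Deep Security: a scan of combined-format access logs for that marker in the request, referer and user-agent fields. The log lines, IP addresses and the /cgi-bin/status path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# "()" followed by "{" is the function-definition marker the article describes;
# optional whitespace between them is tolerated (broader than the literal "() {").
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Combined log format: request, referer and user-agent are the quoted fields.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)
FIELDS = ("request", "referer", "agent")

def suspicious_fields(line):
    """Return (client_ip, [field names carrying the marker]) or None if unparsable."""
    m = COMBINED.match(line)
    if m is None:
        return None
    ip, values = m.group(1), m.groups()[1:]
    hits = [
        name for name, raw in zip(FIELDS, values)
        # Check the raw value and its percent-decoded form.
        if FUNC_PREFIX.search(raw) or FUNC_PREFIX.search(unquote(raw))
    ]
    return ip, hits

def scan(lines):
    """Return (line_number, client_ip, fields) for every line with a hit."""
    results = []
    for number, line in enumerate(lines, 1):
        parsed = suspicious_fields(line)
        if parsed and parsed[1]:
            results.append((number, parsed[0], parsed[1]))
    return results

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Oct/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"',
    '203.0.113.9 - - [02/Oct/2014:10:00:09 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D HTTP/1.1" 404 0 "() { :;}; echo vulnerable" "curl/7.38.0"',
    '192.0.2.44 - - [02/Oct/2014:10:00:12 +0000] "GET /search?q=main() HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a request carried the marker; whether the host was affected depends on the Bash version it reached.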

Below is a timeline showing the dates Deep Security customers were protected and a table summarizing the various vulnerabilities that fall under the Shellshock banner, as well as our available protection.

Figure 1. Timeline of Shellshock CVEs and Deep Security rules

Table 1. Summary of Shellshock CVEs and Deep Security rules

In addition to attacks related to Shellshock, we expect heightened attacks using generic command injection techniques targeting web applications. A Deep Security rule (1005934 – Identified Suspicious Command Injection Attack) helps protect web applications from these threats. It will also help mitigate attacks against CVE-2014-7186 and CVE-2014-7187.

Deep Security customers are protected against several attack surfaces that are currently being exploited using Shellshock. These surfaces include, but are not limited to:

  • DHCP
  • HTTP
  • SIP
  • SMTP

The rules below provide this protection:

  • 1006256 – GNU Bash Remote Code Execution Vulnerability
  • 1006258 – GNU Bash Remote Code Execution Vulnerability Over DHCP
  • 1006259 – GNU Bash Remote Code Execution Vulnerability Over SMTP
  • 1006260 – GNU Bash Remote Code Execution Vulnerability Over SIP

We also provide a generic rule to cover vectors not listed above. The rule in question is:

  • 1006261 – Identified Suspicious Bash ShellShock Attack

 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 2. October 2014, content source with full text you can find at link above.