CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Critical Bourne Again SHell (BASH) Vulnerability Allows for Remote Code Execution
A recent vulnerability has been discovered affecting the Bourne Again SHell (BASH). BASH is the default command-line shell processor that is often run in a text window on Linux and UNIX systems. BASH allows users to type commands that cause actions. In addition, BASH has the ability to read commands from a scripted file. Based on the wide use of Linux and UNIX systems, it can be assumed that most distributions running Linux and UNIX, as well as Mac OS X, are likely vulnerable.
Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploit code is currently available and the vulnerability is actively being exploited.
- Mac OS X
- Linux distributions
- UNIX distributions
- GNU BASH versions 1.14 through 4.3
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High
This vulnerability allows unauthorized remote parties to possibly bypass environment restrictions on a network and execute remote code through the execution of various shell commands on vulnerable systems. In order for the vulnerability to be exploited, specially crafted environment variables would need to be created prior to calling the BASH shell.
The following possible attack vectors have been identified by Red Hat security:
- The ForceCommand in SSHD configurations, which provides limited command execution capabilities for remote users.
- Apache servers using mod_cgi or mod_cgid are affected if CGI scripts are either written in BASH, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
- DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
- Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
- Any other application that is hooked onto a shell or runs a shell script using BASH as the interpreter.
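For the CGI and implicit-subshell vectors listed above, the following added example (not part of the original advisory) flags environment values that BASH would read as a function definition and starts a child program without a shell and with a scrubbed environment. The allowlist, function names and sample environment are assumptions made for illustration.

```python
import subprocess
import sys

# An inherited value starting with "() {" is what affected BASH versions
# parse as a function definition when the shell starts.
FUNC_PREFIX = "() {"

# Hypothetical allowlist: the only variables the child process really needs.
ALLOWED = {"PATH", "LANG", "REQUEST_METHOD", "QUERY_STRING"}


def suspicious_vars(env):
    """Names of variables whose value looks like an exported function."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


def scrub_env(env, allowed=ALLOWED):
    """Keep allowlisted variables only, and never a function-like value."""
    return {k: v for k, v in env.items()
            if k in allowed and not v.startswith(FUNC_PREFIX)}


def run_without_shell(argv, env):
    """Run argv directly (no /bin/sh in between) with a scrubbed environment.

    os.system()/os.popen() would hand the full environment to a shell;
    an argv list with shell=False starts the program itself.
    """
    result = subprocess.run(argv, env=scrub_env(env), shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed CGI-style environment: the web server copies request headers
# into HTTP_* variables, so their values are chosen by the remote client.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "() { :; }; echo constructed-sample",
    "HTTP_USER_AGENT": "() { :; }; echo constructed-sample",
    "HTTP_ACCEPT": "text/html",
}

if __name__ == "__main__":
    print("flagged:", suspicious_vars(SAMPLE_ENV))
    child = [sys.executable, "-c", "import os; print(sorted(os.environ))"]
    print(run_without_shell(child, SAMPLE_ENV))
```

Scrubbing reduces exposure for code that must keep running before the update is applied; it does not replace patching BASH.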
The following article contains an example of proof of concept code that can be used to check if your systems are vulnerable.
We recommend the following actions be taken:
- Update vulnerable products immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.