Nerd blog.

24 Sep 2014

CVE-2014-6271 - ShellShock

Today various sources announced CVE-2014-6271: “bash: specially-crafted environment variables can be used to inject shell commands”. This is a serious risk on many Unix-like systems, as bash is a very popular shell and is included by default on many systems. It is used both by interactive users and by many wrapper scripts used in daily system operations. Many sources now refer to this bug as “ShellShock”; initially some called it “BashBleed”.

The description of this bug from CVE-2014-6271:

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Luckily for me, patching my own systems as well as verifying that they were patched was easily accomplished through Salt! Numerous tweets today had all that was required!

The first, to patch systems:

And a second to verify that systems were patched:

At the moment only my Raspbian system has a bash which is vulnerable to this bug. I will update this when I notice it's been patched.
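One way to check a single host for the original CVE-2014-6271 behaviour, as an added example rather than the command from the tweet above or anything from the Salt project. The marker strings and both function names are constructed for this example, and it covers only CVE-2014-6271.

```shell
#!/bin/sh
# Added example: behavioural check for CVE-2014-6271 on one host.
# SHELLSHOCK_MARKER, probe-finished and both function names are constructed here.

# Map the probe's stdout to a verdict.
classify_probe_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;  # text after the function body was executed
        *probe-finished*)    echo "patched" ;;     # bash ran only the command it was given
        *)                   echo "unknown" ;;     # bash produced no usable output
    esac
}

# check_shellshock [PATH_TO_BASH]
# Prints vulnerable | patched | unknown | missing; exit status is 0 only for "patched".
check_shellshock() {
    bash_bin="${1:-/bin/bash}"
    if [ ! -x "$bash_bin" ]; then
        echo "missing"
        return 2
    fi
    # The variable holds a function definition followed by a harmless echo.
    # A fixed bash never executes the text after the closing brace.
    probe_out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
        "$bash_bin" -c 'echo probe-finished' 2>/dev/null)
    verdict=$(classify_probe_output "$probe_out")
    echo "$verdict"
    [ "$verdict" = "patched" ]
}

# Informational run against the bash found on PATH.
check_shellshock "$(command -v bash || echo /bin/bash)" || true
```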

Update: It seems that the bugs haven’t been completely patched yet. I assume there may be several rounds of patches for this.

Update: I have been continuing to run salt -G os:debian pkg.install bash refresh=True as each of the new CVE announcements happens. There have been 6 so far.

  • CVE-2014-6271 - original RCE found by Stephane. Fixed by bash43-025 and corresponding Sep 24 entries for other versions.
  • CVE-2014-7169 - file creation / token consumption bug found by Tavis. Fixed by bash43-026 & co (Sep 26).
  • CVE-2014-7186 - a probably no-sec-risk 10+ here-doc crash found by Florian and Todd. Fixed by bash43-028 & co (Oct 1).
  • CVE-2014-7187 - a non-crashing, probably no-sec-risk off-by-one found by Florian. Fixed by bash43-028 & co (Oct 1).
  • CVE-2014-6277 - uninitialized memory issue, almost certainly RCE found by Michal Zalewski. No specific patch yet.
  • CVE-2014-6278 - command injection RCE found by Michal Zalewski. No specific patch yet.

Some other blogs and external information about this:

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.