Clever Eng Blog — Always a Student

Clever Shellshock Recommendations

By wpengine on

CVE-2014-6271 and CVE-2014-7169, also known as “Shellshock”, are high-impact vulnerabilities
affecting the Bourne Again Shell (Bash). The vulnerability allows an attacker to trick Bash into running
arbitrary commands, which could result in unauthorized disclosure of information, unauthorized
modification, and disruption of service. Because this is such a big threat,
and because at Clever we take security seriously, we’ve decided to assemble a guide to mitigation.

Updating Bash

Two patches have been released in the past two days: one to address the initially disclosed bug, and
one for a subsequently discovered (and relatively minor) weakness in the first patch. See
below for vendor-specific information regarding patching.

*nix Distributions

The following distributions have added fixes to their respective repositories. Updating simply requires using the built-in system update tools.

Mac OS X

If you have OS X Mavericks, you can download the fix here: OS X bash Update 1.0

If you have a different version of the operating system, the recommended course of action is to wait for Apple’s official
response, unless you know that your system is exposing ports publicly on the
internet. See these instructions
for a way that power users can close the hole immediately.

Windows

While most Windows users may mistakenly believe they are in the clear, they should be aware of a few special cases:

  1. MSYS includes bash
  2. cygwin includes bash
  3. other applications such as msysgit may have installed these packages behind the scenes

Also see the section entitled “All our things are on the Microsoft stack, are we at risk?”
in Troy Hunt’s excellent writeup.

Discovering Attack Attempts

Because there undoubtedly was a period of time between initial reports and eventual fixes of the bug,
it’s important to at least attempt to discover any attacks or intrusions into systems. The popular NIDS
tool “Snort” already has a set of discovery rules in v2.9.

We leave it to advanced readers to parse logs to discover attack attempts on their own.
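
For readers who want a starting point, here is one way to scan web server access logs for Shellshock attempts. This is an added example, not code from Clever or from Snort; it assumes the Apache/nginx "combined" log layout, and the names (find_attempts, SAMPLE_LOG) and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Shellshock payloads begin with a Bash function definition, "() {" (spacing varies).
SIGNATURE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" access-log layout (assumed).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"'
)
FIELDS = ("request", "referer", "agent")


def has_signature(text):
    """Check the text as logged and after URL-decoding."""
    return bool(SIGNATURE.search(text) or SIGNATURE.search(unquote_plus(text)))


def find_attempts(lines):
    """Return one dict per log line that carries the signature."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Unparseable line: scan it whole instead of skipping it.
            if has_signature(line):
                hits.append({"line": lineno, "ip": None, "status": None,
                             "fields": ["raw"]})
            continue
        matched = [f for f in FIELDS if has_signature(m[f])]
        if matched:
            hits.append({"line": lineno, "ip": m["ip"],
                         "status": int(m["status"]), "fields": matched})
    return hits


# Constructed sample lines: documentation IP ranges, harmless payloads.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.9 - - [26/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20x HTTP/1.1" 404 0 "() {:;}; echo constructed-sample" "curl/7.30"',
    'malformed line with () { inside',
]

if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print(hit)
```

An access log only shows the fields it records (here the request line, Referer and User-Agent), so a clean scan does not rule out attempts carried in other headers. A hit marks an attempt to follow up on, not a confirmed compromise.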
