Indusface Security Advisory: Bash Vulnerability – Very Critical
Severity: The vulnerability has been rated 10 for severity, meaning it is critical, and low for complexity, meaning it is easy for attackers to exploit.
Risk Assessment: The Bash vulnerability is a critical threat to the web and can be used by an attacker to execute remote commands in many common configurations. The severity is heightened by the fact that bash is the default shell on most Linux servers, UNIX distributions and Mac OS. An attacker can execute commands on affected servers, and even where the affected service is not running as root, the foothold gives the attacker an important vector for further exploitation of the system.
While bash is not directly used by remote users, it is used internally by popular software packages such as web, mail, and administration servers. In the case of a web server, a specially formatted web request, when passed by the web server to bash, can cause bash to run commands on the server for the attacker. This is an extremely serious issue and should be dealt with urgently.
Vulnerability: A critical vulnerability has been discovered in the Bourne-again shell (bash). It is present on Linux, UNIX and Mac OS. An environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands, which makes this vulnerability particularly severe. The vulnerability is exploitable over the network if bash is configured as the system shell. This flaw is expected to be found lurking in a lot of software; routers, SCADA/ICS devices and medical equipment are likely to be exposed.
Risk Mitigation: This vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by major Linux distribution vendors for the following affected versions:
• Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
• CentOS (versions 5 through 7)
• Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Fix: All users of the bash software package should upgrade at the earliest. Vendors have released patches, which should be deployed as soon as possible.
Indusface’s core rule set has exhaustive protection for the “command injection” category of vulnerabilities, and those core rules already protected users against most Bash-centric vulnerabilities. We have added a few more signatures for various customer environments to ensure the highest level of customized security for existing IndusGuard WAF customers.
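The kind of request-level signature a WAF rule for this bug relies on, as an added example that is not Indusface's rule set or any part of the original advisory; the regex, the field names and the sample requests are assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Before the fix, bash imported any environment variable whose value began
# with "() {" as a function definition and kept parsing past the closing
# brace, so text after the definition was executed. CGI gateways copy request
# headers into environment variables (HTTP_USER_AGENT, HTTP_COOKIE, ...), which
# is how a crafted header reaches bash. The signature below matches that
# prefix; it is deliberately looser than bash's exact "() {" match so that
# whitespace variants are caught too, at the cost of rare false positives.
FUNCTION_PREFIX = re.compile(r"\(\s*\)\s*\{")

def is_shellshock_probe(value: str) -> bool:
    """True if a header or query value carries a bash function-definition prefix."""
    return FUNCTION_PREFIX.search(value) is not None

def flag_request(headers: Dict[str, str], query: str = "") -> List[str]:
    """Return the names of the request fields that match the signature."""
    hits = [name for name, value in headers.items() if is_shellshock_probe(value)]
    if is_shellshock_probe(query):
        hits.append("query")
    return hits

# Constructed sample requests (not real traffic). The first carries the marker
# in User-Agent with a harmless trailing command; the second hides it in a
# cookie with extra whitespace; the third is ordinary traffic whose braces and
# parentheses must not trigger the rule.
SAMPLE_REQUESTS = [
    {"headers": {"Host": "www.example.com",
                 "User-Agent": "() { :; }; echo probe",
                 "Accept": "*/*"}, "query": "id=1"},
    {"headers": {"Host": "www.example.com",
                 "User-Agent": "Mozilla/5.0",
                 "Cookie": "session=abc; x=( ) {:;}; echo probe"}, "query": ""},
    {"headers": {"Host": "www.example.com",
                 "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                 "Referer": "https://www.example.com/docs?q={}"}, "query": "page=2"},
]

def scan_samples() -> List[List[str]]:
    """Run the signature over every sample; one list of flagged fields per request."""
    return [flag_request(r["headers"], r["query"]) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, hits in zip(SAMPLE_REQUESTS, scan_samples()):
        print("BLOCK" if hits else "allow", req["headers"]["User-Agent"], hits)
```

A blocked request should also be logged with the offending field, since a single probe usually precedes a wider scan of the same host.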