On September 25, Alan Paller, the Director of Research for the SANS Institute, sent out a FLASH report about the vulnerabilities involving Bash. This report has some very good information for security practitioners that is worth repeating here.
The vulnerability, dubbed Shellshock, affects the Bash command processor, which is used in most Linux distributions, in Apple's Mac OS X, in the Apache web server software, as well as other systems. According to SANS, Shellshock merits a FLASH report because it is so widespread and so easy to exploit on systems like your firewalls, web servers, and other similarly important servers running Linux.
The original vulnerability was discovered by the UNIX/Linux researcher Stephane Chazelas and has been given the name "CVE-2014-6271: remote code execution through bash" by SecList. However, a second, related vulnerability has since been discovered by Tavis Ormandy and assigned the tracking number CVE-2014-7169. SANS reports that a patch is available for the original problem (CVE-2014-6271), but as of September 25 no patch was yet available for the second method of code injection (CVE-2014-7169).
Johannes Ullrich, Director of SANS Internet Storm Center, recorded a brief and useful webcast to provide authoritative answers to the five questions that people are asking the Storm Center most often regarding Shellshock. Ullrich's 13-minute webcast covers:
1. How important is Shellshock (which specific types of systems can actually be exploited now)?
2. What is the primary way that this vulnerability is being exploited?
3. What went wrong? Where did the vulnerability come from?
4. How can you find out which of your systems are vulnerable, and how easy it is for attackers to find the vulnerable systems on your network?
5. How can you protect yourself?
You can see the slides and listen to his briefing at:
Ullrich did provide a bit of good news in his webcast. Although the number of vulnerable systems is huge because Bash is so old and found in so many systems, the actual number of exploitable systems is small. Nevertheless, you should check your systems for vulnerability and apply the patch(es) as soon as possible.
The SANS Internet Storm Center has also posted a FAQ which is being updated as new data is found: