Shellshock – Initial advisory

The “bash” Vulnerability

This special newsletter is to update you about the recently disclosed “Shellshock” vulnerability and how to respond to this vulnerability to protect your information assets.

What is Shellshock and how it will impact you?

GNU Bourne Again Shell (Bash), through 4.3 bash43-025, is a command-line utility on multiple Linux and Unix operating systems has inherent weakness that could allow a remote attacker to exploit servers. Bash shell is used in Unix systems allows code execution via environment variables. Attacker has to be able to trick the user into opening bash after setting specifically crafted variables.

The vulnerability can be exploited through the vectors such as CGI, SSH or DHCP. Servers in the internet with CGI scripts are exploited by converting the HTTP headers into environment variables, SSH can be used to escape restricted ssh shells and the DHCP can be exploited by DHCP clients by executing malicious code. These exploits are easy to perform and a number of Proof of Concept code is floating in the internet. The attacker will be able to execute any shell command.

How to Detect & Protect your Systems and Data?

Vulnerability scanners have already included the Shellshock patterns and a scan would reveal if the servers are vulnerable. Alternatively, you could run the following strings while logged into the system

env x='() { :;}; echo vulnerable’ sh -c “echo this is a test”

env -i X='() { (a)=>\’ bash -c ‘echo date’; cat echo

Contact your vendors to get the fix, almost all vendors have a fix available by now. Alternatively, check with IPS or WAF provider for patches. ValueMentor SOC team can help you assess for the Shellshock vulnerability.



Leave a Reply

%d bloggers like this: