It has been 48 hours since the latest in the series of BIG BUGS 2014 made the news, and the Internet community is still struggling to assess the damage. After the initial moments of disbelief, researchers started coming to terms with the fact that Bash had a remote code execution bug, and security experts started to assess the significance of this vulnerability. From the start, things looked nasty, to say the least.
Officially known as CVE-2014-6271, this vulnerability, cordially termed ShellShock, has been assigned the highest CVSS score of 10, a score that the notorious HeartBleed did not achieve. The high score is more than warranted. The vulnerability is very easy to exploit, allowing pretty much every script kiddie to take control of a vulnerable server and execute arbitrary code.
An update to Bash was released on the day that news of the vulnerability became public. However, it seems that the update was done in haste, since the fix does not address all the exploit vectors, resulting in a new bug: CVE-2014-7169. At the time of writing, there is no official patch which results in a definite fix, other than replacing Bash, which is not viable in most situations.
While the open source community is struggling to come up with a fix for the vulnerability, the blackhat community has been busy identifying ways to exploit ShellShock. The wopbot botnet has been discovered using this vulnerability to build an army of servers which can be controlled by the attackers. These were in turn used to attack Akamai and US DOD networks. Another botnet has been identified which tries to retrieve system information from the compromised machine.
The ShellShock proof-of-concept written by, which tests for the vulnerability by innocuously pinging a server of choice, has been blatantly re-used by the attackers to install malware on the server giving a backdoor to the vulnerable server.
While some attacks were immediately evident from the outset, such as the usage of CGI on Apache, it was also immediately clear that this vulnerability will affect other services too. TrustedSec have released a POC which allows a DHCP server to be configured in a way to exploit the vulnerability on clients requesting a dynamic IP address. Since routers can also potentially be compromised using the same vulnerability, it is only a matter of time before we see malware infecting routers, which in turn are used to deliver malware to vulnerable clients together with the dynamic IP address.
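For the Apache CGI vector mentioned above, access logs are the first place to look for probing. The following is an added example, not code from the original post or from Acunetix's scanner: it assumes Apache's "combined" log format and relies on the fact that a vulnerable Bash treats an environment value beginning with `() {` as a function definition. The log lines are constructed, and `<command>` is a placeholder.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Function-definition marker. Applied with .match() to header fields, because
# Bash only imports a value as a function when the value *begins* with it.
FUNC_DEF = re.compile(r'\(\)\s*\{')

def find_shellshock_probes(lines):
    """Return (line_number, client_host, field) for each suspicious log entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            # Unparseable entry: scan the raw text instead of skipping it.
            if FUNC_DEF.search(line):
                hits.append((n, None, "raw"))
            continue
        for field in ("referer", "agent"):
            if FUNC_DEF.match(m.group(field)):
                hits.append((n, m.group("host"), field))
    return hits

# Constructed sample entries (documentation IP ranges, placeholder command).
SAMPLE = [
    '192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; <command>"',
    '203.0.113.5 - - [26/Sep/2014:10:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 208 "() { ignored; }; <command>" "curl/7.30.0"',
    # Benign: contains "() {" but not at the start of the header value.
    '192.0.2.44 - - [26/Sep/2014:10:03:00 +0000] "GET /app.js HTTP/1.1" '
    '200 900 "-" "Mozilla/5.0 (compatible; function() { return 1 })"',
]

if __name__ == "__main__":
    for line_no, host, field in find_shellshock_probes(SAMPLE):
        print(f"line {line_no}: {host} sent a function definition in {field}")
```

The combined format records only the Referer and User-Agent headers, so a probe carried in any other header will not show up unless the server's `LogFormat` logs that header too.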
As described in CVE-2014-6271, Shellshock can also be used to execute arbitrary code in authenticated sessions. Apart from leading to escalation of privileges, this can also lead to complete server takeover. Git and Subversion are affected by this, since they are usually configured to use SSH.
Other services which rely on Bash can also be affected. We just have to wait and see as more researchers uncover ways to exploit ShellShock. And it is not only servers that are affected. Many devices forming part of the Internet of Things (IoT) can be vulnerable too. And since most of them rely on Unix implementations, they will also be using a vulnerable version of Bash.
Acunetix has already been updated to identify web servers vulnerable to ShellShock. The next time you start Acunetix WVS, you will be prompted to install an update, which includes detection of ShellShock. Acunetix OVS has also been updated to detect ShellShock on your perimeter servers.