The Shellshock bug

What is Shellshock?

Shellshock is the name given to a vulnerability in Bash, the default shell (or command interpreter) on Linux, Mac OS X and other related operating systems. It has been discovered that Bash will execute malicious code stored in the system parameters known as environment variables: when Bash imports a function definition from an environment variable, it also runs any commands that follow the definition. The vulnerability has been present in Bash for over 20 years.

Why does it matter?

Normally, a Bash vulnerability would only be an issue, and probably not a very urgent one, for Linux system administrators. This is a much bigger problem because server software, such as the Apache web server and OpenSSH secure shell, often makes calls to Bash in order to execute commands on the operating system. It’s common for environment variables used in that system call to have been created from user-supplied data. Put those things together and you have a situation where a remote user can execute a command (like “email me the password file”) on your internet-connected server. [For a more detailed technical overview see http://blog.cloudflare.com/inside-shellshock/, or for an even deeper dive http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html.]

What does it affect?

As mentioned above, the biggest target is web server software running on Linux. But as well as dedicated servers, devices such as routers, IP video cameras, security appliances and NAS storage are often built on Linux and provide a web interface. Any of these could be vulnerable to exploits if they are accessible over the internet.

What can I do to prevent it?

Although it is possible to filter suspicious traffic, the only real fix is to upgrade Bash to a non-vulnerable version. If the affected device is a server, Bash can probably be upgraded individually via a vendor-supplied package. But in the case of a device or appliance, you’ll probably have to wait for the vendor to release a firmware update. For older devices which are no longer supported, this might not even be a possibility.
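As an added example (not part of the original article), the self-test below exercises exactly the behaviour described above: a function definition placed in an environment variable with an extra command appended, handed to a child Bash that otherwise does nothing. Run it on a server before and after upgrading Bash to confirm the fix actually landed; the SHELLSHOCK_MARKER string is constructed for this check and carries no meaning beyond it.

```shell
#!/bin/sh
# Added example: local Shellshock self-test for the Bash binary on this host.
# Prints one word and sets the exit status:
#   patched     (0)  the child bash ignored the appended command
#   vulnerable  (1)  the child bash ran the appended command while importing
#   no bash     (2)  the requested interpreter was not found
# Optional argument: path to a specific bash binary (default: the bash on PATH),
# useful for checking a vendor-bundled copy in addition to the system one.

shellshock_check() {
    bin=${1:-bash}

    # The verdict is only about the interpreter actually tested.
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no bash"
        return 2
    fi

    # The variable value is a function definition ("() { :;}") followed by a
    # second command. Only the child bash parses it; the calling shell does
    # not. Warnings that a partially patched bash prints are discarded.
    ss_out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'true' 2>/dev/null)

    case "$ss_out" in
        *SHELLSHOCK_MARKER*)
            echo vulnerable
            return 1
            ;;
        *)
            echo patched
            return 0
            ;;
    esac
}

main() {
    printf 'System bash: %s\n' "$(shellshock_check)"
    # Record which version was tested alongside the verdict.
    bash --version 2>/dev/null | head -n 1
}

main
```

A "patched" verdict covers the original bug only; the further Bash parser bugs found in the days after disclosure were fixed by later updates, so apply the complete set of vendor updates rather than stopping at the first one.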

How do I even start fixing this?

As with most IT administration tasks, a methodical approach will pay off. Break this down into a series of manageable tasks:

  • Start with an inventory of your servers and appliances – if you don’t already have an inventory, this is a good opportunity to start one.
  • Identify those devices which are accessible from the internet – web servers, email gateways and webmail portals, the server room video camera, network firewalls and routers. Your firewall might help provide a list by looking at the port mapping or NAT (Network Address Translation) sections.
  • Check the website of your firewall vendor. If your model is vulnerable, check for availability of a patch and apply it. Also check if they have a threat management component. Does it mitigate against Shellshock? Is it worth subscribing to the component now? If you’re already subscribed, make sure the signatures are up to date.
  • Do similar checks for your other identified servers and devices. Where patches are available, apply them or make a schedule to do so.
  • Consider whether servers and devices which are only accessible internally should also be updated.

There are probably still devices which either aren’t going to be patched or where the vendor has no current plans to issue one. What can you do in these cases?

  • Is there a workaround? CGI script execution is one of the vulnerable points of Apache servers but many web sites don’t actually require it to be enabled.
  • Can the device be replaced? If the device is so old that it’s not supported, maybe now is the time to replace it.
  • Is an internal or external unified threat management (UTM) or intrusion prevention system (IPS) worthwhile? If there are important services you haven’t been able to secure, consider an internal (probably as an add-on component of your firewall) or external (via a service such as Cloudflare) UTM/IPS solution.

Specific vendors

Microsoft

Windows is not vulnerable, so neither is any Microsoft product such as Exchange and SharePoint. Most third-party products running on Windows will also be unaffected, unless they have installed a copy of Bash. Packages that do this include the Cygwin Unix tools for Windows and Git source code control; however, both of those examples would be difficult to exploit in practice.

Apple

Mac OS X is vulnerable, although it is unlikely to be offering internet services. A partial patch has been released through the usual channels.

http://support.apple.com/kb/HT6495

VMware

Many VMware products and appliances are affected and patches are being released. However, vSphere 5.0 itself and later versions are not affected, as they exclusively use the ESXi hypervisor, which does not contain Bash. If you are still running vSphere 4, you may be using an affected ESX hypervisor – patches are available.

http://www.vmware.com/security/advisories/VMSA-2014-0010.html

Dell EqualLogic

Dell EqualLogic SAN devices and associated software are not affected.

Dell

Some of the rest of the Dell range is affected. See their remediation page for full details.

http://www.dell.com/learn/us/en/04/campaigns/shellshock-remediation

HP

HP have not currently released any findings.

http://www8.hp.com/us/en/bash-shellshock.html

Android

A stock Android phone is based on Linux but does not run Bash. If you have installed a custom operating system (sometimes referred to as rooting or jailbreaking) you may be vulnerable so check for updates.

SonicWall

SonicWall SRA (remote access) and SonicWall Email Security appliances can be vulnerable and should be updated to the latest firmware version. Other devices are not believed to be affected. SonicWall’s UTM offering will protect against Shellshock.

http://www.sonicwallonline.co.uk/News/Shellshock-Bug.html

Novell

Novell products such as GroupWise are often run on SUSE Linux, as this is owned and distributed by Novell. The Bash shell in SUSE Linux Enterprise is vulnerable, and SUSE have produced patches for current and historical versions which are available to customers with current support contracts.

https://www.novell.com/support/kb/doc.php?id=7015719
https://www.suse.com/support/shellshock/

Cisco

Some Cisco products are affected with others still under investigation. Cisco has released signatures for their IPS products to detect and stop Shellshock.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

Netgear

Most Netgear network devices are unaffected. Some ReadyNAS versions and a couple of appliances are affected. Patches are either available or in production.

http://kb.netgear.com/app/answers/detail/a_id/25703

Sophos

Sophos products either do not include Bash or include Bash but do not use it in a way that can be exploited.

http://www.sophos.com/en-us/support/knowledgebase/121444.aspx

WatchGuard

WatchGuard products are not affected. Their IPS product has been updated to detect Shellshock.

http://watchguardsecuritycenter.com/2014/09/25/bash-or-shellshock-vulnerability/

DrayTek

DrayTek products are not affected.

http://www.draytek.co.uk/support/guides/shellshock-security-exploit

IP video cameras

So far, no IP video cameras are known to be vulnerable.

http://www.networkwebcams.co.uk/blog/2014/09/29/does-the-shellshock-bug-affect-ip-cameras/