Critical vulnerability in Bash

Number: AL14-032
Date: 25 September 2014

Purpose

The purpose of this Alert is to bring attention to a recently identified critical vulnerability in Bash.

Assessment

CCIRC is aware of a highly critical vulnerability in Bash, a standard program pre-installed on several Unix-based operating systems and Unix-like environments including, but not limited to, Linux, Mac OS and Cygwin. All versions of Bash prior to September 24, 2014 are considered vulnerable, and there is open-source reporting that proof-of-concept code is available and that active exploitation is occurring in the wild. Exploitation of this vulnerability could allow remote execution of arbitrary code without authentication, with the privileges of the process leveraging Bash.

Internet-facing services that leverage Bash, such as, but not limited to, Apache cgi-bin and OpenSSH, are considered at high risk of exploitation. Patches have been released for most distributions, but reports indicate that the issue may not be completely resolved; as a result, CVE-2014-7169 has been established. This vulnerability is also being labeled Shellshock, Bash-bug and Bash-bleed.
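Because the Apache cgi-bin vector delivers the function definition through HTTP request headers (User-Agent, Referer and the like), a first detection step is to look for the "() {" function prefix in web server access logs. The following scan is an added example and is not part of the CCIRC alert; the three access-log lines are constructed for this example, and the pattern and helper names are this example's own.

```sh
#!/bin/sh
# Added example (not from the CCIRC alert): flag access-log lines whose
# request headers carry a bash function definition, i.e. the "() {" prefix
# that the vulnerable environment-variable import parser recognises.
# The log lines below are constructed; the addresses are documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/true"
192.0.2.9 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { ignored; }; true" "curl/7.30"
EOF
)

# Filter: pass through only lines containing "()" followed by optional
# whitespace and "{", the shape bash required before importing a function.
find_shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{'
}

# Count matching lines in the constructed sample log. The same filter can be
# fed a real log with:  find_shellshock_hits < /var/log/apache2/access.log
count_shellshock_hits() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_hits | wc -l | tr -d ' '
}

# Print the suspicious lines for an analyst to review.
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_hits
```

Note that a hit in the log shows only that a probe reached the server; whether it succeeded depends on the Bash version behind the CGI handler, which is what the host-level check in the next section establishes.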

CVE References:
CVE-2014-6271 - CVSS Score: 10 High
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
CVE-2014-7169 - CVSS Score: 10 High
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

Suggested Action

CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization's critical services, and follow their patch management process accordingly.

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
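The three output lines above come from the widely published local self-test for CVE-2014-6271, in which a shell function definition is placed in an environment variable and bash is then asked to run an unrelated command. The wrapper below is an added example, not part of the CCIRC alert; it runs that self-test and returns the result as an exit status so it can be used from inventory or configuration-management scripts. The variable name x matches the warning text quoted above; the marker value and function name are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the CCIRC alert): run the published CVE-2014-6271
# self-test and return 0 when this host's bash ignores the trailing command,
# 1 when bash executes it (the environment-variable function import is still
# exploitable). The marker string is constructed for this example.

shellshock_check() {
    # A host without bash is not affected by a bash vulnerability.
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not installed; nothing to check" >&2
        return 0
    fi

    marker="ccirc-check-$$"
    # A vulnerable bash parses the value of x as a function definition and
    # keeps going after the closing brace, so the echo runs before the
    # "this is a test" command. A patched bash either warns and ignores the
    # definition (the output quoted in the alert) or treats x as plain text.
    out=$(env x="() { :;}; echo $marker" bash -c 'echo this is a test' 2>&1)

    case "$out" in
        *"$marker"*)
            echo "VULNERABLE: bash executed code supplied in an environment variable" >&2
            return 1 ;;
        *)
            echo "not vulnerable to CVE-2014-6271" >&2
            return 0 ;;
    esac
}

# Exit status of the script is the check result: 0 = patched, 1 = vulnerable.
shellshock_check
```

The check exercises only CVE-2014-6271; the follow-up issue CVE-2014-7169 concerns parser bugs that the vendor advisories listed below address, so a clean result here does not by itself confirm that the second CVE is patched.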

If patching is not an option, consider the following alternate workarounds:

Patch availability:

Debian:
http://www.debian.org/security/2014/dsa-3032
Ubuntu:
http://www.ubuntu.com/usn/usn-2362-1
RedHat:
https://access.redhat.com/articles/1200223
CentOS (versions 5 through 7):
http://lists.centos.org/pipermail/centos/2014-September/146099.html

References:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
