We will be updating this page with new information as it becomes available, so please check back regularly.
A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is based around Unix). Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully.
The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.
Bash can also be used to run commands passed to it by applications, and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack malicious code on to the environment variable, and that code will run once the variable is received.
Symantec regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers. Although specific conditions need to be in place for the bug to be exploited, successful exploitation could enable remote code execution. This could not only allow an attacker to steal data from a compromised computer, but enable the attacker to gain control over the computer and potentially provide them with access to other computers on the affected network.
Scope of Vulnerability
- The vulnerability potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is based around Unix).
- Bash is a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter.
- Here is a summary of the exploits that are known, to date:
  1. Simple "vulnerability checks" that used custom User-Agents
  2. Bots using the Shellshock vulnerability
  3. Vulnerability checks using multiple headers
  4. Using multiple headers to install a Perl reverse shell (example: shell connects to 22.214.171.124 port 1992)
  5. Using User-Agent to report system parameters back
  6. User-Agent used to install Perl box
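The following is an added example, not Symantec's code, showing how a defender could look for the header-based probes listed above in web server logs. It assumes Apache/nginx combined log format, relies on the fact that Bash stores an exported function as an environment value beginning with `() {`, and uses constructed sample lines with documentation IP addresses and a harmless echo marker.

```python
import re

# Bash encodes an exported function as an environment value that begins with
# "() {". CGI servers copy request headers into environment variables, so the
# same prefix at the start of a header value is the thing to look for.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Combined log format: ip - user [time] "request" status size "referer" "agent"
# Quoted fields may contain backslash-escaped quotes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" \d{3} \S+'
    r' "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

def scan_line(line):
    """Return (source_ip, [fields whose value starts with '() {']) or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    hits = [f for f in ("referer", "agent") if FUNC_PREFIX.match(m.group(f))]
    return (m.group("ip"), hits) if hits else None

def scan(lines):
    """Collect hits per source IP so multi-header probes stand out."""
    report = {}
    for line in lines:
        hit = scan_line(line)
        if hit:
            report.setdefault(hit[0], set()).update(hit[1])
    return report

# Constructed sample lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [26/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo CONSTRUCTED-PROBE"',
    '203.0.113.5 - - [26/Sep/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "() { :; }; echo CONSTRUCTED-PROBE" "() { :; }; echo CONSTRUCTED-PROBE"',
    '192.0.2.11 - - [26/Sep/2014:10:00:04 +0000] "GET /doc HTTP/1.1" 200 99 "-" "docs about () { syntax"',
]

if __name__ == "__main__":
    for ip, fields in sorted(scan(SAMPLE).items()):
        print(ip, sorted(fields))
```

Only the Referer and User-Agent fields are checked because those are the only request headers the combined log format records; probes carried in other headers need a log format or sensor that captures them.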
To date, these are the CVEs for Shellshock (Source: http://www.zdnet.com/the-shellshock-faq-heres-what-you-need-to-know-7000034219/):
- CVE-2014-6271: This is the original "Shellshock" Bash bug. When most people refer to the Bash bug or "Shellshock", they are most likely talking about this CVE.
- CVE-2014-7169: This is the CVE assigned to the incomplete patch for the original bug. The original patch was found to be incomplete shortly after the vulnerability was publicly disclosed. A variation on the original malicious syntax may allow an attacker to perform unauthorized actions including writing to arbitrary files.
- CVE-2014-7186 & CVE-2014-7187: These two CVEs are for bugs discovered in relation to the original Bash bug. These two bugs are triggered by syntax that is very similar to the original Bash bug, but instead of command injection, they allow for out-of-bounds memory access. There is currently no proof that these bugs have remote vectors and they have not been seen in the wild.
- CVE-2014-6277 & CVE-2014-6278: Security researchers discovered two additional bugs. These two bugs are supposed to have the potential for arbitrary command injection, similar to the original Bash bug. However, details have not been made public yet, in order to allow appropriate patches to be created.
What Symantec products are affected by this vulnerability?
Symantec is aware of and taking measures against the Bash vulnerability, dubbed “Shellshock,” which allows attackers to take complete control of a targeted Linux- or Unix-based system. Internal teams are continuing to evaluate the impact on Symantec products and servers, and addressing any issues accordingly.
Here is a list of products that are either confirmed to be impacted or that may be impacted:
- NetBackup Appliances – versions prior to 126.96.36.199 may be impacted. Symantec Critical Systems Protection software is included and enabled by default in v188.8.131.52, which minimizes the risk from ShellShock. Information on how to update and when patches will be made available can be found in this TechNote.
- Deduplication Appliances – older 50XX-series systems are affected but a patch will be made available. See this TechNote for details.
- Symantec Security Information Manager (SSIM) - One of the preconditions for exploiting this vulnerability is the ability to modify environment variables in order to introduce code into them. SSIM deployments are hardened and console access is protected, so environment variables cannot be modified by non-privileged users. The exposure scope of this vulnerability is limited to privileged users. Information on how to update and when hot fixes will be available is in this TechNote. SSIM is an end of sale product and is currently in a limited support phase before reaching its end of support life in 2017.
How to Minimize Your Risk
Advice for Businesses
We recommend that all users of Linux- or Unix-based systems implement the available patches immediately. To date, the following vendors have published information, including patch details:
*Red Hat has updated its advisory for this vulnerability, noting that its initial patch is incomplete.
Leverage Symantec Data Center Security: Server Advanced to protect and harden your server infrastructure. DCS: Server Advanced can be used to protect systems from the impacts of this vulnerability by:
- Enabling the IPS functionality
- Enabling Full Application Control and Sandboxing
Advice for Consumers
Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.