Shellshock Bug: When a Perfect 10.0 Score Is Not So Perfect

On September 24th, the world learned about a new flaw--the Shellshock bug--which could overshadow the OpenSSL Heartbleed bug in the annals of security vulnerabilities. While perhaps not as pervasive as Heartbleed, Shellshock is more dangerous because it allows attackers to not only steal information, but to completely take over vulnerable devices.

Based on a weakness in the GNU Bash shell, Shellshock allows remote attackers to execute code through programs such as OpenSSH, mod_cgi, and DHCP clients. These third-party programs rely on Bash for a variety of functions, like providing a shell to remote users or executing commands. Because of the way that Bash processes environment variables, attackers can inject malicious code before the Bash shell is launched. Bash does not correctly parse function definitions passed in environment variables: it keeps parsing past the end of the function body, so any commands appended after the definition are executed as soon as the shell starts. Attackers can then execute this arbitrary code.

How prevalent is GNU Bash? It’s everywhere; it’s included as the standard system shell with most Linux and UNIX distributions and with Mac OS X. As a result, the Shellshock Bash bug potentially impacts a slew of devices, from web servers to cloud-based virtual appliances to networking devices.[1] What’s more, the attack is easy to exploit--sometimes without authentication--and it enables attackers to completely take over a system, steal data, or disrupt service.

As a result, NIST’s National Vulnerability Database (NVD) rates the vulnerability, CVE-2014-6271, a shell-shocking 10.0 out of 10.0 in terms of impact and exploitability.

Because Shellshock is so easy to exploit, researchers have observed attackers trying to infect servers with malware, gain remote access, or steal files—sometimes successfully—within mere hours of the bug’s disclosure. Through automated scans and attack tools, cybercriminals can quickly identify and exploit vulnerable systems.

Impact to A10 Networks Products: The Good, the Bad, and the Already Patched
The A10 Thunder, AX, ID, and EX Series products include the GNU Bash shell and are therefore vulnerable to the Shellshock Bash bug. If an attacker gains access to an A10 product’s management interface shell and successfully authenticates with administrative credentials, then this vulnerability can be exploited.

The Good News: A10 Networks has NOT been able to replicate this condition remotely with any A10 products yet. One of the reasons why Shellshock received an alarming 10.0 exploitability score from NIST is because attackers can remotely exploit the vulnerability. Anyone with an Internet connection can potentially locate vulnerable devices, execute arbitrary code, and take over systems.

Fortunately, because A10 products' data plane interfaces are not vulnerable to Shellshock, remote attackers cannot exploit it. For most A10 deployments, administrators can only access the management interfaces through an out-of-band management port. This means that an attacker would need to gain local access to an A10 product’s management interface before they could exploit this vulnerability.

In addition, an attacker would need to successfully authenticate with administrative read/write privileges before they could exploit Shellshock. Since an attacker would need administrative rights to take advantage of the vulnerability, Shellshock would not necessarily grant additional privileges beyond what they would already have as an A10 product administrator.

It is important to note that A10 products' web user interface does not use CGI. Plus, management processes do not spawn Bash to perform their tasks. Therefore, it is extremely unlikely that a tainted variable would propagate to an environment where Bash could execute it. As a result, the attack surface for this vulnerability is extremely limited on A10 Thunder, AX, ID, and EX series products.

Software Patch Availability: Despite the limited attack surface, A10 Networks recommends that A10 customers apply a security patch to mitigate the Shellshock Bash Bug. To view the A10 Security Advisory and download software patches for A10’s Advanced Core Operating System (ACOS), please visit the A10 Customer Support portal.

Since we anticipate that more Bash-related vulnerabilities may be uncovered in the coming weeks, we will continue to monitor security mailing lists, forums, and CVE databases and swiftly issue new security patches, as needed. We are committed to keeping our customers satisfied and secure. So we will respond promptly to new Bash security issues or other vulnerabilities as they emerge.

Protect Vulnerable Infrastructure with A10
With Apache web servers powering over fifty percent of active websites,[2] application owners might be worried that their websites will be exploited. If you load balance your applications with A10 Thunder or AX Application Delivery Controllers (ADCs), don’t worry, we’ve got you covered.

A10 recommends that customers with Apache web servers and CGI scripts configure the following aFleX script to mitigate known Shellshock attack vectors. A10 customers running ACOS version 2.7.0 or higher can apply this aFleX rule to HTTP and HTTPS Virtual Ports. See the A10 Security Advisory for more details and performance considerations. This rule may be updated periodically as new information is gathered about the Shellshock bug.

aFleX rule for protecting origin servers with vulnerable services:

when HTTP_REQUEST {
    # Whole request head (request line plus headers), matched literally on "() {"
    if {[HTTP::request] contains "() \{"} {
        log "Detected CVE-2014-6271 attack in a request from [IP::client_addr] request was [HTTP::request]"
        TCP::close
        drop
    }

    # Query string
    if {[HTTP::query] contains "() \{"} {
        log "Detected CVE-2014-6271 attack in a request from [IP::client_addr] query was [HTTP::query]"
        TCP::close
        drop
    }

    # Each header value, logged with the offending header name
    if {[HTTP::header count] > 0} {
        foreach req_header [HTTP::header names] {
            if {[HTTP::header values $req_header] contains "() \{"} {
                log "Detected CVE-2014-6271 attack in a request from [IP::client_addr] in header: $req_header"
                TCP::close
                drop
            }
        }
    }

    # Each cookie value, logged with the offending cookie name
    if {[HTTP::cookie count] > 0} {
        foreach r_cookie [HTTP::cookie names] {
            if {[HTTP::cookie values $r_cookie] contains "() \{"} {
                log "Detected CVE-2014-6271 attack in a request from [IP::client_addr] in Cookie: $r_cookie"
                TCP::close
                drop
            }
        }
    }
}
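The same four checks the aFleX rule performs, run over constructed sample requests in Python so the rule's behaviour can be exercised offline. This is an added example, not A10's code or part of the advisory; it assumes raw HTTP/1.x request heads as input and mirrors the rule's literal `contains` match on the "() {" marker that opens the smuggled function definition described above.

```python
from urllib.parse import urlsplit

# The literal the aFleX rule matches: "() {" opens a Bash function definition
# and is the prefix Bash looked for when importing functions from the environment.
SHELLSHOCK_MARKER = "() {"

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into the pieces the aFleX rule inspects."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {"request": head, "query": urlsplit(target).query,
            "headers": headers, "cookies": cookies}

def find_shellshock(raw: bytes) -> list:
    """Return where the marker appears, in the order the aFleX rule checks it:
    whole request head, query string, each header value, each cookie value.
    Matching is literal, like the rule's `contains`. An empty list means the
    request passes; anything else is what the rule answers with TCP::close/drop."""
    req = parse_request(raw)
    hits = []
    if SHELLSHOCK_MARKER in req["request"]:  # the raw head already covers the rest;
        hits.append("request")               # the later checks only name the spot
    if SHELLSHOCK_MARKER in req["query"]:
        hits.append("query")
    for name, value in req["headers"].items():
        if SHELLSHOCK_MARKER in value:
            hits.append("header:" + name)
    for name, value in req["cookies"].items():
        if SHELLSHOCK_MARKER in value:
            hits.append("cookie:" + name)
    return hits

# Constructed sample requests (not captured traffic); the probe body is inert.
BENIGN = (b"GET /cgi-bin/status.cgi?id=42 HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nCookie: session=abc123\r\n\r\n")
PROBE_UA = (b"GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: () { :; }; echo probe\r\n\r\n")
PROBE_COOKIE = (b"GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Cookie: lang=en; tok=() { :; }; echo probe\r\n\r\n")
```

Because the first check runs over the whole request head, every hit is reported as "request" first; the later entries only tell you which header or cookie carried the marker, which is what the rule's separate log lines are for.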


[1] Note that not all systems with Bash are vulnerable to the Shellshock bug.
[2] Netcraft September 2014 Web Server Survey
