Analysis of CVE-2014-6271: The Bash Shellshock Vulnerability Report

Added on  2019/09/19

Executive Summary
This report covers the critical vulnerability identified as CVE-2014-6271, commonly called Shellshock. The flaw is in GNU Bash, the command-line shell of the GNU operating system; the name is an acronym for "Bourne-Again SHell". Bash is the default or system shell on many Linux and UNIX-based operating systems, including Apple's Mac OS X. The vulnerability was publicised by the US Department of Homeland Security, whose US-CERT released an alert giving further details on the GNU Bash vulnerability. It allows an attacker to execute shell commands remotely: the attacker places a crafted value, a Bash function definition followed by extra commands, into one or more environment variables that the underlying operating system later hands to Bash, and Bash runs the extra commands when it starts.
Technical Description
Vulnerability Description
GNU Bash from version 1.14 through version 4.3 processes trailing strings after function definitions in the values of environment variables. Commands placed after the function body are executed when Bash imports the variable, which lets remote attackers execute arbitrary code via a crafted environment wherever untrusted input reaches an environment variable that is later passed to Bash; that is what makes the flaw exploitable over the network [1]. Documented instances in which the vulnerability is exposed include:
Apache HTTP Server using mod_cgi or mod_cgid, when the CGI script is written in Bash, spawns GNU Bash subshells, or runs on a system where the /bin/sh interface is provided by Bash.
OpenSSH sshd, where a client restricted by the ForceCommand option can bypass the forced command; the same applies to the limited protection that restricted shells give Git and Subversion deployments, allowing arbitrary command execution.
DHCP clients, where a malicious DHCP server can obtain arbitrary command execution on the client machine through the scripts the client runs with server-supplied values in their environment.
Systems affected by this vulnerability include:
GNU Bash up to and including version 4.3 without the security patches [2].
Mac OS X systems and Linux / UNIX based systems in which Bash is an integral part of the operating system.
Any UNIX or BSD system on which GNU Bash can be installed.
Any UNIX-based operating system in which /bin/sh is implemented by GNU Bash.
Attack Vector
Many attack vectors exist for this vulnerability, covering both remote and local scenarios. The most dangerous are those involving web servers and CGI scripts: any web server that runs CGI scripts using Bash, directly or through a /bin/sh that is Bash, can be exploited to give attackers arbitrary remote code execution [3].
This happens because of how CGI works. A web server running CGI scripts populates a set of environment variables whose values are taken straight from the HTTP request, and then starts the script with that environment. An attacker can therefore inject Bash code through a request field, and the CGI script, or the Bash interpreter that runs it, receives the injected code in its environment. For instance, the value of the User-Agent header is passed to the script as the HTTP_USER_AGENT variable, and other headers such as Referer and Cookie are passed in the same way. An attacker sends a User-Agent value that begins with a function definition and ends with a command; the web server sets HTTP_USER_AGENT to exactly that value, and a vulnerable Bash executes the trailing command as soon as it starts, before the script's own code runs [4].
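The CGI step just described, as an added example that is not part of the original report: the script below stands in for a CGI-enabled web server. It takes a constructed HTTP request (not captured traffic; the path /cgi-bin/status.sh and the host are hypothetical), maps each header to its CGI environment variable exactly as the server would, and then starts a Bash child in that environment in place of the real CGI script. On an unpatched Bash the trailing command in the User-Agent value runs at startup, so its marker appears in the output; on a patched Bash it does not.

```shell
#!/bin/sh
# Added example: simulate the CGI hand-off that makes Shellshock remotely
# exploitable. The request below is constructed for this example.

REQUEST='GET /cgi-bin/status.sh HTTP/1.1
Host: www.example.test
User-Agent: () { :; }; echo SHELLSHOCK_MARKER
Accept: */*'

# CGI/1.1 naming rule: upper-case the header name, turn dashes into
# underscores and prefix HTTP_, except for the two content headers.
cgi_var_name() {
    upper=$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')
    case "$1" in
        Content-Type|Content-Length) printf '%s' "$upper" ;;
        *)                           printf 'HTTP_%s' "$upper" ;;
    esac
}

# Export every header of request $1 the way a CGI server would, then run the
# "CGI program": a Bash one-liner standing in for a real script. The here-doc
# keeps the loop in the current shell so the exports are visible to the child.
run_cgi() {
    while IFS= read -r line; do
        case "$line" in
            GET*|POST*|'') continue ;;   # request line / end of headers
        esac
        name=${line%%:*}
        value=${line#*:}
        value=${value# }
        export "$(cgi_var_name "$name")=$value"
    done <<EOF
$1
EOF
    bash -c 'echo "Content-Type: text/plain"; echo; echo "uptime: ok"' 2>/dev/null
}

# "vulnerable" if the injected command ran before the script body, otherwise
# "not vulnerable". run_cgi is called in a subshell so the exported headers
# do not leak into the caller's environment.
shellshock_probe() {
    out=$(run_cgi "$REQUEST")
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo "not vulnerable" ;;
    esac
}

shellshock_probe
```

Swap the Bash one-liner for a real CGI script to test an actual deployment. The marker, when it appears, precedes the script's own Content-Type line, which is why an attacker who wants readable output adds the CGI headers to the payload and why a bare payload usually produces an HTTP 500 from the server.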
Mitigation
To begin with, check whether the installed Bash is still vulnerable by running the one-line test published by Red Hat [5], which places a function definition with a trailing command in an environment variable and reports whether the command ran. If Bash is vulnerable and cannot be updated immediately, the following measures reduce exposure until it is:
Implementing Mod_security rules that reject HTTP requests whose headers or parameters contain data that Bash would interpret as a function definition in its environment, i.e. values beginning with the prefix "() {" [5].
Setting IPTables rules that drop packets containing strings that are part of the attack [5]. This is a crude filter: the pattern may be split across packets, and legitimate traffic containing the same bytes is dropped too.
Implementing a system-level workaround by running Bash in privileged mode (the -p option, also enabled for setuid binaries), in which Bash does not import function definitions from the environment. This only helps for services that can be made to start Bash that way.
Monitoring logs for attempted, unsuccessful and successful command executions.
None of these measures replaces updating Bash; they only buy time.
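One way to carry out the log-monitoring item above, as an added example that is not part of the original report: a scan of web-server access-log lines for the four-character prefix "() {" that an unpatched Bash required before it would import a function from the environment, the same token the mod_security and IPTables rules in [5] key on. The log lines are constructed for this example; the addresses, paths and timestamps are fictitious.

```shell
#!/bin/sh
# Added example: detect Shellshock payloads in Apache combined-format access
# logs. Constructed sample lines; in a real deployment read the access log
# instead of the LOG variable.

LOG='203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; echo Content-Type: text/plain; echo; /usr/bin/id"
198.51.100.7 - - [25/Sep/2014:10:12:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:12:03 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() { :; }; /bin/ping -c 100 198.51.100.9" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:12:04 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0 () test"'

# Number of requests carrying the function-definition prefix in any logged
# field (User-Agent, Referer, request line). Fixed-string match, so "()"
# followed by anything other than " {" is not counted.
shellshock_hits() {
    printf '%s\n' "$LOG" | grep -cF '() {'
}

# Distinct source addresses that sent such requests (first field of the
# combined log format), for blocking or further investigation.
shellshock_sources() {
    printf '%s\n' "$LOG" | grep -F '() {' | awk '{ print $1 }' | sort -u
}

# One line per hit: time, source, HTTP status and requested path. Fields are
# whitespace-separated, which is reliable up to the status field ($9).
shellshock_requests() {
    printf '%s\n' "$LOG" | grep -F '() {' | awk '{ print substr($4, 2), $1, $9, $7 }'
}

shellshock_requests
```

The status code is the useful triage signal: a 500 next to a payload usually means the injected command wrote output before the CGI headers, so it did run, while a 200 with a payload that itself emits "Content-Type" means the attacker retrieved the command's output. Neither code proves the command failed; only a patched Bash does that.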
Remediation
The first and foremost step towards fixing the Bash Shellshock vulnerability is to update Bash itself. On most Linux distributions Bash can be updated with a single command through the standard package manager; this applies to Ubuntu, Fedora, Red Hat, Debian, CentOS and others. Note that the first fix for CVE-2014-6271 was incomplete and was followed by a second fix tracked as CVE-2014-7169 [5], so the installed package should be the latest one available rather than the first patched build.
Mac OS X users should follow the normal update route provided by Apple and apply the system-wide update that fixes the vulnerability. These patches should be applied as soon as they are made available.
Apart from these, network appliances such as hardware firewalls, switches and routers whose firmware includes Bash are also vulnerable, and the vendor's system patches or firmware updates for the respective versions need to be applied as soon as they are released.
Exploitation Scenario
The attacker finds a server that exposes a CGI script and confirms it is reachable.
The attacker crafts an HTTP request whose User-Agent header (or another header that the server copies into the environment) carries the malicious value: a function definition followed by the commands to run.
Because every server is configured differently and not every command is installed or permitted, the attacker chains several commands in one payload, which raises the chance that at least one of them succeeds.
The attacker can then open a shell on the server with the privileges of the web server process and attempt to escalate to root, or launch resource-intensive commands such as repeated pings that slow the server to a crawl, effectively causing a denial of service.
References
[1] "NVD - CVE-2014-6271", National Vulnerability Database, NIST, 2018. [Online]. Available: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271. [Accessed: 23 Apr. 2018].
[2] T. Enache, Shellshock Vulnerability, 2016.
[3] A. Mary, Shellshock Attack on Linux Systems – Bash, 2015.
[4] A Comprehensive Analysis on Bash Shellshock (CVE-2014-6271), v1.52, 2014.
[5] "Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169)", Red Hat Customer Portal, 2018. [Online]. Available: https://access.redhat.com/articles/1212303. [Accessed: 23 Apr. 2018].