ShellShock: GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271)

September 24, 2014

Summary

A remotely exploitable flaw has been discovered in GNU Bash that allows code execution through specially-crafted environment variables.
 
This flaw is said to affect Linux distributions utilizing GNU Bash.
 
Major attack vectors include HTTP requests to CGI scripts and OpenSSH. 
 
Importantly, note that on Linux systems where /bin/sh is symlinked to GNU Bash (/bin/bash), any popen() or system() calls from within languages such as PHP would be of concern due to the ability to control HTTP_<...> variables in the environment. [3]
 
Users are urged to keep tabs on this vulnerability as more attack vectors and affected products (e.g. devices running embedded versions of Linux) may be verified soon.

 

Impact

Successful exploitation of this bug can result in remote code execution.

Vulnerable

  • GNU Bash up to and including version 4.3 [1]
  • OpenSSH through ForceCommand, AcceptEnv, TERM, SSH_ORIGINAL_COMMAND variables
  • Apache HTTP Server via themod_cgi and mod_cgid modules
  • Scripts executed by unspecified DHCP clients
  • Other situations in which setting the environment occurs across a privilege boundary from Bash execution

Recommendations

Users are urged to patch Linux systems immediately.
Most major Linux distributions have released or will soon release patches for GNU Bash that fix this vulnerability. Links to patches and CVE-2014-6271 support pages have been included below. 
If your distribution is not listed below, please consult your vendor's support resources for fix details.
RedHat:
Debian:
Ubuntu:
Novell/SuSE:
CentOS:

References