Last updated October 1st to include information on Tripwire Enterprise and Tripwire Log Center detection capabilities, additional information about the impact of ShellShock, as well as links to the Tripwire Customer Center and ongoing ShellShock blog coverage.
 

'ShellShock': Crushing the Bash Bug

ShellShock is a unique vulnerability due to the many attack vectors already identified and the assumption that many other vectors have not yet been identified. This vulnerability is a true remote code execution issue and has already been tagged with the term ‘wormable’.

The Bash shell processes commands for controlling Unix and Unix derivative operating systems. Attackers can exploit a vulnerability in Bash to take complete control of targeted systems by passing commands that execute arbitrary code. This additional code can be used to load malware, delete content, and steal data. In addition, security experts warn that this bug is ‘wormable’, a self-propagating condition that allows malware to spread rapidly from system to system without human intervention.

Unix and Unix derivative operating systems are used in a wide variety of consumer and networking products, as well as many other devices found across the enterprise:

  • Tablets and smart phones
  • VoIP equipment
  • Badge sensors
  • Firewalls, routers and switches
  • Printers, 3D printers and scanners
  • ‘Smart home’ appliances including HVAC controllers and other smart appliances
  • Smart TVs, video projectors and cameras
  • Smart meters for energy
  • Industrial controllers
  • Point-of-sale devices and hand-held barcode scanners
  • Wearable devices including Google Glass, smart watches and health monitors

Since ShellShock can affect so many different devices, and because many applications expose Bash, finding and remediating this critical vulnerability quickly across multiple machines can be a daunting task.

“This vulnerability is more severe than Heartbleed. It’s extremely easy to exploit and if an attacker is successful they can take complete control of the target system. Unfortunately, this is one of the rare vulnerabilities with the potential to be a wide scale worm because it is extremely easy to exploit and there are millions of vulnerable targets.”

Lamar Bailey, Director of Tripwire’s Vulnerability and Exposure Research Team (VERT)

 

How ShellShock Works

ShellShock takes advantage of a vulnerability in Bash (one of the shells available on modern *nix operating systems). Bash is essentially a limited programming language and supports the declaration of both variables and functions (known as shell variables and shell functions). To store and use a function, the user updates an environment variable with the value of the function. However, Bash reads the entire value of that environment variable, which may include more than just the function definition.
 

A typical Bash Function definition

neogeo:~ treguly$ VERT() { echo "Tripwire VERT"; };
neogeo:~ treguly$ VERT
Tripwire VERT

 

The vulnerability in Bash

neogeo:~ treguly$ env VERT='() { echo "Tripwire VERT"; }; whoami' bash
treguly

 

As you can see, the whoami statement is executed. The trailing bash call is required because the injected command only runs when a new Bash process reads the environment variable and processes it. This is why the vulnerability doesn’t execute as soon as you store the variable.

Keep in mind that we’re looking at the local version of this vulnerability; there are many remote vectors. The most widely discussed is the execution of CGI scripts on web servers: many CGIs pass request data to Bash through environment variables, and all that do so are vulnerable. In addition to CGIs, people have been discussing OpenSSH, DHCP, and a number of other potentially vulnerable services.
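The local check that the page's env example performs by hand can be scripted so that it is repeatable across a fleet. The following Python is an added example, not code from the original post or from Tripwire's tool: it places a function definition plus a trailing command in an environment variable, starts a child Bash, and reports whether the trailing command ran. It covers only the original CVE-2014-6271 import behaviour shown above, not the later variants; the names MARKER, classify_output and check_local_bash are chosen here.

```python
import os
import subprocess

# Marker the injected tail would print. Only a Bash that keeps parsing an
# imported function definition past its closing brace will ever echo it.
MARKER = "SHELLSHOCK_MARKER"


def classify_output(stdout: str) -> str:
    """Interpret the child shell's standard output.

    "vulnerable": the marker injected after the function body was executed.
    "patched":    only the normal command output appeared.
    "unknown":    neither appeared (Bash refused to start, empty output, ...).
    """
    lines = stdout.splitlines()
    if MARKER in lines:
        return "vulnerable"
    if "check-ran" in lines:
        return "patched"
    return "unknown"


def check_local_bash(bash_path: str = "bash") -> str:
    """Run the CVE-2014-6271 self-test against the Bash on this machine.

    The variable carries a harmless function body followed by a trailing
    command, exactly the shape of the page's env example. A patched Bash
    imports only the function (or refuses the import) and never runs the tail.
    """
    env = {
        # Keep PATH so the child can be located; nothing else is inherited.
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "VERT": "() { :; }; echo " + MARKER,
    }
    try:
        proc = subprocess.run(
            [bash_path, "-c", "echo check-ran"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_output(proc.stdout)


if __name__ == "__main__":
    print("local bash: " + check_local_bash())
```

Because the child is started with a minimal environment, the only function definition it can import is the one the test supplies, so a "vulnerable" result is attributable to Bash itself rather than to something else in the caller's environment.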

 

Responding to ShellShock

“Despite Heartbleed, it is rare for a vulnerability to be both as extensive and severe as the Bash bug. This vulnerability has been around for a very long time, making the discovery of all the vulnerable systems on an enterprise network very challenging. Bash itself isn’t directly surfaced on the network, so you need to check every potentially vulnerable system, including many devices that are difficult or impossible to patch.”

Tim Erlin, Director of IT Security and Risk Strategy for Tripwire

 

Tripwire VERT and supporting teams have been working to rapidly get tools into the hands of customers and the community to help mitigate the risks that this exploitable vulnerability poses. VERT is continuing to investigate other exploit vectors and vulnerable services on an ongoing basis and we will continue to expand our coverage as we learn more about this vulnerability.

Tripwire offers several tools to help you detect and respond to ShellShock, including comprehensive coverage for the multiple CVE IDs and vendor patches associated with the vulnerability.
 


Tripwire IP360 (Standard Rules)

To find the ShellShock vulnerability in your environment with Tripwire IP360, simply update to the latest ASPL release and run your scans as usual. Customers can visit the Tripwire Customer Center for an up-to-date list of the 25+ checks available in Tripwire IP360 for the CVE IDs and vendor patches associated with ShellShock.

 

Tripwire IP360 (Custom Rules)

In addition to standard rules for ShellShock, Tripwire VERT has published custom rules that perform remote and local checks for detecting ShellShock using Tripwire IP360. For instructions on implementing the custom rules below, please read this tutorial or refer to the Tripwire IP360 Administration Guide.

Remote HTTP

 

Local SSH-DRT

 


Tripwire Enterprise

A simple rule is available to Tripwire Enterprise customers for detecting vulnerable Bash versions. Additionally there is a Tripwire Enterprise policy test to quickly evaluate the rule results looking for vulnerable nodes. Visit the Tripwire Customer Center for more information.
 


Tripwire Log Center

ShellShock content for Tripwire Log Center is available, providing correlation rules for Snort IDS signatures as well as for Apache logs covering these ShellShock-related vulnerabilities:

  • CVE-2014-6271
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169

These rules enable correlation of active exploit attempts, as well as the ability to review logs from before systems were patched and intrusion detection signatures were deployed. In addition, customers feeding Tripwire IP360 into Tripwire Log Center can use these rules to detect actual exploit attempts against both patched and unpatched systems. Customers who also have Tripwire Enterprise can then drill down into these systems to identify whether any unauthorized changes have been made, or find other indicators of compromise. Visit the Tripwire Customer Center for more information.
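The Apache-log side of this correlation comes down to one signature: a request header or query value that begins with the Bash function-import prefix "() {". The following Python is an added example, not Tripwire Log Center content; it parses a few constructed combined-format access log lines (not real traffic), URL-decodes the request line, Referer and User-Agent, and reports any that carry that prefix. SAMPLE_LOG, LOG_RE, SHELLSHOCK_RE, parse_line and find_shellshock_attempts are names and data made up here.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. Addresses are from
# the documentation ranges and the injected tails are harmless echo commands.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.9 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (compatible; MSIE 9.0)"
203.0.113.5 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20echo%20probe HTTP/1.1" 500 0 "-" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:12:09 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 17 "() {:;}; echo probe" "Mozilla/5.0"
"""

# Apache writes embedded double quotes as \" so each quoted field is parsed as
# "anything except a bare quote or backslash, or a backslash-escaped char".
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" '
    r'"(?P<agent>' + _QUOTED + r')"$'
)

# The function-import prefix Bash looks for; whitespace between the tokens is
# optional, so "(){" and "( ) {" are treated the same as "() {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_line(line: str):
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text: str):
    """Return one record per line whose request, Referer or User-Agent carries
    the ShellShock prefix after URL-decoding. Fields are checked in that order
    and the first match wins, so each line yields at most one record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            value = unquote(rec[field])
            if SHELLSHOCK_RE.search(value):
                hits.append({"ip": rec["ip"], "time": rec["time"],
                             "field": field, "value": value})
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["field"], repr(hit["value"]))
```

Matching on the decoded value matters: the third sample line carries the prefix only as %28%29%20%7B in the query string, which a plain substring search for "() {" on the raw line would miss. A hit in these logs shows that a probe arrived, not that it succeeded; pairing it with the host's patch status (as the IP360 feed described above does) is what separates an attempt from a likely compromise.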
 


Free Python Script

A free tool available from the Tripwire VERT GitHub account can perform three styles of tests for ShellShock:

  1. Local test (of the Bash shell)
  2. Remote HTTP(S) test
  3. HTTP(S) test based on spidering a local directory

 

The local test is the simplest:

neogeo:Documents treguly$ ./shellshock_test.py local
Local Bash Prompt has been confirmed vulnerable.

The remote test looks like this:

neogeo:Documents treguly$ ./shellshock_test.py remote --target 192.168.2.101 --path /cgi-bin/example.cgi
192.168.2.101 is vulnerable: http://192.168.2.101:80/cgi-bin/example.cgi

The third option is slightly different:

treguly@deadzone:~$ ./shellshock_test.py remote --spider /usr/lib/cgi-bin/ --url /cgi-bin/ --target 192.168.2.101:80
192.168.2.101:80 is vulnerable: http://192.168.2.101:80/cgi-bin/example.cgi

Instead of ‘target’, you can use ‘targets’ to specify a file with a list of address:port combinations and instead of ‘path’, you can use ‘paths’ to specify a list of paths to test. Combined, you can use these to scan multiple locations quickly. Additionally, you can use the log option to write the results to a log file.
 


Free Vulnerability Scanner for Internal Networks

Tripwire SecureScan is a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. The tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology—and it detects the ShellShock vulnerability.