Shellshock Vulnerability Update


This post was updated on 9/30/2014

On September 24, a security researcher disclosed a vulnerability in bash dubbed Shellshock. Bash is widely used, and the vulnerability is not a Barracuda-specific issue but one that affects any system where bash is invoked with attacker-influenced environment variables. It lets an attacker execute arbitrary commands on such a system, including web servers that run CGI scripts, and from there steal data or pivot further into the network.

The Barracuda security team is aware of this report and is evaluating which, if any, Barracuda products are affected by this bash vulnerability. To address the vulnerability, we released secdef 2.1.14182, which was rolled out through our automatic update mechanism to all customers with an active Energize Updates subscription. As always, we recommend that customers enable automatic attack definition updates and keep their systems up to date with the latest firmware release.

We will update this blog post with more information as it becomes available. If you have any questions about this vulnerability, please contact our support team at 888-268-4772.

Register here for a complimentary webinar to learn more about the Shellshock vulnerability and how the Barracuda Web Application Firewall can be used to stop this attack. Webinar: Friday, September 26, 10am PDT.

For a risk-free 30-day evaluation of the Barracuda Web Application Firewall, click here.

Shellshock FAQ

The information below concentrates primarily on how the bash shell vulnerability can be exploited over the network. Details of the root cause of the vulnerability can be found online in several references:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

What is this new “shellshock” vulnerability?

This vulnerability allows remote code execution on any system where a network-facing service hands attacker-controlled data to bash through environment variables. Bash is the default shell in most Linux distributions. The affected versions are GNU Bash through 4.3.

The vulnerability is identified by its CVE IDs: CVE-2014-6271 and CVE-2014-7169.

The initial patch for CVE-2014-6271 was incomplete: bash still mis-parsed some function definitions taken from the environment, so a second CVE ID, CVE-2014-7169, was assigned to track the remaining flaw.

Why is this so dangerous?

Many network services copy user-supplied input into environment variables before invoking bash, either directly (a bash CGI script) or indirectly (system() or popen() from another language, or /bin/sh symlinked to bash). A vulnerable bash parses any variable whose value begins with "() {" as a function definition and executes whatever follows the closing brace, so an attacker who controls such an input runs arbitrary commands with the privileges of the service.

What network services are vulnerable?

The vulnerability can manifest through several attack vectors. Any service reachable over the network that sets bash environment variables from values in a user's input is vulnerable. So far, the Apache HTTP Server (CGI scripts), OpenSSH (ForceCommand, where the client-supplied command is exported as SSH_ORIGINAL_COMMAND), and CUPS are known to be affected.

What is the attack vector for Apache HTTP?

When Apache runs a CGI script, it exports the request as environment variables: each header becomes an HTTP_* variable (User-Agent becomes HTTP_USER_AGENT, Cookie becomes HTTP_COOKIE) and the query string becomes QUERY_STRING. The values are copied verbatim, so an attacker only has to place a bash function definition followed by a command in one of these inputs.

For example, in an otherwise normal HTTP request, the following attack strings in the User-Agent HTTP header expose the vulnerability, as confirmed in Barracuda's labs:

Request 1 (the CVE-2014-7169 form, which also bypasses the first patch):

GET /cgi-bin/printheader.cgi HTTP/1.0

User-Agent: () { (a)=>\' bash -c "ls /etc; cat echo"

Request 2 (the CVE-2014-6271 form):

GET /cgi-bin/printheader.cgi HTTP/1.0

User-Agent: () { -;}; /bin/rm /tmp/y.txt

The CGI gateway on the server side picks up this value and exports it as the HTTP_USER_AGENT environment variable before the script starts. When a vulnerable bash initialises, it parses the value as a function definition and, in the process, also executes the command that follows the closing brace (in Request 2, /bin/rm /tmp/y.txt). The commands above are trivial test strings; a real payload could remove or replace important files, download and run further malware, or open a reverse shell, all with the privileges of the web server process.
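As an added illustration (not code from the original post or from Barracuda), the Python below models what the CGI gateway does with Request 2: header values are exported verbatim as HTTP_* variables with no filtering, which is why the payload reaches bash untouched. It also runs the widely used harmless probe against the local bash to report whether that interpreter still imports functions from the environment. The request parser is a minimal assumption for this example; a real server also sets REMOTE_ADDR, SERVER_NAME and the rest of the RFC 3875 meta-variables.

```python
"""Added example, not code from the original post or from Barracuda: a model
of how a CGI gateway exports request headers as environment variables, plus a
harmless probe of the local bash. The request parser is a minimal assumption
(only the CGI meta-variables needed here are modelled)."""
import shutil
import subprocess


def cgi_environ_from_request(raw_request: str) -> dict:
    """Map a raw HTTP request onto the CGI meta-variables a server exports
    before exec'ing the script (RFC 3875 naming: HTTP_ prefix, upper case,
    '-' replaced by '_'). Header values are copied verbatim, which is exactly
    why a value starting with "() {" reaches a vulnerable bash untouched."""
    head = raw_request.replace("\r\n", "\n").partition("\n\n")[0]
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,  # raw, not URL-decoded, just as Apache passes it
        "SERVER_PROTOCOL": version,
    }
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


# The canonical CVE-2014-6271 probe: harmless, prints a marker only when bash
# executes the trailing command while importing the "function".
PROBE_VALUE = "() { :;}; echo SHELLSHOCK_VULNERABLE"


def bash_is_vulnerable(bash: str = "bash"):
    """True if `bash` runs the trailing command of PROBE_VALUE, False if it is
    patched, None if no bash binary is found. Equivalent to the one-liner
        env x='() { :;}; echo vulnerable' bash -c 'echo test'
    but with the value delivered the way the CGI gateway delivers a header."""
    path = shutil.which(bash)
    if path is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "HTTP_USER_AGENT": PROBE_VALUE}
    result = subprocess.run([path, "-c", "echo test"], env=env,
                            capture_output=True, text=True, timeout=10)
    return "SHELLSHOCK_VULNERABLE" in result.stdout


# Constructed request reusing the page's Request 2 header. The command in it
# is never executed here; the point is where the value ends up.
REQUEST_2 = (
    "GET /cgi-bin/printheader.cgi HTTP/1.0\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: () { -;}; /bin/rm /tmp/y.txt\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for key, value in cgi_environ_from_request(REQUEST_2).items():
        print(f"{key}={value}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

Run it on any host you intend to keep serving CGI: a True from bash_is_vulnerable() means the interpreter behind your scripts still executes trailing commands from the environment, regardless of what the scripts themselves do with the headers.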

Does the Barracuda Web Application Firewall secure against this attack?

The Barracuda Web Application Firewall has generic signatures that mitigate this vulnerability. These are in the OS Command Injection Strict rule set. By default, however, that rule set is not applied to header values, which is where the Shellshock payload travels. Barracuda has therefore created a new attack definition update that adds specific signatures for this attack to the OS Command Injection rule set.

If you have not updated the bash shell across your web servers, or have reason to believe that you are affected, we strongly recommend updating to the latest attack definitions. Note that attack definitions are automatically updated by default, unless you have explicitly turned this OFF.

We have released Attack Definitions (attackdef) version 1.78, which contains enhancements to our OS Command Injection pattern group to catch the attack vectors in the exploits for CVE-2014-6271 and CVE-2014-7169.

You can view your attackdef version on the ADVANCED > Energize Updates page.

For more information on configuring the Barracuda Web Application Firewall to protect your systems from Shellshock, visit this post.

How long could I have been vulnerable? Is there a way to find out?

You have been exposed from the first day a vulnerable Apache server ran CGI scripts that reached bash. Successful exploits leave few traces on the host: without OS-level auditing (for example execve logging through auditd) there is no record of what the injected command did. The web server's access log is the main after-the-fact source. In Apache's combined log format the User-Agent and Referer headers are recorded and can be searched for values beginning with "() {", but other headers (Cookie, custom headers) are not logged by default, and even a logged hit only proves that an attempt arrived, not whether it succeeded. This makes it even more critical to have a web application firewall in place for prevention rather than relying on detection after the fact.
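The check below is an added example, not Barracuda's signature and not code from the original post. It captures the single precondition both the WAF signatures above and an after-the-fact log search are looking for (a value that begins with the function-definition prefix a vulnerable bash imports) and applies it to Apache combined-format access log lines, covering the User-Agent and Referer fields and the query string of the request line. The same predicate is what you would apply to header values in a WAF rule. The log lines are constructed for this example, with addresses from documentation ranges; the "request" field check assumes the script URL-decodes parameters the way a typical CGI library does.

```python
"""Added example (not Barracuda's signature, nor code from the original post):
a minimal Shellshock trigger check, applied to Apache 'combined' access log
lines so an exposure window can be searched after the fact. Log lines are
constructed for the example; addresses come from documentation ranges."""
import re
from urllib.parse import parse_qsl

# A vulnerable bash imported a function from any environment variable whose
# value began with the four characters "() {". The pattern is deliberately a
# little looser (optional whitespace) so it also flags sloppy attempts, but it
# stays anchored at the start: "() {" in the middle of a value is not imported.
TRIGGER = re.compile(r"^\s*\(\)\s*\{")


def is_shellshock_value(value: str) -> bool:
    """True if a header or parameter value would be parsed by an unpatched
    bash as a function definition (the precondition for CVE-2014-6271/7169)."""
    return TRIGGER.search(value) is not None


# Apache "combined" format. Quoted fields may contain \" escapes, so the
# quoted-field pattern must accept an escaped quote without ending the field.
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"'
)


def _query_values(request_line: str):
    """Yield the raw QUERY_STRING and each decoded parameter value, since a
    script may hand either form to bash."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else parts[0]
    query = target.partition("?")[2]
    if query:
        yield query
        for _, value in parse_qsl(query, keep_blank_values=True):
            yield value


def scan_access_log(lines):
    """Return one hit per logged field whose value carries the trigger.
    Lines that do not parse are reported as field='unparsed' rather than
    dropped, so a damaged or tampered log does not silently hide activity."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            if line.strip():
                hits.append({"line": n, "client": None, "time": None,
                             "field": "unparsed", "value": line})
            continue
        candidates = {
            "request": list(_query_values(m.group("request"))),
            "referer": [m.group("referer")],
            "user_agent": [m.group("user_agent")],
        }
        for field, values in candidates.items():
            for value in values:
                if is_shellshock_value(value):
                    hits.append({"line": n, "client": m.group("client"),
                                 "time": m.group("time"), "field": field,
                                 "value": value})
                    break
    return hits


# Constructed sample log: one benign request, the page's Request 2 header,
# a Referer-borne payload and a URL-encoded query-string payload.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2014:14:03:11 +0000] "GET /cgi-bin/printheader.cgi HTTP/1.0" 200 512 "-" "() { -;}; /bin/rm /tmp/y.txt"
203.0.113.11 - - [25/Sep/2014:14:03:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.12 - - [25/Sep/2014:14:05:40 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 77 "() { :;}; /bin/cat /etc/passwd" "curl/7.30.0"
203.0.113.13 - - [25/Sep/2014:14:09:02 +0000] "GET /cgi-bin/status.cgi?host=()%20{%20:;};%20/usr/bin/id HTTP/1.1" 500 0 "-" "curl/7.30.0"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']} {hit['client']} {hit['field']}: {hit['value']}")
```

Point scan_access_log at a real log (one line per element) to list attempts by source address and time; then correlate any hit on a CGI path with process or file changes on the host, because the log alone cannot tell you whether bash ran the payload.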

Does the Barracuda Load Balancer ADC secure against the shellshock vulnerability?

Yes. The Barracuda Load Balancer ADC includes the Application Security module, and the attack definition update and OS Command Injection settings described above are configured on its Security > Allow Deny page.

Can this attack vector come in through query parameters?

In our test lab, the CGI script quoted the query-string value it read from the request, which prevented the embedded bash commands from being executed. Other scripts and server configurations may handle the query string differently, so treat it as a live vector. The default security policies already apply OS Command Injection protection to URL parameters, so installing the new attack definitions secures this path immediately.

Update: 9/30/2014
We continue to monitor this situation as it evolves.

This morning we released Security Definition 2.1.14193 to patch CVE-2014-6277, CVE-2014-6278, and CVE-2014-7169 (‘aftershock’ and two other related vulnerabilities) in the widely used GNU bash utility affecting a broad range of systems across the Internet. This Security Definition is available to all our appliance customers with active Energize Update subscriptions.

In the aftermath of CVE-2014-6271 (shellshock), we are continuing to aggressively patch and test our products and services to secure them against new vulnerabilities being reported, and have been following industry best practices around remediation.

You can find all of our shellshock related posts at http://cuda.co/shellshock. You can follow our techalerts at https://www.barracuda.com/support/techalerts.
