Bourne-Again Shell (bash) has the majority of Unix/Linux (including OS X) admins sweating bullets. You should be, too--attackers have already developed exploits to unleash on unpatched web servers, network services and daemons that use shell scripts with environment variables (this can include network equipment, industrial devices, etc.)
Jaime Blasco, AlienVault Labs Director, gives a good explanation of the exploit in this blog post. And, the video below gives you a quick overview of how AlienVault Unified Security Management (USM) can detect malicious traffic on your network trying to locate and exploit this vulnerability.
Basically, this vulnerability allows an attacker to execute shell commands on a server due to an issue in how bash interprets environment variables (such as “cookie”, “host”, “referrer"). Exploiting this allows an attacker to run shell commands directly. Once they have access to run shell commands, they own the server.
What can I do?
If you’re already sanitizing inputs across your web applications to protect against SQL injection and cross-site scripting, you’re on the right track. This will give you at least a basic defense.
While CGI is still around on most sites, it is usually restricted to little bits of code that have been around for years. These bits of code have probably not updated under the rule-of-thumb “If it ain't broke, don’t fix it.”
Well – guess what? It’s broke. Fix it. It’s time to find an alternative. But, in the mean time, it’s a good idea to disable any CGI that calls on the shell.
Some have recommended using something other than bash in your applications (Dash, Fish, Zsh, Csh, etc) but be sure to put some thought and careful planning into that instead of a knee-jerk ‘rip and replace’. Certain shells might work differently or even be missing some of the bash functionality that your applications rely on, rendering them inoperable.
The real fix is going to be patching of bash itself, either from the developers of the distribution you use, or, (if you’re savvy) via your own compiled code. Until then, the steps mentioned above are good first steps to defending yourself.
How can AlienVault help?
AlienVault Unified Security Management (USM) provides asset discovery, vulnerability assessment, threat detection (IDS), behavioral monitoring and SIEM in a single console, giving you everything you need to detect vulnerabilities like Bash, and attempted exploits.
With AlienVault USM you can:
- Discover and inventory your network assets automatically
- Scan for thousands of vulnerabilities, including Bash
- Detect attacks and activity with known malicious hosts
- Prioritize risks with correlated vulnerability and threat data
- Benefit from threat intelligence updates developed by security experts at AlienVault Labs
Within 24 hours of the discovery of the Bash vulnerability, the AlienVault Labs team pushed updated network signatures and correlation directives to the USM platform, enabling users to detect the vulnerability in their environment, and detect attackers attempting to exploit it.
Learn more about AlienVault USM:
- Download a free 30-day trial
- Watch a demo on-demand
- Play with USM in our product sandbox (no download required)
- Attend our webcast “The Bash Vulnerability: Practical Steps to Protect your Environment”