14 DAY TRIAL // As the Shellshock bug (CVE-2014-6271) in the Bash command interpreter used by Linux and Unix systems is serious business, multiple online tools have been created specifically for testing web servers against the vulnerability.
Security researcher Andrei Avădănei, president at Cyber Security Research Center in Romania (CCSIR), has created a web page where users can check if a website is vulnerable to the bug.
The most popular vector used in a Shellshock attack consists of HTTP requests to CGI scripts, which are used to generate dynamic content.
Simple tools return the result in seconds
On the CCSIR test page, websites are verified by building a specially crafted header that is supposed to receive an answer from the server if it runs a vulnerable version of Bash.
The researchers warn that testing a single page with their tool and receiving the green light does not necessarily mean that the entire website is safe, “Your website might still be vulnerable in a particular page, usually found in /cgi-bin/* folder or from special private file that is using bash shell commands. We strongly recommend to update your servers.”
No critical information is collected from the scanned website.
Another test tool has been created by software developer Brandon Potter, and it is designed to exploit different HTTP headers to execute “wget” and “curl” requests.
With both tools, the vulnerability is confirmed if an answer is received from the targeted server.
Shellshock bug affects numerous devices
The risk posed by Shellshock is not limited to web servers, as vulnerable versions of Bash (1.14 through 4.3) have been included in numerous embedded systems running Linux operating system.
Given the prevalence of Linux in Internet-of-Things (IoT) devices, patching them up could prove to be a task more difficult than in the case of the Heartbleed OpenSSL bug.
The glitch, which has been around for more than 20 years, allows a potential attacker to run arbitrary code remotely through injecting trailing code in the function defined for a variable.
The level of complexity for abusing the environment variables to process trailing commands in functions is not high.
No authentication is required to exploit the bug, which can lead to unauthorized modifications of the affected systems, as well as service disruption and unauthorized disclosure of information.
Patches for Ubuntu (14.04 LTS, 12.04 LTS and 10.04 LTS), CentOS (5 through 7) and Debian are already available and users are recommended to make it a priority to apply them.