Bash Shellshock security update

September 25, 2014

Yesterday, a serious Bash shell vulnerability named Shellshock (CVE-2014-6271 / CVE-2014-7169) was announced. Updates to your servers were applied as soon as they became available.

For servers managed by ServerPilot, the potential risk was limited to PHP scripts that invoked shell commands or executed subprocesses using functions such as "system", "exec", and "popen".

Vulnerability Details

The Shellshock vulnerability was due to the Bash shell unintentionally allowing execution of commands when environment variables are defined. As most CGI configurations make request headers available to scripts as environment variables, it was possible for an attacker to set a malicious HTTP request header that would include commands that could be unintentionally executed by CGI scripts when the variable definition was evaluated by Bash.

With the FastCGI configuration used by ServerPilot, environment variables set by an attacker through HTTP headers only had the potential to be evaluated by Bash if a PHP script invoked a subprocess. For example, if a script used "exec" to call a system command for resizing images, the script may have been vulnerable. Scripts that did not invoke subshells were not vulnerable.

What We Have Done

On Wednesday, September 24, we updated all of our users' servers with the patched version of Bash provided by Ubuntu as soon as it was released (USN-2362-1). This update addressed the immediate risk, though the fix was known to be incomplete and a second patch was in development and testing.

On Thursday, September 25, Ubuntu released a second patched version of Bash to address additional aspects of the bug (USN-2363-1). As soon as it was released, we updated all of our users' servers with this second patched version of Bash.

What You Should Do

No further action is required by you. Your servers do not require a reboot.

As always, don't hesitate to contact us if you have questions or concerns.

Update: 10:07pm PST, September 25, 2014

It was discovered that the bash update released by Ubuntu for Ubuntu 14.04 did not contain the full second patch. They released a third bash package for Ubuntu 14.04 and we immediately pushed this to all 14.04 servers.

Update: 8:46am PST, September 26, 2014

Some users have noticed that certain command line proof-of-concept code seems to indicate that the patched bash is still vulnerable. Your servers are not vulnerable. The proof-of-concept demonstrates other flaws in bash that are not directly related to the high-impact risk of the initial Shellshock vulnerability.

For example, the following command when executed from the command line will print the string "vulnerable":

env X='() { (a)=>\' sh -c "echo vulnerable";

However, this is not a concern for your web applications as HTTP headers can only set the values of environment HTTP_* variables, not control the entire environment variable definition as it is parsed by bash.

As more researchers focus on finding bugs in bash, more parser bugs are likely to be found. However, these parser bugs were not the cause of the Shellshock vulnerability. The security community will certainly be looking for ways they may be of concern to web applications, but it's important to not confuse them with the obscure feature of bash that put web servers, DHCP clients, and many other services at risk of remote exploit due to Shellshock.

To learn more, see Michal Zalewski's excellent discussion of the Shellshock vulnerability.