The Shellshock Vulnerability and Alcatel-Lucent

Recent security research has discovered a serious security vulnerability in the BASH (Bourne Again Shell) command processor found on Unix-based operating systems, commonly known as Shellshock. BASH is used in a large number of Alcatel-Lucent products, and Amillan therefore advises organisations that deploy these products to take action to protect their IT operations.

Who is impacted by Shellshock?

Shellshock is a new vulnerability that potentially affects most versions of the Linux and UNIX operating systems, as well as Mac OS X. Known as the “Bash Bug” or “Shellshock,” the GNU BASH Remote Code Execution Vulnerability (CVE-2014-6271/CVE-2014-7169) could allow an attacker to gain control over a targeted computer if exploited successfully.

The vulnerability affects BASH, a common component known as a shell that appears in many versions of Linux and UNIX. BASH acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

BASH can also be used to run commands passed to it by applications, and it is this feature that the vulnerability affects. One type of command that can be sent to BASH allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. When BASH starts, it treats a variable whose value begins with "() {" as an exported function definition; the vulnerability lies in the fact that an attacker can tack on malicious code after that definition, and a vulnerable BASH will run it as soon as the variable is received, without the function ever being called.

While the vulnerability potentially affects any computer running BASH, it can only be exploited by a remote attacker in certain circumstances. For a successful attack to occur, an attacker needs to force an application to send a malicious environment variable to BASH.

The most likely route of attack is through Web servers using the Common Gateway Interface (CGI). CGI is a widely used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server, because CGI passes request headers such as User-Agent and Referer to scripts as environment variables. If the script is run by BASH, or invokes it, BASH will also run any malicious command tacked on to one of those variables.
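The two checks below are an added example and are not part of the Amillan or Alcatel-Lucent advisory. The first is the widely published self-test for CVE-2014-6271: a vulnerable BASH imports the variable as a function definition and then executes the command that follows the closing brace, so the word "vulnerable" appears in the output. The second looks for the same function-definition marker in Web server access logs, where CGI probes arrive in the User-Agent or Referer fields. The log lines are constructed for this example (documentation IP addresses, benign payload); the combined log format, the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory. Two defender-side checks for
# CVE-2014-6271 (Shellshock): a local patch-status test and an access-log scan.

# bash_shellshock_status: runs the well-known self-test against the installed
# bash. A vulnerable bash imports x as a function definition AND runs the
# trailing "echo vulnerable". Returns 0 = vulnerable, 1 = patched,
# 2 = bash not installed on this host.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# write_sample_log: writes constructed Apache combined-format lines to $1.
# Two lines carry the "() {" function-definition marker (one in User-Agent,
# one with no space in Referer); the third is an ordinary request.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"
192.0.2.11 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :;}; echo shellshock-probe" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# count_shellshock_probes: number of log lines in $1 containing the
# "() {" marker (optional whitespace between the parentheses and the brace).
# "|| true" keeps a zero count from being treated as an error under set -e.
count_shellshock_probes() {
    grep -cE '\(\) *\{' "$1" || true
}

# shellshock_probe_lines: prints the matching lines from $1 for triage.
shellshock_probe_lines() {
    grep -E '\(\) *\{' "$1" || true
}

# Stand-alone demonstration: sh shellshock_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    bash_shellshock_status
    case $? in
        0) echo "bash: VULNERABLE - patch required" ;;
        1) echo "bash: patched" ;;
        2) echo "bash: not installed" ;;
    esac
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "probe lines in sample log: $(count_shellshock_probes "$tmp")"
    shellshock_probe_lines "$tmp"
    rm -f "$tmp"
fi
```

Run `bash_shellshock_status` on each host that ships BASH, including appliances whose management interface exposes CGI, and point `count_shellshock_probes` at the real access log (for example `/var/log/apache2/access.log`) to see whether probes have already reached the server. A patched BASH prints only "test" for the self-test; on later patch levels it also refuses to import any function that is not passed with the `BASH_FUNC_` prefix, so the same check stays valid.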

Next Steps

See Alcatel-Lucent Security Advisory No SA0052 for full information on the vulnerability and a list of affected Alcatel-Lucent products.

Amillan customers that may have vulnerable products will be contacted by their Account Manager shortly to make arrangements for the required patch or upgrade as appropriate. If you are concerned about Shellshock and you're looking for further support from Amillan's pre-sales team, please do not hesitate to contact us.