Shell Shock: The Bash Bug on Servers Hosting WordPress

Linux and Unix-based web servers, the safest you can get!  While that may be true, no operating system (or software for that matter) is perfect. The Bash Bug, also known as the Shell Shock vulnerability, presents an extremely serious security problem for every server that currently has “bash” (short for Bourne Again Shell) installed.  Chances are your WordPress site is on a server that is running bash.

What are its implications on WordPress websites and the web servers hosting them?

Huge!  If the web server is using bash, it’s vulnerable. NIST (the National Institute of Standards and Technology) has assigned this vulnerability the highest possible risk rating for a security bug on every severity scale, as follows:

CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

— from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Amazingly, this vulnerability has been present for 25 years, since Bash (the Bourne Again Shell) was released in 1989.  An attacker could use a web server’s CGI interface to gain access to files that would normally be protected and accessible only to authenticated users with adequate system permissions. However, unless you run hundreds or thousands of servers, the probability that you have already been compromised through Shell Shock is quite low, and you can avoid the risk by taking the appropriate actions promptly.


What’s a WordPress webmaster to do?

If you do not have root or sudo ssh access to the web server, contact the server admin or web host that does and find out what they have done to mitigate Shell Shock.  Chances are that a good web host has already patched their servers, or is working on rolling out the latest patched bash across their infrastructure. Got root?  Chances are that your web hosting company is busy patching their own shared servers and not necessarily patching your dedicated web server, VPS, or VM.  In that case, you might want to do this:

1.  Check for the bug:

Log in to your server with ssh and issue this command to check whether bash is vulnerable:

env x='() { :;}; echo shellshock bash bug exploitable' bash -c "echo test complete"

If the command returns the following, your bash version is unpatched and vulnerable:

shellshock bash bug exploitable
test complete

The command will return the following if it is not vulnerable to CVE-2014-6271:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
test complete

Running this command will check for the follow-up bash vulnerability, CVE-2014-7169:

env var='() { (a)=>\' bash -c "echo vulnerable to CVE-2014-7169"; /bin/true

If bash is vulnerable, it will print this:

vulnerable to CVE-2014-7169
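As an added example (not from the original post), here is a small POSIX sh script that wraps the two checks above so they can be run across many hosts and acted on by exit code rather than by reading the output by eye. The function names are my own; it assumes only a POSIX sh and the mktemp utility, and it makes no changes to the system.

```shell
# Added example, not part of the original post: scripts the two Shell Shock
# checks so they can be run on many hosts and acted on by exit code rather than
# by reading the output by eye. Assumes a POSIX sh and the mktemp utility.

# CVE-2014-6271: a function definition in an environment variable is imported
# and the command after the closing brace runs. A patched bash warns on stderr
# and ignores the definition, so only the inner "echo probe" reaches stdout.
# Returns 0 if bash is vulnerable, 1 if it is not, 2 if bash is not installed.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null || :)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: the first fix was incomplete; the leftover ">\" token is
# applied to the first word of the -c command, so "echo date" becomes a
# redirect into a file named "echo". Run in a scratch directory and test for
# that file instead of trusting printed output. Same return codes as above.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || :
    if [ -f "$tmp/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Turn a check's exit code into a word for the report.
describe() {
    case "$1" in 0) echo vulnerable ;; 1) echo patched ;; *) echo no-bash ;; esac
}

# One line per CVE; returns 0 only when nothing is vulnerable, so it can gate a
# deployment or feed a monitoring check.
shellshock_report() {
    r1=0; check_cve_2014_6271 || r1=$?
    r2=0; check_cve_2014_7169 || r2=$?
    echo "CVE-2014-6271: $(describe "$r1")"
    echo "CVE-2014-7169: $(describe "$r2")"
    if [ "$r1" -eq 0 ] || [ "$r2" -eq 0 ]; then return 1; fi
    return 0
}
```

Run `shellshock_report` on each host; a non-zero exit means at least one of the two bugs is still present and step 2 below is due.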

2.  Patch it up:

If your server needs to be patched, you can likely update the OS with the default package manager since most OS distributions have released 2 to 3 patches for the bug.

Ubuntu and Debian:

apt-get update
apt-get install --only-upgrade bash

CentOS, Red Hat and Fedora:

yum update bash

3.  Stay informed and on top of security:

Sign up for feeds that will keep your team informed of the security alerts that may affect your WordPress web site or web server.  Here are two good feeds you may want to consider:

http://nvd.nist.gov/download.cfm

https://www.us-cert.gov/ncas/alerts/

The Shell Shock vulnerability affects any computer (including laptops and desktops) that has bash installed (yes, that includes Mac OS X and every other OS with bash on it).

As long as you keep your OS updated, avoid connecting to untrustworthy networks until the bash security update is released, and install that update on your computer as soon as it is, you should be clear of danger.  Unless, of course, you are exposing a CGI-enabled web server, or the ssh port on your laptop or desktop is exposed to the internet or an untrustworthy network…  In that case, make sure you patch up quickly.

Bash developers were still working on a foolproof patch at the time this blog article was posted.  Either way, the current bash patches should be installed as quickly as possible.  Keep an eye out for further patch releases and announcements from security alert feeds (such as those posted above).

All things considered, the Shell Shock bash bug is a major security flaw whose effects will keep spilling across the web as time passes.

It’s best to be prudent and prevent your data and systems from being compromised, and perhaps even used to compromise more systems.

Just like any ecosystem where people make their home, contributing to polluting and destroying it is not a good idea.  That attitude makes an intricately complex system that relies on order much more chaotic.

Let’s keep the web as safe and clean an ecosystem as we can, for as long as we keep making it our home.

References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

https://www.us-cert.gov

http://www.ubuntu.com/usn/usn-2362-1/

https://access.redhat.com/articles/1200223

http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

http://en.wikipedia.org/wiki/Bash_(Unix_shell)

http://www.geek.com/apps/25-year-old-bash-shellshock-bug-could-be-more-dangerous-than-heartbleed-1605349/

http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited

This post was written by Andre Brongniart – WP Valet Systems Engineer
