Shellshock vulnerability check for WordPress

Vladimir Prelovac

A serious Bash vulnerability has been discovered on Wednesday (first public mention of it seems to be this post on seclist continuing here with more details). This allows an attacker to execute any code on a vulnerable server. This is even more serious than the heartbleed vulnerability that swept through the Internet couple of months ago.

This is not a WordPress vulnerability, but a server vulnerability. It threatens to become one of the most widespread and dangerous exploits with serious security implications (it received both Impact and Exploitability scores of 10/10). If you have a server, own/manage websites or use a Mac – read on.

Do you have vulnerable bash?

There are several ways you can test.

(Update: ManageWP WordPress plugin and ManageWP code snippet now test for both disclosed shellshock vulnerabilities CVE-2014-6271 and CVE-2014-7169 )

1. Use Shellshock check WordPress plugin

ManageWP released a WordPress plugin that checks if your server has vulnerable version of bash installed.

Download Shellshock check WordPress plugin

To use it, just install the plugin and click Run test.

Sheelshock Vulnerability check WordPress plugin

2. With ManageWP

If you own/manage multiple sites, we have published a code snippet which allows you to check all your websites with a click of the button.

Access it through Tools -> Code Snippets (available to Professional and Business plan users, as well as trial users). Scroll to public snippets and locate ‘Shellshock vulnerability check’ then click Load.

Load Shellshock test snippet
Load Shellshock test snippet

This is what the snippet looks like.

Shellshock test snippet
Shellshock test snippet

Select sites you want to check for vulnerability and click Execute. You will get a response that will look like this.

Results

Note that if a server is vulnerable, all sites on the server will report vulnerability.

3. If you have admin access to your server

If you have shell access to your server you can run this code.

 env x='() { :;}; echo VULNERABLE' bash -c 'echo hello'

If you see the string VULNERABLE in the output your bash is vulnerable.

How does Shellshock work?

This is the official explanation on NIST:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Specific examples of how to use the exploit are already plentiful and include scripts that detect vulnerable servers and access the password file, basically possibilities are endless.

What can you do?

If you have access to your server simply update bash via

yum update bash

or

apt-get install --only-upgrade bash

If you do not have access then you need to contact your server/hosting support and point them to this post, they will know what to do.

Shellshock also affects Macs. Useful information for Mac users can be found here.

For more detailed analysis of the exploit see here.

We will follow the proceedings of the event and update you with the most important information accordingly.

Vladimir Prelovac Avatar

author

Vladimir Prelovac
Vladimir is the Founder of ManageWP, and is a frequent contributor to the WordPress community – in the form of numerous plug-ins, tools, WordCamp talks and a book by the title WordPress Plugin Development.

25 responses

  1. Dave Clements Avatar
    Dave Clements

    It seems that your shell commands (and thus, probably your WordPress plugin) only consider the initial exploit, CVE-2014-6271 and not the second one that was uncovered yesterday, CVE-2014-7169. You might want to look at shellshocker dot net for the latest information on what the exploits are and how to patch them.

    Reply
  2. Mikhail Levin Avatar
    Mikhail Levin

    It would be very NICE, if that “Tools/Code Snippet” was enabled for the subscribers of the Standard Plan too. Even to a Free subscribers…

    With high critical nature of this issue it would be very useful to have ManageWP’s help identifying the vulnerability for all subscribers, not only those who pay more money.

    Without it the value of the Standard Plan appears less appealing. And free subscribers will be cut off too.

    As with a case with a Backup tool – the quality of your service is much more valuable than a quantity.

    Thanks.

    Reply
  3. SusanMarshallVA.com Avatar
    SusanMarshallVA.com

    In ManageWP, there is an option to Make it public. Can you tell me what is being made public and to who?

    Also, for those sites identified as Vulnerable, what should I be asking of the respective web hosting companies?

    Reply
  4. rjdougan@gmail.com Avatar
    rjdougan@gmail.com

    I am getting a false positive per one of my hosts. I contacted the host after the plugin scan state the server was vulnerable. They have advised me that that patch has been installed. Is anyone else getting a false positive on a server still being vulnerable?

    Reply
  5. cliff@goatcloud.com Avatar
    cliff@goatcloud.com

    Terrific service. Thank you, ManageWP!

    Reply
  6. Not Enter Avatar
    Not Enter

    Thanks been nice expression.

    Reply
  7. lauraldunkley@gmail.com Avatar
    lauraldunkley@gmail.com

    Thank-you! It worked. You guys make it so easy to manage multiple websites.

    Reply
  8. loris@oniric-creative.com Avatar
    loris@oniric-creative.com

    Thank you for this!! Another great reason for being your customer 🙂

    Reply
  9. alvin.caoyonan@adonhold.com.au Avatar
    alvin.caoyonan@adonhold.com.au

    Thanks guys. Vulnerability check was quick and easy.

    Reply
  10. ttownsend Avatar
    ttownsend

    As a long time PAYING customer…I too am disappointed you are not providing access to this TOOL for a SECURITY issue of this magnitude. Pretty poor excuse here “advanced in nature and may cause more requests to our support team”. The reason many are using the Standard Plan has NOTHING to do with expertise. Try again !!

    Reply
  11. ManageWP Avatar
    ManageWP

    The WordPress plugin is now hosted at the WordPress.org repository https://wordpress.org/plugins/shellshock-check/

    Reply
  12. Zak Cagaros Avatar
    Zak Cagaros

    Have any websites been compromised with this vulnerability?

    Reply
  13. francois Avatar
    francois

    Thank you for the heads-up and the service of the plugins/code ! Much appreciated.

    Reply
  14. Jacqueline Hill Avatar
    Jacqueline Hill

    OMG I didn’t think it was possible butI love ManageWP even more now

    Reply
  15. jjsararas Avatar
    jjsararas

    Wow this is really great. Another ‘5 minutes instead of 2 hours’ moment. Thanks for being so on top of this Vlad and team, instills even more confidence.

    Reply
  16. Mike Avatar
    Mike

    Great Post. I personally used the Unix code to check for the vulnerability and patched it using Yum. Really simple to do.

    If you’re using WordPress hosting or a managed hosting service, it should be your host which checks for this, and not you. Get what you pay for and demand patching.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *