A serious Bash vulnerability has been discovered on Wednesday (first public mention of it seems to be this post on seclist continuing here with more details). This allows an attacker to execute any code on a vulnerable server. This is even more serious than the heartbleed vulnerability that swept through the Internet couple of months ago.
This is not a WordPress vulnerability, but a server vulnerability. It threatens to become one of the most widespread and dangerous exploits with serious security implications (it received both Impact and Exploitability scores of 10/10). If you have a server, own/manage websites or use a Mac – read on.
Do you have vulnerable bash?
There are several ways you can test.
(Update: ManageWP WordPress plugin and ManageWP code snippet now test for both disclosed shellshock vulnerabilities CVE-2014-6271 and CVE-2014-7169 )
1. Use Shellshock check WordPress plugin
ManageWP released a WordPress plugin that checks if your server has vulnerable version of bash installed.
Download Shellshock check WordPress plugin
To use it, just install the plugin and click Run test.
2. With ManageWP
If you own/manage multiple sites, we have published a code snippet which allows you to check all your websites with a click of the button.
Access it through Tools -> Code Snippets (available to Professional and Business plan users, as well as trial users). Scroll to public snippets and locate ‘Shellshock vulnerability check’ then click Load.
This is what the snippet looks like.
Select sites you want to check for vulnerability and click Execute. You will get a response that will look like this.
Note that if a server is vulnerable, all sites on the server will report vulnerability.
3. If you have admin access to your server
If you have shell access to your server you can run this code.
env x='() { :;}; echo VULNERABLE' bash -c 'echo hello'
If you see the string VULNERABLE in the output your bash is vulnerable.
How does Shellshock work?
This is the official explanation on NIST:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Specific examples of how to use the exploit are already plentiful and include scripts that detect vulnerable servers and access the password file, basically possibilities are endless.
What can you do?
If you have access to your server simply update bash via
yum update bash
or
apt-get install --only-upgrade bash
If you do not have access then you need to contact your server/hosting support and point them to this post, they will know what to do.
Shellshock also affects Macs. Useful information for Mac users can be found here.
For more detailed analysis of the exploit see here.
We will follow the proceedings of the event and update you with the most important information accordingly.
Mike
Great Post. I personally used the Unix code to check for the vulnerability and patched it using Yum. Really simple to do.
If you’re using WordPress hosting or a managed hosting service, it should be your host which checks for this, and not you. Get what you pay for and demand patching.
jjsararas
Wow this is really great. Another ‘5 minutes instead of 2 hours’ moment. Thanks for being so on top of this Vlad and team, instills even more confidence.
Jacqueline Hill
OMG I didn’t think it was possible butI love ManageWP even more now
francois
Thank you for the heads-up and the service of the plugins/code ! Much appreciated.
Zak Cagaros
Have any websites been compromised with this vulnerability?
ManageWP
The WordPress plugin is now hosted at the WordPress.org repository https://wordpress.org/plugins/shellshock-check/
ttownsend
As a long time PAYING customer…I too am disappointed you are not providing access to this TOOL for a SECURITY issue of this magnitude. Pretty poor excuse here “advanced in nature and may cause more requests to our support team”. The reason many are using the Standard Plan has NOTHING to do with expertise. Try again !!
ManageWP
Unfortunately changing the way account privileges and entire application works is not switching a button. I hope you understand. We do care about the entire WordPress community and that is why we also released a free WordPress plugin which does the same check.
clayasbury
This is a professional courtesy above and beyond ManageWP’s TOS and what most vendors are doing – even those in the hosting and security space.
alvin.caoyonan
Thanks guys. Vulnerability check was quick and easy.
loris
Thank you for this!! Another great reason for being your customer 🙂
ManageWP
Thanks Loris!
lauraldunkley
Thank-you! It worked. You guys make it so easy to manage multiple websites.
ManageWP
Thanks Laura, glad to be of help 🙂
Not Enter
Thanks been nice expression.
cliff
Terrific service. Thank you, ManageWP!
rjdougan
I am getting a false positive per one of my hosts. I contacted the host after the plugin scan state the server was vulnerable. They have advised me that that patch has been installed. Is anyone else getting a false positive on a server still being vulnerable?
SusanMarshallVA.com
In ManageWP, there is an option to Make it public. Can you tell me what is being made public and to who?
Also, for those sites identified as Vulnerable, what should I be asking of the respective web hosting companies?
Vladimir Prelovac
You should not do anything else but to point your host to this post.
Mikhail Levin
It would be very NICE, if that “Tools/Code Snippet” was enabled for the subscribers of the Standard Plan too. Even to a Free subscribers…
With high critical nature of this issue it would be very useful to have ManageWP’s help identifying the vulnerability for all subscribers, not only those who pay more money.
Without it the value of the Standard Plan appears less appealing. And free subscribers will be cut off too.
As with a case with a Backup tool – the quality of your service is much more valuable than a quantity.
Thanks.
ManageWP
Thanks for the suggestion. It is something we may consider, the Code Snippet tool has always been a part of the Professional plan as it is advanced in nature and may cause more requests to our support team (especially if we opened it to free users). It is always a matter of balance. Note that we also released a plugin which allows everyone (not just ManageWP customers) to check for vulnerability.
duane.stevens
Only instructions for Plug-in is to “run test.” Where? I’ve installed and activated. Where do I look to run the test?
duane.stevens
Settings | Shellshock
Dave Clements
It seems that your shell commands (and thus, probably your WordPress plugin) only consider the initial exploit, CVE-2014-6271 and not the second one that was uncovered yesterday, CVE-2014-7169. You might want to look at shellshocker dot net for the latest information on what the exploits are and how to patch them.
ManageWP
Thanks Dave! We will take a look into this and update accordingly.
Update: both vulnerabilities are now being checked against!