Shellshock Protect Your Web Applications
The security flaw in the bash shell discovered last week can be exploited to attack web servers and web applications that use user input to execute shell scripts. The Web Application Firewall of the Nevis Security and Compliance Suite enables companies to effectively protect their applications from such attacks. test
The security flaw in the bash shell (CVE-2014-6271) discovered last week can also affect web servers and web applications. This is the case if a web application uses input by the end user to execute a shell script. A common implementation for this is the CGI (Common Gateway Interface) method which is often used to generate dynamic content on web pages and web applications.
Anatomy of a Shellshock attack with CGI
According to the CGI specification, a web server maps parts of the web request to environment variables that can be accessed by CGI scripts. For example, the search values entered by the user may be accessible through the environment variable QUERY_STRING. Special headers may be mapped to environment variables as well.
Since the attacker controls all of these values, he is able to define some of the environment variables inside all bash processes executed by a web server under the CGI specification. Some of the variable values may be set through input fields in a web application, other variables may be sent to the server by manipulating the HTTP header variables, for example with the help of a web browser plugin. As soon as the attacker is able to submit and define a variable in a vulnerable bash shell via input in a web form or web application, he can launch an attack.
Protection against Shellshock attacks
A Web Application Firewall (WAF) is a server component placed in front of the actual web server or web application server. The WAF is completely transparent and invisible to the end user. It filters all requests to the server by applying a set of configurable rules. A main use case is to filter any input by users of the web application to check for potentially harmful content.
Two very common attacks for which rules are available are cross-site scripting (XSS) and SQL injection. The WAF filter blocks or patches input sent by the user to the server in such a way that the actual web application is protected. This means that also parameters and variables sent to a CGI script on the web server are filtered by the WAF rules to remove problematic input. So to protect a web server already secured by a web application firewall from a shellshock attack, it is only necessary to ensure a corresponding rule is defined and activated in the WAF rule set.
AdNovum's Security and Compliance Suite Nevis includes a WAF component that implements a layered security architecture as well as the required interceptor and secure reverse proxy patterns. Registered Nevis customers will find instructions on how to configure an anti-shellshock rule set on the Nevis blog. In addition, we advise all companies to patch vulnerable bash shells on all web servers and web applications.