Security Update for CVE-2014-6271 (Shellshock)

September 26, 2014
Written by Twilio


On Wednesday morning, September 24, 2014, the Twilio security team became aware of a code-injection vulnerability in bash dubbed CVE-2014-6271 and nicknamed “Shellshock.” While Twilio does not expose any of the services identified as vulnerable in this disclosure to the public Internet, our operations team responded immediately to upgrade affected bash versions across the Twilio infrastructure.  That effort was completed in the afternoon on Wednesday.

Our current reporting suggests it is unlikely that Twilio infrastructure was exposed directly; however, our security team is monitoring the situation closely as further research becomes available. The Twilio Operations team will continue to monitor the disclosure and its related issue, CVE-2014-7169, and take appropriate mitigation steps as they become available.

We urge our customers to mitigate this vulnerability by upgrading their bash installations. Customers running services that this vulnerability makes exploitable without authentication, such as Apache's mod_cgi or dhcpd, should upgrade their affected systems immediately.

This is an overview of the vulnerability, according to US-CERT/NIST:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

One test that has emerged from research into this disclosure can be run from a shell session on a potentially affected host:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo test"

If the output of this command contains "vulnerable", the host is likely affected and should be upgraded.
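The same check, wrapped as an added example (not part of the original Twilio post) so that it can be run against a named interpreter and its result consumed by a script or configuration-management tool. It assumes the interpreter to test is passed as the first argument (defaulting to the bash on PATH); note that /bin/sh, which the one-liner above invokes, is not bash on every distribution, so bash should be tested explicitly as well.

```shell
#!/bin/sh
# Added example: function form of the CVE-2014-6271 test from the advisory.
# Assumption: $1 names the interpreter under test (default: bash on PATH).
# The environment variable's value is a function definition followed by a
# trailing command; an unpatched bash executes that trailing command while
# importing the function, so "vulnerable" shows up in the output.

# Exit status: 0 = trailing string was executed (vulnerable),
#              1 = not executed (patched, or interpreter is not bash),
#              2 = interpreter not found.
shellshock_check() {
    interp="${1:-bash}"
    if ! command -v "$interp" >/dev/null 2>&1; then
        echo "no such interpreter: $interp" >&2
        return 2
    fi
    out="$(env X='() { :;} ; echo vulnerable' "$interp" -c 'echo test' 2>&1)"
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Human-readable report for one or more interpreters, e.g.
#   shellshock_report bash /bin/sh
shellshock_report() {
    for interp in "$@"; do
        if shellshock_check "$interp"; then
            echo "$interp: VULNERABLE to CVE-2014-6271, upgrade bash"
        else
            echo "$interp: not affected by the CVE-2014-6271 test"
        fi
    done
}
```

A patched bash prints only "test" (some patched builds add a warning about ignoring the function definition), so the check returns 1 there.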

For more information about this vulnerability, determining whether you are vulnerable, and to get started mitigating it, please visit the following resources:

As always, for any questions or concerns regarding this vulnerability, please reach out to help@twilio.com.