Changing the command shell avoids the trouble

Sep 30, 2014 22:15 GMT  ·  By
Applying the Shellshock fix or changing to a different shell solves the problem

Servers that use the open-source OpenVPN software package to run connections through a virtual private network for security reasons can be abused by leveraging the Shellshock bug in the Bash command-line shell for Linux.

OpenVPN basically allows the creation of a tunnel between the client and a secure server that intermediates the connection to the intended target. It relies on a custom security protocol using SSL/TLS for exchanging the encryption keys.

These servers can be compromised because the software includes configuration options that permit calling custom commands during the tunnel session.

Fredrik Strömberg, co-founder of Swedish VPN company Mullvad, says in a post that many of the commands called already have the variables set and in some cases they can be controlled by the client.

“One option used for username+password authentication is ‘auth-user-pass-verify’. If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username,” he adds.

The researcher made the discovery last week and contacted the OpenVPN maintainers. Providers of VPN services using this package can avoid the Shellshock trouble by making sure that Bash is not used for running scripts.
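One way to check that on a server, as an added example that is not part of the original article or of OpenVPN: the script below reads a config file, finds the directives that run external commands, and reports the interpreter each script names on its "#!" line. The function names, verdict labels and sample files are hypothetical, and resolving relative script paths against the config's directory is an assumption; a BASH verdict marks a hook that needs either a patched Bash or a different interpreter.

```shell
#!/bin/sh
# Added example (not from the article): report which interpreter each
# OpenVPN script hook would run under, so Bash-backed hooks stand out.

# Real OpenVPN directives that execute an external command.
HOOKS='auth-user-pass-verify|tls-verify|client-connect|client-disconnect|learn-address|up|down|route-up|ipchange'

# Print the interpreter from a script's "#!" line, or "-" if none/unreadable.
interp_of() {
    line=$(head -n 1 "$1" 2>/dev/null) || line=
    case $line in
        '#!'*) set -- ${line#??} ;;      # split "#!/usr/bin/env bash" into words
        *)     echo "-"; return ;;
    esac
    [ "${1##*/}" = env ] && shift        # "env bash" -> "bash"
    echo "${1:--}"
}

# Usage: audit_openvpn_conf /path/to/server.conf
# Assumption: relative script paths are resolved against the config's directory.
audit_openvpn_conf() {
    conf=$1
    awk -v hooks="^($HOOKS)\$" \
        '$1 ~ hooks { gsub(/["\047]/, "", $2); print $1, $2 }' "$conf" |
    while read -r hook script; do
        case $script in /*) ;; *) script=$(dirname "$conf")/$script ;; esac
        interp=$(interp_of "$script")
        # Follow symlinks so /bin/sh -> bash is caught as well.
        real=$(readlink -f "$interp" 2>/dev/null || echo "$interp")
        case ${interp##*/}:${real##*/} in
            -:*)           verdict=UNKNOWN ;;   # no "#!" line or unreadable
            bash:*|*:bash) verdict=BASH ;;
            *)             verdict=ok ;;
        esac
        echo "$verdict $hook $script ($interp)"
    done
}

# Constructed sample config and hook scripts, written to a temp directory.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/bash\nexit 1\n' > "$d/verify.sh"
    printf '#!/usr/bin/env python3\n' > "$d/connect.py"
    printf '%s\n' 'port 1194' '# up /ignored.sh' \
        "auth-user-pass-verify $d/verify.sh via-env" \
        'client-connect connect.py' > "$d/server.conf"
    audit_openvpn_conf "$d/server.conf"
    rm -rf "$d"
}
demo
```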

Another way to guard against a possible compromise is to apply the existing patch for Bash. Florian Weimer created a fix for the issue, which appears to lock most of the doors for exploiting the 22-year-old glitch in Bash.

After the original Shellshock vulnerability, five more followed as attempts to provide a patch failed; the last two have not been publicly disclosed yet.