This morning, Stephane Chazelas disclosed a vulnerability in the program bash, the GNU Bourne-Again-Shell. This software is widely used, especially on Linux servers, such as the servers used to provide CloudFlare’s performance and security cloud services.
This vulnerability is a serious risk to Internet infrastructure, as it allows remote code execution in many common configurations, and the severity is heightened due to bash being in the default configuration of most Linux servers. While bash is not directly used by remote users, it is used internally by popular software packages such as web, mail, and administration servers. In the case of a web server, a specially formatted web request, when passed by the web server to the bash application, can cause the bash software to run commands on the server for the attacker. More technical information was posted on the oss-sec mailing list.
The security community has assigned this bash vulnerability the ID CVE-2014-6271.
As soon as we became aware of this vulnerability, CloudFlare’s engineering and operations teams tested a patch to protect our servers, and deployed it across our infrastructure. As of now, all CloudFlare servers are protected against CVE-2014-6271.
Everyone who is using the bash software package should upgrade as soon as possible; operating system vendors and Linux distributions have released new versions today.
Additionally, CloudFlare has prepared Web Application Firewall (WAF) rules to protect customers who have not yet patched their own servers. These firewall rules are available to Pro, Business, and Enterprise customers. We have enabled them by default, so no WAF configuration is necessary.
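Two defender-side checks that follow from the paragraphs above, written here as an added example and not taken from CloudFlare's systems or WAF rules: the first tells an administrator whether the bash on a host is still affected by CVE-2014-6271 (an exported function definition must not execute the text that follows its closing brace), and the second shows the kind of request inspection a WAF rule for this bug performs, by flagging HTTP header lines that carry a bash function definition. The function names `shellshock_check`, `flag_shellshock_headers` and `count_shellshock_headers` and the sample header lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not CloudFlare's code. Two defender-side checks for CVE-2014-6271.

# 1. Is the local bash patched?
#    An unpatched bash imports the exported variable x as a function and then
#    runs the trailing "echo vulnerable"; a patched bash ignores that text.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not found"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 2. Flag header lines containing a bash function definition: "()" followed by
#    optional whitespace and "{", the signature a WAF rule for this bug matches.
#    Reads one header line per line of standard input, prints the matches.
flag_shellshock_headers() {
    grep -E '\(\)[[:space:]]*\{'
}

# Convenience wrapper returning only the number of flagged lines.
count_shellshock_headers() {
    flag_shellshock_headers | wc -l | tr -d ' '
}

# Constructed sample header lines (not real traffic); two of them carry the pattern.
SAMPLE_HEADERS='User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Cookie: session=abc123
User-Agent: () { :;}; echo probe
Referer: http://example.com/
Accept: () {:;}; echo probe'

# Usage: run both checks and print the results.
echo "local bash: $(shellshock_check)"
echo "flagged header lines:"
printf '%s\n' "$SAMPLE_HEADERS" | flag_shellshock_headers
```

The first check exercises only the import path of the local shell and prints nothing but `vulnerable` or `patched`; run it after installing the vendor's updated package to confirm the fix took effect. The header scan is deliberately broad: benign header values almost never contain `() {`, so a match is a strong signal worth blocking or logging, which is why WAF rules for this bug key on that pattern rather than on any particular command that might follow it.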
UPDATE (Wed Sep 24 20:59:46 PDT 2014): At the current time, there are reports that the initial bash patch deployed by most OS vendors does not fully mitigate the vulnerability. CloudFlare continues to watch the situation closely and will update both our own systems and customer-protecting WAF rules as more information becomes available. MITRE has assigned reports of additional vulnerabilities CVE-2014-7169.
UPDATE (Fri Sep 26 05:08:00 EDT 2014): Over the past day, Linux distributions have released updated bash packages which address both CVE-2014-6271 and CVE-2014-7169. CloudFlare has installed these packages on all of our servers, and strongly encourages all customers to do the same. Our WAF rule remains in place, protecting Pro, Business, and Enterprise customers for web traffic going through CloudFlare.