01 Oct Shellshock: The Big Bad Bash Bug That is ‘Bigger Than Heartbleed’
Shellshock: The Big Bad Bash Bug
Early Wednesday morning, September 24th, an advisory was issued on Seclists.org. It divulged a ‘critical, remotely exploitable security vulnerability in bash [this week (discovered by Stéphane Chazelas)], related to the processing of environment variables.’ This vulnerability has been nicknamed Shellshock because it lets a remote attacker run commands through a “shell,” the command-line interface where commands are entered and executed. In effect, the remote attacker hijacks the user’s command interface. When the bug was publicly disclosed, at least several hundred thousand Internet-connected servers were readily vulnerable to exploitation.
Michael Lin, Security Research Engineer at FireEye, Inc., states regarding Shellshock:
“The outcome of exploitation is very severe. It typically allows command injection, remotely, without authentication. Once a vector is found, arbitrary code execution is often trivially obtained. This bug has existed in the Bash code for over two decades. It is possible that various individuals could have discovered this bug on their own and kept it private. It is also possible that this bug has been used in the wild for malicious purposes prior to its public discovery. However, it is equally possible that this bug was unknown to the world prior to its public discovery. The combination of the large number of vulnerable servers, accessibility of exploit tools and the severe outcome of successful exploitation, means that this vulnerability is extremely severe.”
Reading this gave us here at SOS Support “Shellshock!”
Any device that connects to the internet and runs Bash is at risk. That includes door locks, security systems, light globes and the like, as well as more common devices such as home routers, servers, iPads, personal devices and phones. Note that the attacker is (at least initially) limited to the privilege level of the user running the Bash instance. However, once an attacker has a foothold in your system, they have multiple options for escalating privileges and potentially gaining root access.
Devices running on Unix, Linux and OS X operating systems are currently at risk. Windows users seem to be safe for the time being, but that can change when the full ramifications of this bug come to light. Attackers are working on exploiting this right now. It is an arms race between those scrambling to patch and those scrambling to attack. Already, we have seen that the first patch for Shellshock may not be completely effective. Likewise, Apple has also released incomplete patches to counteract the vulnerabilities.
While we have not begun to grasp the full depth of the Shellshock vulnerability, there are some steps we can take to protect ourselves as much as possible. First, patch your systems: obtain the latest patches from your vendor and be on the lookout for re-issued patches that fix weaknesses in previous patches. Check your risk exposure. Red Hat has an excellent guide on how to determine if your system is unpatched and vulnerable. Keep all server and security products up to date with the latest releases. Dell SonicWALL Firewalls with Managed Services are not vulnerable, and SonicWALL released an IPS signature to help contain the exploit. Be very cautious of the servers and networks that your devices are connecting to. If possible, avoid connecting to unprotected networks.
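To make the "check your risk exposure" step concrete, here is an added example (not taken from this article's sources or from the Red Hat guide) that tests the bash binaries on the local machine. The marker string, the variable name `probe` and the list of paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Local self-test for the behaviour this article describes: bash running
# text that trails a function definition held in an environment variable.
# MARKER and the variable name "probe" are arbitrary names chosen here.
MARKER="SHELLSHOCK_PROBE_EXECUTED"

# Prints one of: not-found | vulnerable | patched
check_bash() {
    bin="$1"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "not-found"
        return 0
    fi
    # The probe only echoes a marker. A fixed bash treats the value as an
    # ordinary string and runs just `true`, so nothing is printed.
    out=$(env "probe=() { :;}; echo $MARKER" "$bin" -c 'true' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# Check bash in some common install locations (assumed paths) and on PATH.
scan_local_bash() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash \
                     "$(command -v bash 2>/dev/null)"; do
        if [ -n "$candidate" ] && [ -x "$candidate" ]; then
            echo "$candidate: $(check_bash "$candidate")"
        fi
    done | sort -u
}

scan_local_bash
```

A `patched` result covers only the originally disclosed behaviour. Because the first patches were incomplete, install your vendor's latest bash update even when this check passes.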
The challenge with a bug of this nature is that we are still in the early stages, so we cannot yet confidently determine the full scope of damage that can be dealt to consumers and businesses alike. Please be very wary and cautious of any emails requesting information or instructing you to run software. It is common for attackers to use phishing schemes to capitalize on consumer fear and panic.
Many changes and updates are likely to be released over the next several weeks. Check back for more!