A serious flaw has been found in a software component known as Bash (Bourne Again Shell), which is a part of many Linux / Unix systems as well as Apple’s Mac operating system.
The bug, dubbed Shellshock, can potentially be used to remotely take control of almost any system using Bash, researchers said. The bug, which has gone undetected in the software for at least 22 years, was disclosed yesterday, 24-Sep-2014.
According to Securelist.com … “it is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. Basically it lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables, but not every system is vulnerable since certain conditions must be met. … The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.”
Chris Griffith, Senior Technology Journalist @ The Australian writes… “The security hole poses an enormous threat to everything from computers to sewerage treatment plants, pump networks, to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers. That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges. It opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of. …”
According to Trend Micro … “LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT) so the reach of this is very broad. Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.”
Shellshock rates 10 out of 10 on the scale of vulnerabilities. For perspective, Heartbleed rated an 11, but that bug required more work to exploit, whereas Shellshock opens the way for hackers to add and manipulate code or data in “shell” commands.
Several exploits have already been identified in the wild, and some experts are concerned this bug is “clearly wormable” and may get much worse in the coming months.
But not all security experts agree this is “Heartbleed 2.0”. Brad Chacos writes in PCWorld … “Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant. Ellis writes, ‘The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.’ …”
No one really knows for sure how bad things could get with Shellshock, but one thing everyone agrees on is system administrators and developers need to patch this Bash bug asap.
Patches are available through the links below, but expect a series of further patches going forward.
US-CERT recommends administrators and users review CVE-2014-7169 in the National Vulnerability Database as well as the Red Hat Security Blog for additional details, and refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. As of 24-Sep-2014, a GNU Bash patch is also available for experienced users and administrators to implement on all current versions of Bash, from 3.0 to 4.3.
Some security researchers warn that the patches are “incomplete” and would not fully secure systems. Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug. Read more at RedHat.com.
WHAT CAN I DO?
As Mashable explains… “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”
Kaspersky Labs’ Global Research & Analysis Team has a great Q&A about the “Bash” vulnerability, including an easy test to check whether your system is vulnerable, on Securelist.com. There is some geek-speak throughout the Q&A, but it could be helpful to some techie users and programmers.
The patching process for Apple users is described over at StackExchange, but be warned – according to Mashable, it requires a certain level of command-line knowledge to apply.
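The kind of self-check the Kaspersky Q&A describes, written here as an added example (it is not the article's or Kaspersky's code): it asks the locally installed bash to import a function from an environment variable and reports whether the trailing command after the function body was executed (CVE-2014-6271). The function name, the marker string and the optional path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. A patched bash imports the function
# definition from the environment variable and ignores anything after the
# closing brace; an unpatched bash keeps parsing and runs the trailing
# command at startup, before the -c command we asked for.
# Return status: 0 = patched, 1 = vulnerable, 2 = bash not found.
shellshock_check() {
    bash_bin=${1:-bash}              # optional: path to the bash to test
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The function body is a no-op (':'); the echo after it is the marker
    # that only a vulnerable bash would execute. Early vendor patches print
    # a warning on stderr about the ignored definition, so stderr is dropped.
    out=$(env probe='() { :; }; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "vulnerable"
            return 1 ;;
        *)
            echo "patched"
            return 0 ;;
    esac
}

# Usage: sh shellshock_check.sh [/path/to/bash]
# (e.g. /bin/bash on OS X 10.9, which shipped bash 3.2 and needed Apple's update)
status=0
shellshock_check "$@" || status=$?
```

A result of "patched" only covers this first CVE; the follow-up issue CVE-2014-7169 mentioned above needed a second round of vendor patches, so keep applying updates.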
For general home users worried about security, watch for updates (esp. OS X and Android users) and pay attention to updates from Internet providers and manufacturers – particularly for hardware such as broadband routers. Also be wary of emails requesting information or instructing you to click links or run software to “fix” this bug.
Unfortunately this situation is only starting to manifest and metastasize and, as Kaspersky Lab chief executive Eugene Kaspersky said, “the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks.”
Some helpful sites and articles with fixes, explanations about various vulnerabilities and more are…
Red Hat’s original post about vulnerability
“Bash” (CVE-2014-6271) vulnerability – Q&A by Kaspersky Labs’ Global Research & Analysis Team
U.S. Computer Emergency Readiness Team
Everything you need to know about the Shellshock Bash bug by Troy Hunt via TroyHunt.com
What you need to know about Shellshock, aka the “Bash Bug” by Mark Nunnikhoven @ Trend Micro
Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk by Daniel Cid @ Sucuri Security blog
Shellshock DHCP RCE Proof of Concept by TrustedSec.com
Major Bash Vulnerability Affects Linux, Unix, Mac OS X by Michael Mimoso @ ThreatPost
Worse than Heartbleed? by Jim Reavis @ Cloud Security Alliance
Shellshock: The ‘Bash Bug’ That Could Be Worse Than Heartbleed by Stan Schroeder @ Mashable
Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux by James Lyne @ Forbes
Unix/Linux Bash: Critical security hole uncovered by Steven J Vaughan-Nichols @ ZDNet
Shellshock: ‘Deadly serious’ new vulnerability found by Dave Lee @ BBC
Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm by Darren Pauli @ The Register
‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack by Brad Chacos on PCWorld