Shellshock Bash bug impacts Linux, Unix and Mac systems (and hackers are already exploiting it)

September 25, 2014

A serious flaw has been found in a software component known as Bash (Bourne Again Shell), which is part of many Linux / Unix systems as well as Apple’s Mac operating system.

The bug, dubbed Shellshock, can potentially be used to remotely take control of almost any system using Bash, researchers said. The bug, which has gone undetected in the software for at least 22 years, was just disclosed yesterday, 24-Sep-2014.

According to Securelist.com … “it is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. Basically it lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables, but not every system is vulnerable since certain conditions must be met. … The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.”

Chris Griffith, Senior Technology Journalist @ The Australian writes… “The security hole poses an enormous threat to everything from computers to sewerage treatment plants, pump networks, to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers. That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges. It opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of. …”

According to Trend Micro … “LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT) so the reach of this is very broad. Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.”

Shellshock rates 10 out of 10 on the scale of vulnerabilities. For perspective, Heartbleed rated an 11, but that bug required more work to exploit, whereas Shellshock opens the way for hackers to inject and manipulate code or data in “shell” commands.

Several exploits have already been identified in the wild (read here, here and here) and some experts are concerned this bug is “clearly wormable” and may get much worse in the coming months.

But not all security experts agree this is “Heartbleed 2.0”. Brad Chacos writes in PCWorld … “Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant. Ellis writes, ‘The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.’ …”

No one really knows for sure how bad things could get with Shellshock, but one thing everyone agrees on is that system administrators and developers need to patch this Bash bug asap.

PATCH AVAILABLE

Patches are available through the links below, but realize there will most likely be a series of patches going forward.

US-CERT recommends administrators and users review CVE-2014-7169 in the National Vulnerability Database as well as the Redhat Security Blog for additional details and refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. As of 24-Sep-2014 a GNU Bash patch is also available for experienced users and administrators to implement on all current versions of Bash, from 3.0 to 4.3.

Some security researchers warn that the patches are “incomplete” and would not fully secure systems. Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug. Read more at RedHat.com

WHAT CAN I DO?

As Mashable explains… “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”

Kaspersky Labs’ Global Research & Analysis Team has a great Q&A about the “Bash” vulnerability, including an easy test for checking whether your system is vulnerable, on Securelist.com. There is some geek-speak throughout the Q&A but it could be helpful to some techie users and programmers.
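The vulnerability test referenced above is the widely published one-liner for the original bug, CVE-2014-6271. As an added example that is not part of the original post or of the Securelist Q&A, the script below wraps that test in a function so an administrator can run it against a given bash binary and log a patched/vulnerable verdict; the marker string and the default of testing the first `bash` in PATH are this example’s own choices.

```shell
#!/bin/sh
# Added example (not from the original post): self-check for CVE-2014-6271.
# Vulnerable bash versions, when importing a function definition from an
# environment variable, also execute any command that follows the closing
# brace. A fixed bash only defines the function (and newer fixed releases
# import functions only from specially named variables), so the trailing
# command is never run and the marker never appears in the output.
#
# Prints one of: patched | vulnerable | no-bash
# Exit status:    0       | 1          | 2
shellshock_check() {
    bash_bin="${1:-bash}"   # bash binary to test; default is the first one in PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The marker is only printed if bash executes the code appended to the
    # function body stored in variable x. The inner command is harmless.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# One log-friendly line: the bash version string alongside the verdict,
# so results from many hosts can be collected and compared.
shellshock_report() {
    verdict=$(shellshock_check "$@") || true
    ver=$("${1:-bash}" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver="unknown"
    echo "bash $ver: $verdict"
}

shellshock_report "$@"
```

Run it with no argument to test the default bash, or pass a path (for example an alternate build in /usr/local/bin) to test that one instead; a non-zero exit status from shellshock_check is what a monitoring job should alert on.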

The patching process for Apple users is described over at StackExchange, but be warned – according to Mashable, it requires a certain level of command-line knowledge to apply.

For general home users worried about security, watch for updates (esp. OS X and Android users) and pay attention to updates from Internet providers and manufacturers – particularly for hardware such as broadband routers. Also be wary of emails requesting information or instructing you to click links or run software to “fix” this bug.

Unfortunately this situation is only starting to manifest and metastasize and, as Kaspersky Lab chief executive Eugene Kaspersky said, “the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks.”

MORE INFORMATION

Some helpful sites and articles with fixes, explanations about various vulnerabilities and more are…

Red Hat’s Security Blog

Red Hat’s original post about vulnerability

“Bash” (CVE-2014-6271) vulnerability – Q&A by Kaspersky Labs’ Global Research & Analysis Team

U.S. Computer Emergency Readiness Team

Everything you need to know about the Shellshock Bash bug by Troy Hunt via TroyHunt.com

What you need to know about Shellshock, aka the “Bash Bug” by Mark Nunnikhoven @ Trend Micro

Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk by Daniel Cid @ Sucuri Security blog

Shellshock DHCP RCE Proof of Concept by TrustedSec.com

Major Bash Vulnerability Affects Linux, Unix, Mac OS X by Michael Mimoso @ ThreatPost

Worse than Heartbleed? by Jim Reavis @ Cloud Security Alliance

Shellshock: The ‘Bash Bug’ That Could Be Worse Than Heartbleed by Stan Schroeder @ Mashable

Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux by James Lyne @ Forbes

Unix/Linux Bash: Critical security hole uncovered by Steven J Vaughan-Nichols @ ZDNet

Shellshock: ‘Deadly serious’ new vulnerability found by Dave Lee @ BBC

Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm by Darren Pauli @ The Register

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack by Brad Chacos on PCWorld


Buzz buzz baby (first aid tips for insect bites and stings)

May 10, 2014

We see bees often here in Southern Arizona – especially when spring is in full bloom. But with bees come the chance of swarms and stings.

We primarily have Africanized bees… but, for the most part, they leave humans alone unless someone disturbs a hive or is in the wrong place at the wrong time.

A few years ago Bill and I were out in the front yard doing chores and heard — then saw — a swarm of bees coming down the middle of our street. The swarm then flew across our neighbor’s yard (across the street from us) so we figured it went into the wildlife corridor behind their home.

The next day we discovered the bees were hanging out in our neighbor’s mesquite tree so they called a bee removal team.

Before the team arrived Bill took this great pic of the bee mosh pit. And yes … the below bee ball is solid bees! Then the swarm flew away just before the removal team showed up.

bee ball

Since spring has sprung in many parts of the world, we wanted to share some basic first aid tips about insect bites & stings in general.

Things to watch for…

  • Stinger (Note: honeybees leave a stinger and venom sac)
  • Puncture or bite mark
  • Burning pain or Swelling
  • Allergic Reaction – Pain, itching, hives, redness or discoloration at site, trouble breathing, signs of shock (pale, cold, drowsy, etc.)
  • If a mosquito bite – watch for signs of West Nile Virus (most symptoms appear 2 to 15 days after being bitten): mild flu-like symptoms (fever, headache & body aches), mild skin rash and swollen lymph glands, or severe symptoms (severe headache, high fever, neck stiffness, confusion, shakes, coma, convulsions, muscle weakness, paralysis, meningitis or encephalitis)

What to do…

  • Move quickly and calmly away from area if there is a swarm, hive or nest nearby.
  • If a bee sting, remove stinger(s) by scraping them away with a credit card, knife or long fingernail. Don’t try to squeeze them out with your fingers or tweezers since this causes more venom to get into the victim.
  • Wash the wound with soap and water or rinse with hydrogen peroxide.
  • Cover with a bandage or clean cloth and apply ice pack or cold compress.
  • Watch for allergic reactions for a few days (see above).

To relieve pain from an insect bite or sting:

Activated charcoal – Make a paste using 2-3 capsules and a small amount of warm water. Dab the paste on the sting site and cover with gauze or plastic to keep it moist. This will help draw out venom so it collects on your skin. Note: the powder makes a black mess, but it is easily wiped off with a towel.

Baking Soda – Make a paste of 3 parts baking soda + 1 part warm water and apply to the sting site for 15-20 minutes.

Clay mudpack – If in the wilderness, put a mudpack over injury and cover with bandage or cloth. The mudpack must be a mix of clay-containing soil since clay is the key element, but don’t use if any skin is cracked or broken.

Meat tenderizer – Mixing meat tenderizer (check ingredient list for “papain”) with warm water and applying to the sting will help break down insect venom. (Papain is a natural enzyme derived from papaya.)

Urine (Pee) – Another remedy useful in the wilderness sounds gross (but has a history of medical applications in a number of cultures): urine (pee), which reduces the stinging pain. Unless you have a urinary tract infection, the pee will be sterile and at the least won’t do any harm.

Some other potential pain-relieving and anti-inflammatory remedies:

  • fresh aloe – break open a leaf or use 96-100% pure aloe gel
  • lemon juice – from a fresh lemon
  • vitamin E – oil from a bottle or break open a few gel capsules
  • store brands – if over-the-counter methods preferred, use calamine cream or lotion and aspirin or acetaminophen

Things to do to avoid mosquito bites …

  • Stay indoors at dawn, dusk, and early evenings when mosquitoes are most active.
  • Wear long-sleeved shirts and long pants when outdoors.
  • Spray clothing and exposed skin with repellent containing DEET (N,N-diethyl-meta-toluamide) – the higher the % of DEET, the longer you’re protected from bites (6.65% lasts almost 2 hours; 20% lasts about 4 hours, etc.). Two other repellents are picaridin and oil of lemon eucalyptus.
  • Don’t put repellent on small children’s hands since it may irritate their mouths or eyes.
  • Get rid of “standing water” sources around yard and home since they are breeding grounds for skeeters.
  • The CDC says Vitamin B and “ultrasonic” devices are NOT effective in preventing mosquito bites!
  • Learn more about West Nile Virus


Above extracted from IT’S A DISASTER! …and what are YOU gonna do about it? A Disaster Preparedness, Prevention & Basic First Aid Manual by Bill & Janet Liebsch

