Shellshock Bash bug impacts Linux, Unix and Mac systems (and hackers are already exploiting it)

September 25, 2014

A serious flaw has been found in a software component known as Bash (Bourne Again Shell), the default command shell on many Linux / Unix systems as well as Apple’s Mac OS X.

The bug, dubbed Shellshock and tracked as CVE-2014-6271, can potentially be used to remotely take control of almost any system that exposes Bash to untrusted input, researchers said. The bug, which researchers say has gone undetected in the software for at least 22 years, was publicly disclosed yesterday, 24-Sep-2014.

According to Securelist.com … “it is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. Basically it lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables, but not every system is vulnerable since certain conditions must be met. … The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.”
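To make the mechanism in that quote concrete, here is an added example (written for this post, not code from Securelist, Red Hat or the Bash project). Bash imports any environment variable whose value begins with “() {” as a function definition, and the flaw is that it kept executing whatever followed the function body; CGI servers copy HTTP headers into environment variables, which is how a browser request reaches Bash. The module below recognises that probe pattern, scans a couple of constructed access-log lines for it, and runs the same one-line tests for CVE-2014-6271 and CVE-2014-7169 that the Securelist Q&A and Red Hat describe against the local bash. The log lines and IP addresses are made up for the example.

```python
"""Added example, not code from the original post or the sources it quotes.

Bash's function-export feature: any environment variable whose value starts
with "() {" is parsed as a function definition when bash starts.  The bug
(CVE-2014-6271) is that bash kept parsing and executed whatever followed the
function body.  CGI web servers copy request headers into environment
variables (User-Agent becomes HTTP_USER_AGENT), which is how a crafted
header reaches bash.
"""
import os
import re
import subprocess
import tempfile

# What bash's importer keys on.  Probes seen in the wild vary the whitespace,
# e.g. "() { :;};" or "() { :; };", so allow any spacing between the tokens.
_PROBE = re.compile(r"\(\)\s*\{")


def is_shellshock_probe(value: str) -> bool:
    """True if a header or env value begins with a bash function definition."""
    return _PROBE.match(value.strip()) is not None


def find_probes_in_log(lines):
    """Return (line_number, offending_field) for each combined-format access
    log line whose quoted fields (request, Referer, User-Agent) carry a probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        for field in re.findall(r'"([^"]*)"', line):
            if is_shellshock_probe(field):
                hits.append((n, field))
                break
    return hits


def check_local_bash(bash="bash"):
    """Run the two standard one-liners against the local bash.

    Returns {"CVE-2014-6271": bool, "CVE-2014-7169": bool}, or None if bash
    cannot be run.  Only environment variables are set; the payloads are
    harmless (an echo and an empty redirect into a temporary directory)."""
    env = {"PATH": "/usr/bin:/bin"}
    try:
        with tempfile.TemporaryDirectory() as cwd:
            # CVE-2014-6271: the "echo vulnerable" after the function body
            # must not execute on a patched bash.
            r = subprocess.run([bash, "-c", "echo test"],
                               env={**env, "x": "() { :;}; echo vulnerable"},
                               capture_output=True, text=True, timeout=10)
            cve_6271 = "vulnerable" in r.stdout
            # CVE-2014-7169: after the first patch an incomplete function body
            # still confused the parser, turning the command into a redirect
            # that creates a file named "echo" in the working directory.
            subprocess.run([bash, "-c", "echo test"],
                           env={**env, "X": "() { (a)=>\\"},
                           cwd=cwd, capture_output=True, text=True, timeout=10)
            cve_7169 = os.path.exists(os.path.join(cwd, "echo"))
    except (OSError, subprocess.TimeoutExpired):
        return None
    return {"CVE-2014-6271": cve_6271, "CVE-2014-7169": cve_7169}


# Constructed sample log lines (not real traffic): a normal request and a probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
]

if __name__ == "__main__":
    for n, field in find_probes_in_log(SAMPLE_LOG):
        print(f"line {n}: Shellshock probe in {field!r}")
    print("local bash:", check_local_bash())
```

On a patched system `check_local_bash()` reports both CVEs as `False`; a hit in `find_probes_in_log` tells you someone is probing, not that the exploit worked, so pair it with a check of what the CGI scripts on that host actually do.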

Chris Griffith, Senior Technology Journalist @ The Australian writes… “The security hole poses an enormous threat to everything from computers to sewerage treatment plants, pump networks, to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers. That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges. It opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of. …”

According to Trend Micro … “LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT) so the reach of this is very broad. Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.”

Shellshock rates 10 out of 10 on the CVSS vulnerability scale. For perspective, Heartbleed (which Bruce Schneier famously called “an 11” on a scale of 1 to 10) only let an attacker read chunks of server memory that then had to be sifted for anything useful, whereas Shellshock lets an attacker inject commands straight into a “shell” and have them run.

Several exploits have already been identified in the wild (read here, here and here) and some experts are concerned this bug is “clearly wormable” and may get much worse in the coming months.

But not all security experts agree this is “Heartbleed 2.0”. Brad Chacos writes in PCWorld … “Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant. Ellis writes, ‘The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.’ …”

No one really knows for sure how bad things could get with Shellshock, but one thing everyone agrees on is system administrators and developers need to patch this Bash bug asap.

PATCH AVAILABLE

Patches are available through the links below, but realize there will most likely be a series of patches going forward.

US-CERT recommends administrators and users review CVE-2014-7169 in the National Vulnerability Database as well as the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. As of 24-Sep-2014 GNU Bash patch is also available for experienced users and administrators to implement on all current versions of Bash, from 3.0 to 4.3.

Some security researchers warn that the initial patches are “incomplete” (the follow-up issue is tracked as CVE-2014-7169) and would not fully secure systems. Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug. Read more at RedHat.com

WHAT CAN I DO?

As Mashable explains… “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”

Kaspersky Lab’s Global Research & Analysis Team has a good Q&A about the “Bash” vulnerability on Securelist.com, including an easy one-line test to check whether your system is vulnerable. There is some geek-speak throughout the Q&A but it could be helpful to techie users and programmers.

The patching process for Apple users is described over at StackExchange, but be warned – according to Mashable, it requires a certain level of command-line knowledge to apply.

For general home users worried about security, watch for updates (esp. OS X and Android users) and pay attention to updates from Internet providers and manufacturers – particularly for hardware such as broadband routers. Also be wary of emails requesting information or instructing you to click links or run software to “fix” this bug.

Unfortunately this situation is only starting to manifest and metastasize and, as Kaspersky Lab chief executive Eugene Kaspersky said, “the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks.”

MORE INFORMATION

Some helpful sites and articles with fixes, explanations about various vulnerabilities and more are…

Red Hat’s Security Blog

Red Hat’s original post about vulnerability

“Bash” (CVE-2014-6271) vulnerability – Q&A by Kaspersky Labs’ Global Research & Analysis Team

U.S. Computer Emergency Readiness Team

Everything you need to know about the Shellshock Bash bug by Troy Hunt via TroyHunt.com

What you need to know about Shellshock, aka the “Bash Bug” by Mark Nunnikhoven @ Trend Micro

Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk by Daniel Cid @ Sucuri Security blog

Shellshock DHCP RCE Proof of Concept by TrustedSec.com

Major Bash Vulnerability Affects Linux, Unix, Mac OS X by Michael Mimoso @ ThreatPost

Worse than Heartbleed? by Jim Reavis @ Cloud Security Alliance

Shellshock: The ‘Bash Bug’ That Could Be Worse Than Heartbleed by Stan Schroeder @ Mashable

Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux by James Lyne @ Forbes

Unix/Linux Bash: Critical security hole uncovered by Steven J Vaughan-Nichols @ ZDNet

Shellshock: ‘Deadly serious’ new vulnerability found by Dave Lee @ BBC

Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm by Darren Pauli @ The Register

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack by Brad Chacos on PCWorld


Heartbleed (what it is, how to protect yourself + tips about passwords)

April 11, 2014

[Heartbleed logo by Leena Snidate, Codenomicon Ltd]

A recently discovered flaw in OpenSSL — a cryptographic library used by many popular social networking websites, search engines, banks, and online shopping sites to keep personal and financial data secure — has potentially exposed a majority of the internet. Not all secure sites use OpenSSL (a secure site typically has an “https://” prefix and a little padlock in the address line), but about 66% of websites do … so it’s a big deal.

The bug is called Heartbleed because it piggybacks on a feature called heartbeat, and it affects specific versions of the widely-used OpenSSL cryptographic library (the 1.0.1 series, up to 1.0.1f). Basically a missing bounds check, introduced in early 2012 and overlooked for more than two years, allows a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, which may allow an attacker to decrypt traffic or perform other attacks.

In other words, anyone who knew this bug existed could repeatedly pull chunks of up to 64 KB of a website server’s memory, in the clear, and pick out usernames, passwords, credit card details, and other sensitive information from them. It also allowed a server’s private encryption keys to be stolen. Once stolen, these keys can be used by criminals to decrypt data sent between a website’s server and a user of that website. And, since the attack leaves no trace in normal server logs, system administrators would have no clue they were breached.
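To show exactly what “missing bounds check” means, here is an added example written for this post (not OpenSSL’s own code, which is C): a small Python model of the heartbeat handler before and after the 1.0.1g fix. A heartbeat record is one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding, and the peer echoes the payload back. The “memory” here is a bytes object constructed for the example, with a fake cookie placed right after the record where, on a real server, other connections’ data or keys would sit; the secret and the record contents are made up.

```python
"""Added example, not part of the original post and not OpenSSL's code.

Models ssl/t1_lib.c tls1_process_heartbeat(): OpenSSL 1.0.1 to 1.0.1f trusted
the two-byte payload length in the request, so a request claiming a large
payload but carrying a few bytes makes the server copy whatever follows the
record in memory into the response.  1.0.1g added the length checks.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16          # minimum padding bytes a heartbeat must carry (RFC 6520)


def build_heartbeat(payload: bytes, claimed_length=None) -> bytes:
    """Encode a heartbeat request; claimed_length lets us lie, as the exploit does."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def _parse_header(memory: bytes):
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    return hbtype, payload_len


def vulnerable_handler(memory: bytes, record_length: int):
    """OpenSSL <= 1.0.1f: the claimed payload length is never compared with the
    real record length, so the copy runs past the record into adjacent memory."""
    hbtype, payload_len = _parse_header(memory)
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[3:3 + payload_len]           # the over-read happens here
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def fixed_handler(memory: bytes, record_length: int):
    """OpenSSL 1.0.1g: drop records too short for header + padding, and drop
    any request whose claimed payload does not fit inside the record."""
    if record_length < 1 + 2 + PADDING:
        return None
    hbtype, payload_len = _parse_header(memory)
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_length:
        return None                               # silently discarded, per the patch
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


# Constructed "process memory": the malicious record, then bytes that on a real
# server would belong to other connections (cookies, passwords, private keys).
SECRET = b"Cookie: session=3f9c1a; user=alice"
ATTACK = build_heartbeat(b"hi", claimed_length=80)    # claims 80 bytes, carries 2
MEMORY = ATTACK + b"\x00" * 8 + SECRET + b"\x00" * 64
HONEST = build_heartbeat(b"ping")                     # a well-formed request


def leaked_bytes(handler) -> bytes:
    """Bytes the handler echoes back that were NOT part of the request."""
    resp = handler(MEMORY, len(ATTACK))
    if resp is None:
        return b""
    echoed = resp[3:-PADDING]
    return echoed[len(b"hi"):]


def echoed_payload(handler) -> bytes:
    """What the handler returns for the honest request (should be b'ping')."""
    resp = handler(HONEST + b"\x00" * 32, len(HONEST))
    return b"" if resp is None else resp[3:3 + len(b"ping")]


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_bytes(vulnerable_handler))
    print("fixed leaks:     ", leaked_bytes(fixed_handler))
    print("honest echo:     ", echoed_payload(fixed_handler))
```

Note what the fix does not do: a well-formed heartbeat still works exactly as before, so disabling heartbeats entirely is optional hardening, while the length check is the actual repair. The model also shows why the attack is silent, since nothing in the exchange is an error from the server’s point of view.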

Renowned security expert Bruce Schneier said of Heartbleed, “On a scale of 1 to 10, it is an 11.”

What kinds of devices are impacted..?

MIT Technology Review explains the Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.

Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Philip Lieberman, president of security company Lieberman Software. “ISPs now have millions of these devices with this bug in them,” he says. The same issue likely affects many companies, because plenty of enterprise-grade network hardware and industrial and business automation systems also rely on OpenSSL, and those devices are also rarely updated.

Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices — ranging from IT equipment to traffic control systems — that are improperly configured or have not been updated to patch known flaws. (See MIT’s 2013 article called “What happened when one man pinged the whole Internet” [i.e. 3.7 billion IP addresses] for some disturbing findings about these types of devices.) 

So what does this mean to me..?

If you are a business, a developer or system administrator … upgrading to OpenSSL version 1.0.1g resolves this vulnerability, but realize your servers’ private keys may already have been stolen, so generate new keys, get new certificates issued and revoke the old ones. US-CERT recommends administrators and users review Vulnerability Note VU#720951 for additional information and mitigation details. If you cannot upgrade right away, OpenSSL can be rebuilt with the heartbeat extension disabled (the -DOPENSSL_NO_HEARTBEATS build flag), although it is best to upgrade – visit http://heartbleed.com to learn more. Also … once your system is upgraded and re-keyed, businesses and site owners should notify all users the site is secure and encourage everyone to change their passwords as quickly as possible.

For everyone else … there’s not much we can do other than avoid the Internet (okay … so that’s not realistic) … but you can be proactive and verify all the sites you have accounts with are fixed and get ready to change passwords as explained below. As ZDNet writes… if your bank, favorite online merchant, email, cloud and/or software provider hasn’t fixed Heartbleed yet [or advised that their site didn’t use the buggy version], close your accounts and find new service providers.

What can I do to protect myself..?

Realize some sites don’t even use OpenSSL, others never moved to the OpenSSL 1.0.1 series (released in 2012) that introduced the bug so they aren’t vulnerable, and many others patched the Heartbleed flaw as soon as it became known on April 7, 2014. And hopefully any and all websites impacted by this vulnerability notify users once their systems are updated and re-keyed and recommend everyone log on and change their passwords.

Yes, it is a pain and will be time-consuming, but you should get in the habit of changing passwords every few months anyway.

And realize there will be some scumbags who will take advantage of this Heartbleed scare so be on the lookout for phishing emails requesting you click a link to change your password. The best way to ensure the security and integrity of any of your accounts is to go directly to each website and log in there to manage your secure data.

Mashable has compiled a Heartbleed Hit List of sites possibly affected by this flaw and advises whether you should change your password on sites like Facebook, Instagram, Tumblr, Google, Yahoo mail and more.

If you’re not sure whether a site you use is vulnerable, visit https://www.ssllabs.com/ssltest/ to perform an analysis of the configuration of any SSL web server on the public Internet. (If everything’s green, it has probably been fixed.) Another tool you can use to check sites is http://filippo.io/Heartbleed/.

Also, if you use Chrome as your browser, a browser extension called Chromebleed has just been released that tests a site before you visit it and displays a message if it’s affected by Heartbleed. (Note: Some early reviews weren’t so good, so read the description and reviews before installing.) But keep in mind these tools are just resources and may not be totally reliable.

The best solution is to visit each and every site you use that holds sensitive information (e.g. banking, email, social media, etc.) to find out if they have posted a public statement or link about the Heartbleed issue — maybe they weren’t even impacted or vulnerable — but hopefully they’ll say something online or in a newsletter.

If they don’t mention anything about Heartbleed, call, chat or email to ask if they had a problem with it. And if a site was fixed … you should change your password.

Many experts suggest the best thing to do is change all your passwords now. BUT… realize you may have to change some of them again since there may be some websites that are still buggy meaning the secure data is still vulnerable.

It’s totally your call, but it is wise to change your passwords often anyway … and you really should change them on any and all sites that have been patched.

Tips about passwords

  • DO NOT use the same password for all your accounts! And make sure all your email accounts have unique passwords since hackers with access to your email can visit other web sites (e.g. banks, Paypal, email providers, etc.) and submit a “forgot my password” request and intercept the email with the reset password.
  • Create long passwords (at least 12 characters; length matters more than cleverness) using a combination of letters, numbers and special characters … change them often … and don’t share them with others. Substituting numbers or special characters for letters in words, acronyms or phrases helps a little, but password-cracking tools try those substitutions automatically, so don’t rely on them alone. For example, “1loVe$unnyd@ys” is stronger than “ilovesunnydays”, but a longer phrase of several unrelated words is stronger still.
  • Pet and family names are not good to use since hackers or criminals may have access to your personal data and/or your posts on Twitter, Instagram, Facebook, etc.
  • Don’t use the “remember my password” option on accounts that contain sensitive data (like credit card data, etc.) since 1) typing them every time can help you remember passwords … and 2) if your PC or handheld device got stolen the perp could potentially access your accounts.
  • Some people invest in password manager services and apps, such as LastPass, KeePass, PasswordBox and 1Password, which keep track of passwords and suggest especially strong ones. However, some security experts warn against creating a single point of potential failure with all your passwords, especially if the service stores your passwords in the cloud. PCMag has some tips on various password managers.

Also…

  • Make sure computers and all wireless devices have current anti-virus software and firewalls, schedule them to scan daily or weekly, and update virus patterns often. If you own or manage a business, encourage employees to protect their personal home devices too.
  • Set security preferences as high as possible on Internet browsers and anti-virus packages.
  • Although it is best to not open emails or attachments from unknown sources, that’s not always feasible – especially in the business world. But consider saving the attached files into a temporary directory and scan them before opening.
  • See more tips about protecting your devices from cyber threats in our October 2013 enews

For more information about Heartbleed:

Heartbleed.com (official site with data + tips for developers and general public)

OpenSSL Project (OpenSSL community with updates, source code, etc.)

US-CERT OpenSSL ‘Heartbleed’ Vulnerability

Heartbleed: What you should know (WaPo article by Gail Sullivan)

What you need to know about the Heartbleed bug (Good Q & A)

How Heartbleed Works (Good PC Mag SecurityWatch article)

Stay safe (and secure) out there!  j & B

