'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild

CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OSX, and IoT endpoints are all at risk.

"Shellshock," the critical remote command execution Bash bug disclosed yesterday, is now being exploited in the wild. Some affected software companies have released patches (which only partially fix the problem), but many others have not -- which is troubling, because Shellshock can be found all over the place.

Trend Micro describes this vulnerability as "plague-like," dwarfing Heartbleed, and hitting "approximately a half-billion Web servers and other Internet-connected devices." Shellshock gives attackers command access to Linux- and UNIX-based systems that use Bash. Therefore, industry experts say, there are a huge number of potential attack vectors -- Mac OSX devices, Android devices, OpenBSD, DHCP clients, SSH servers, web servers using CGI or Apache (including hosting servers), home routers, Bitcoin Core, and embedded systems in other Internet of Things objects like medical devices, digital cameras, and televisions.

How it works
Bash is the command shell on most Linux- and UNIX-based systems, and a parent process can hand it shell functions through environment variables: when Bash starts, it imports any variable whose value begins with "() {" as a function definition. Vulnerable versions did not stop parsing at the end of that definition, so any commands appended after the closing brace ran as soon as the shell was invoked, with no authentication and no further interaction. Though Bash itself is local, the Shellshock vulnerability "allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example," Jim Reavis of the Cloud Security Alliance wrote yesterday.

Daniel Ingevaldson, CTO of Easy Solutions, explains it this way: "This bug is not a remote 'code execution' vulnerability [in which] tricks are required to actually do something interesting. It's a remote 'command execution' vulnerability that may allow remote attackers to simply run commands on the remote system."

Exploits in the wild
Proof-of-concept exploits released yesterday showed that only one simple line of code was needed to take advantage of Shellshock.

Since then, exploits have appeared in the wild.

"We already noticed attacks against web servers earlier today, and they are very easy to implement and carry," says a representative from BitDefender. "The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent," a request header that identifies the client's browser. A CGI-enabled web server copies it, like every other request header, into an environment variable (HTTP_USER_AGENT) before it launches the script, so whatever text an attacker places in the header is handed to Bash when the script, or anything the script calls, runs under Bash.
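
The two halves of the attack described above, the header-to-environment step and the function-definition marker, as an added example that is not code from the article or from any vendor quoted in it. It builds the CGI meta-variables a server exports for a request (the RFC 3875 naming rule), flags any variable whose value starts with the Shellshock marker, and runs the same signature over constructed Apache "combined" log lines (addresses from the RFC 5737 documentation ranges) to show what a probe such as the one BitDefender describes looks like in server logs.

```python
# Added example, not code from the article or from any vendor quoted in it.
# It shows (1) how a CGI/1.1 gateway turns request headers into the environment
# a script, and therefore Bash, inherits, and (2) the marker Shellshock probes
# carry, checked against constructed web-server log lines.
import re
from typing import Dict, List, Tuple


def cgi_environment(method: str, script: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Build the CGI meta-variables a server exports for one request (RFC 3875).

    A request header becomes HTTP_<NAME>: upper-cased, hyphens to underscores.
    Content-Type and Content-Length are the two headers exported without the
    HTTP_ prefix.
    """
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": script,
    }
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value
        else:
            env["HTTP_" + key] = value
    return env


# Vulnerable Bash imported any environment variable whose value began with
# "() {" as a shell function and went on executing the text after the closing
# brace. The signature below is deliberately looser than Bash's exact check
# (optional whitespace) so that sloppy probes are still flagged.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")


def find_shellshock_vars(env: Dict[str, str]) -> List[str]:
    """Names of variables whose value starts with the function-definition marker."""
    return sorted(name for name, value in env.items()
                  if SHELLSHOCK_MARKER.match(value.lstrip()))


# Apache "combined" log format: Referer and User-Agent are the last two quoted
# fields, so a payload sent in either header is recorded here.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, header_field, payload) for every line carrying the marker."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = COMBINED_LOG.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; a real scanner would log and skip it
        for field in ("referer", "user_agent"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits


# Constructed sample log (RFC 5737 documentation addresses): a probe in the
# User-Agent, an ordinary browser request, and a probe in the Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c id"
198.51.100.20 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:13:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :; }; /bin/ping -c 1 198.51.100.9" "curl/7.37.0"
""".splitlines()


if __name__ == "__main__":
    env = cgi_environment("GET", "/cgi-bin/status",
                          {"Host": "www.example.test", "User-Agent": "() { :;}; echo vulnerable"})
    print("tainted variables:", find_shellshock_vars(env))
    for ip, field, payload in scan_access_log(SAMPLE_LOG):
        print(f"{ip} sent a Shellshock probe in {field}: {payload}")
```

The log scan searches the whole field rather than anchoring at the start, and accepts whitespace inside the marker, because a signature's job is to surface attempts, including ones that would not have triggered Bash; confirming whether a flagged host actually ran the payload is a separate step.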

Because Bash is used so broadly, Shellshock exploits can worm their way through a complex computing environment, and they can be used to build botnets. Using a honeypot, researchers at AlienVault have already seen evidence of this.

"The majority of [the attackers] are only probing to check if systems are vulnerable," says Jaime Blasco, labs director at AlienVault. "On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks."

Ronnie Tokazowski of PhishMe wrote today:

    With the number of Internet-facing devices vulnerable to this, it would be very easy for an attacker to turn this into a worm, and bore itself past external gateways into homes. When was the last time you patched your TV? And with the current scan of the entire Internet going on, an attacker could easily turn this into a fork bomb, hogging CPU resources, and crashing systems around the globe.

Darien Kindlund, director of threat research at FireEye, called out the targeted attack possibilities of the bug. "Advanced attackers can leverage [a compromised] website in further strategic web compromises like watering hole attacks against website visitors," he says. "This is precisely how many targeted attacks occur with an exceptionally high degree of success."

Kindlund made further comments about Shellshock in a blog post, stating flatly: "This bug is horrible."

Worse than Heartbleed?
Kindlund maintains that Shellshock is worse than Heartbleed, because it "affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages."

Secunia says that Heartbleed "'only' enabled hackers to extract information." However, "Bash enables hackers to execute commands to take over your servers and systems."

Ingevaldson believes large hosting providers might be the most prominent target. "No crashes, no complexity, easy to test, easy to exploit," he says. "On the CVSS scale it's all 10s across the board. High impact, easy to exploit, no authentication required, low access complexity. Ouch."

Reavis advised yesterday:

    To test if your system is vulnerable just try this on bash:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    If you're vulnerable it'll print:

    vulnerable
    this is a test

    If you've updated Bash you'll only see

    this is a test
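
The same one-line probe, wrapped as an added example (not code from the article or from Reavis) so that it can run from an inventory script against every copy of Bash on a host rather than being typed by hand. The candidate interpreter paths are an assumption; extend them for your own images. Note that "not vulnerable" is returned both for a patched Bash and for an interpreter that is not Bash at all (a /bin/sh that is dash, for instance), so pair the verdict with the binary's version when reporting.

```python
# Added example, not code from the article: the manual Shellshock probe as a
# function, plus a small sweep over the places Bash usually lives.
import os
import shutil
import subprocess
from typing import Dict, List, Optional

# Same payload as the manual test: "() { :;}" is an empty exported function,
# "echo vulnerable" is the trailing command a vulnerable Bash runs on startup.
PROBE_VALUE = "() { :;}; echo vulnerable"
CANARY = "this is a test"


def probe_bash(bash_path: Optional[str] = None, timeout: float = 10.0) -> str:
    """Return 'vulnerable', 'not vulnerable', 'not found' or 'error' for one interpreter."""
    path = bash_path if bash_path is not None else shutil.which("bash")
    if not path or not os.path.isfile(path) or not os.access(path, os.X_OK):
        return "not found"
    env = dict(os.environ)
    env["x"] = PROBE_VALUE  # the variable name is arbitrary; only the value matters
    try:
        proc = subprocess.run([path, "-c", f"echo {CANARY}"], env=env,
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.SubprocessError):
        return "error"
    # Only stdout is a signal. A Bash carrying the first fix prints a warning
    # about ignoring the function definition on stderr; that is not a hit.
    if "vulnerable" in proc.stdout.splitlines():
        return "vulnerable"
    return "not vulnerable"


# Assumed locations; the set differs per distribution and container image.
CANDIDATE_PATHS = ["/bin/bash", "/usr/bin/bash", "/usr/local/bin/bash", "/bin/sh"]


def audit_host(paths: List[str] = CANDIDATE_PATHS) -> Dict[str, str]:
    """Probe each candidate path and report the ones that exist."""
    results: Dict[str, str] = {}
    for p in paths:
        verdict = probe_bash(p)
        if verdict != "not found":
            results[p] = verdict
    return results


if __name__ == "__main__":
    for path, verdict in audit_host().items():
        print(f"{path}: {verdict}")
```

Run it under the same user the CGI scripts or cron jobs run as, since a different interpreter may be first on that user's PATH than on an administrator's.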

Many Linux distributions, including Red Hat, Ubuntu, and Arch, have provided patches for Shellshock, but so far there are no patches available for Mac OSX and Android. Regardless, the efficacy of the patches could be limited, since many of the Linux distros are embedded in IoT devices that users rarely update.

To remediate Shellshock, security experts advise:

  • Upgrade to the latest versions of Bash.
  • Tatu Ylönen, inventor of SSH and CEO of SSH Communications Security, says, "An immediate workaround is to use the AcceptEnv command option in /etc/sshd_config to reject any environment variables from the client (typically just delete the AcceptEnv line from the default configuration file)."
  • Watch for forthcoming patches.
  • Consider disabling Bash until patches are available.
  • Consider rewriting scripts that call Bash until a patch is available.
  • Temporarily switch the default shell on desktops running Bash.
  • Use intrusion prevention systems and/or network-based heuristic monitoring to keep tabs on.

More information is available in US-CERT's advisory.

Not what it was designed for
Shellshock is another example of how resourceful developers pushed something far past what it was meant to do -- and ended up creating security holes they had never foreseen.

"I suspect that many of the Internet of Things, or Internet of Everything, devices that have been distributed have Linux roots," says Alan Dundas, vice president and product architect for Authentify. "How will the small CPU in your thermostat prevent malware introduced via a Bash flaw from sniffing around whatever else is connected to it? It probably wasn't designed to have that capability. Therein lies the fatal error of connecting lots of simple items into a complex network without thoroughly evaluating what could go wrong."

"This is potentially worse than Heartbleed," says Dundas, "because many things Linux is embedded in were never intended to be patched."

Like Heartbleed, Shellshock is a vulnerability in open-source software.

"I see this as a failure in the mindset of the open-source community where everyone waits for everyone else to do something or find something," says Chris Stoneff, director of professional services for Lieberman Software. "One of the interesting things happening with so much bashing of closed-source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OSX have gained in recent years to would-be attackers. It has shone a light on one of the biggest lies perpetrated on people: We are not vulnerable because we don't use Microsoft. Well, the proof is now here, and it's time for Linux and OSX and UNIX to take some heat."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Dan Euritt
User Rank: Apprentice
9/26/2014 | 7:56:13 PM
Re: The many eyes of open source missed this one
This sort of thing makes me glad that I went through the Windows server hassles, instead of using Linux.

Thanks Dark Reading for a great article.
User Rank: Strategist
9/26/2014 | 10:12:02 AM
Re: The many eyes of open source missed this one
too many cooks spoil the broth
User Rank: Apprentice
9/26/2014 | 10:08:12 AM
Re: The many eyes of open source missed this one
one thing the open source/free software community doesn't deal well with is the fact that just because you have access to the source code doesn't mean you can do anything with it.

User Rank: Ninja
9/26/2014 | 9:06:18 AM
Re: The many eyes of open source missed this one
This is very alarming. My team is trying to see if we can use our vulnerability scanner to weed out this instance within our environment. With the internet of things, this will be a daunting task because we are not entirely certain what is leveraging these bash versions.

Has anyone definitively planned an initiative to efficiently pull this data and mitigate effectively? If so, what steps are you taking? (At a high level, doesn't need to be granular)
User Rank: Ninja
9/26/2014 | 8:32:26 AM
SCADA systems might have a big problem here.
Although I do not maintain any SCADA systems, it occurred to me last night as I patched my server environments that the Shellshock bug may have substantial impact on SCADA relevant systems. I'm sure a SCADA security or administration expert would have more info in this regard. I hope I am wrong in this assumption, but I get the sense otherwise.
Charlie Babcock
User Rank: Ninja
9/25/2014 | 11:09:05 PM
The many eyes of open source missed this one
This is a serious bug that apparently has been around almost as long as Bash itself, since version 1.3 or 22 years. Whew. It's one that has eluded the rule that "the many eyes of open source code inspection" will find all bugs.