Attacks/Breaches
9/25/2014
05:20 PM

'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild

CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OSX, and IoT endpoints are all at risk.

"Shellshock," the critical remote command execution Bash bug disclosed yesterday, is now being exploited in the wild. Some affected software companies have released patches (which only partially fix the problem), but many others have not -- which is troubling, because Shellshock can be found all over the place.

Trend Micro describes this vulnerability as "plague-like," dwarfing Heartbleed, and hitting "approximately a half-billion Web servers and other Internet-connected devices." Shellshock gives attackers command access to Linux- and UNIX-based systems that use Bash. Therefore, industry experts say, there are a huge number of potential attack vectors -- Mac OSX devices, Android devices, OpenBSD, DHCP clients, SSH servers, web servers using CGI or Apache (including hosting servers), home routers, Bitcoin Core, and embedded systems in other Internet of Things objects like medical devices, digital cameras, and televisions.

How it works
Bash is the local shell on most Linux- and UNIX-based systems. When it starts, it imports environment variables, and a variable can carry a function definition; the bug is that Bash also runs any code appended after that definition as soon as the shell is invoked. Though Bash is local, the Shellshock vulnerability "allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example," Jim Reavis of the Cloud Security Alliance wrote yesterday.

Daniel Ingevaldson, CTO of Easy Solutions, explains it this way: "This bug is not a remote 'code execution' vulnerability [in which] tricks are required to actually do something interesting. It's a remote 'command execution' vulnerability that may allow remote attackers to simply run commands on the remote system."

Exploits in the wild
Proof-of-concept exploits released yesterday showed that only one simple line of code was needed to take advantage of Shellshock.

Since then, exploits have appeared in the wild.

"We already noticed attacks against web servers earlier today, and they are very easy to implement and carry," says a representative from BitDefender. "The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent," a string that tells the web server what type of browser is being used, so the server will know how to format data before sending it.
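As an added example (not code from the article or from BitDefender), the POSIX shell functions below flag the probe pattern just described, a Bash function definition `() {` carried in a request header such as User-Agent, in combined-format web access log lines. The log file, its four entries, the CGI path and the IP addresses are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the article: spot Shellshock probes in a
# combined-format web access log. A probe carries a Bash function definition,
# "() {", inside a request header such as User-Agent or Referer, which the
# web server copies into an environment variable before running a CGI script.
# The log below is constructed for this example.

# Print every log line carrying the "() {" marker anywhere in its header fields.
shellshock_probe_lines() {
    grep -E '\(\) ?\{' "$1" || true
}

# Total number of probe lines in the log file given as $1.
shellshock_probe_count() {
    shellshock_probe_lines "$1" | wc -l | tr -d ' '
}

# Probe lines that targeted a CGI path, the usual target for this bug.
shellshock_cgi_probe_count() {
    shellshock_probe_lines "$1" | grep -c '/cgi-bin/' || true
}

# Distinct source addresses that sent probes (first log field), for blocklist review.
shellshock_probe_sources() {
    shellshock_probe_lines "$1" | awk '{print $1}' | sort -u
}

# Constructed sample log: lines 2 and 4 are probes, from two different sources;
# line 4 hides the marker in the Referer field rather than the User-Agent.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:17:20:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:17:20:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [25/Sep/2014:17:20:03 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "curl/7.30.0"
192.0.2.77 - - [25/Sep/2014:17:20:04 +0000] "GET /index.php HTTP/1.1" 404 209 "() { :;}; echo probe" "Mozilla/4.0"
EOF

printf 'probe lines:      %s\n' "$(shellshock_probe_count "$SAMPLE_LOG")"
printf 'CGI probe lines:  %s\n' "$(shellshock_cgi_probe_count "$SAMPLE_LOG")"
printf 'probe sources:\n'
shellshock_probe_sources "$SAMPLE_LOG" | sed 's/^/  /'
```

The marker is matched anywhere on the line rather than only in the User-Agent field because the web server exports several headers (User-Agent, Referer, Cookie and others) into the CGI environment, so a probe can arrive in any of them. Point the functions at a real access log to review hits; a 404 on the probed path does not mean the request was harmless, since the environment is set up before the script is looked up.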

Because Bash is used so broadly, Shellshock exploits can be used to worm their way through a complex computing environment, and they could be used to create botnets. Using a honeypot, researchers at AlienVault have already seen evidence of this.

"The majority of [the attackers] are only probing to check if systems are vulnerable," says Jaime Blasco, labs director at AlienVault. "On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks."

Ronnie Tokazowski of PhishMe wrote today:

    With the number of Internet-facing devices vulnerable to this, it would be very easy for an attacker to turn this into a worm, and bore itself past external gateways into homes. When was the last time you patched your TV? And with the current scan of the entire Internet going on, an attacker could easily turn this into a fork bomb, hogging CPU resources, and crashing systems around the globe.

Darien Kindlund, director of threat research at FireEye, called out the targeted attack possibilities of the bug. "Advanced attackers can leverage [a compromised] website in further strategic web compromises like watering hole attacks against website visitors," he says. "This is precisely how many targeted attacks occur with an exceptionally high degree of success."

Kindlund made further comments about Shellshock in a blog post, stating flatly: "This bug is horrible."

Worse than Heartbleed?
Kindlund maintains that Shellshock is worse than Heartbleed, because it "affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages."

Secunia says that Heartbleed "'only' enabled hackers to extract information." However, "Bash enables hackers to execute commands to take over your servers and systems."

Ingevaldson believes large hosting providers might be the most prominent target. "No crashes, no complexity, easy to test, easy to exploit," he says. "On the CVSS scale it's all 10s across the board. High impact, easy to exploit, no authentication required, low access complexity. Ouch."

Remediation
Reavis advised yesterday:

    To test if your system is vulnerable just try this on bash:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    If you're vulnerable it'll print:

    vulnerable
    this is a test

    If you've updated Bash you'll only see

    this is a test

Many Linux distributions, including RedHat, Ubuntu, and Arch, have provided patches for Shellshock, but so far there are no patches available for Mac OSX and Android. Regardless, the efficacy of the patches could be limited, since many of the Linux distros are embedded in IoT devices that users rarely update.

To remediate from Shellshock, security experts advise:

  • Upgrade to the latest versions of Bash. Some are listed here.
  • Tatu Ylönen, inventor of SSH and CEO of SSH Communications Security, says, "An immediate workaround is to use the AcceptEnv command option in /etc/sshd_config to reject any environment variables from the client (typically just delete the AcceptEnv line from the default configuration file)."
  • Watch for forthcoming patches.
  • Consider disabling Bash until patches are available.
  • Consider redoing your scripts that call to Bash until a patch is available.
  • Temporarily switch the default shell on desktops running Bash.
  • Use intrusion prevention systems and/or network-based heuristic monitoring to keep tabs on.
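To turn the Reavis self-test and the AcceptEnv workaround above into a repeatable host check, here is an added POSIX shell script (not code from the article, the Cloud Security Alliance or SSH Communications Security). It runs the self-test against every Bash binary it can find and reports whether an sshd configuration still accepts client environment variables. The candidate binary paths and the sshd_config locations it looks at are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the article: run the Bash self-test quoted in the
# article against every bash binary on a host, and check whether sshd still
# accepts client environment variables (the AcceptEnv workaround). The binary
# and configuration paths below are assumptions, not values from the article.

# Classify self-test output: "vulnerable" only if the injected command ran,
# i.e. the word "vulnerable" was printed in addition to "this is a test".
classify_selftest_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Run the self-test against one bash binary ($1) and print its status.
bash_shellshock_status() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    classify_selftest_output "$out"
}

# Return 0 if the sshd configuration file ($1) has an active AcceptEnv line,
# meaning client-supplied environment variables can reach the login shell.
sshd_accepts_client_env() {
    grep -Eq '^[[:space:]]*AcceptEnv' "$1" 2>/dev/null
}

# Executable bash binaries: whatever is in PATH plus the usual fixed
# locations (assumed paths), de-duplicated.
bash_candidates() {
    { command -v bash; printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash; } 2>/dev/null |
        while read -r p; do [ -x "$p" ] && printf '%s\n' "$p"; done | sort -u
}

main() {
    bash_candidates | while read -r b; do
        printf '%s: %s\n' "$b" "$(bash_shellshock_status "$b")"
    done
    # Both the path quoted in the article and the more common OpenSSH default (assumed).
    for cfg in /etc/sshd_config /etc/ssh/sshd_config; do
        [ -f "$cfg" ] || continue
        if sshd_accepts_client_env "$cfg"; then
            echo "$cfg: AcceptEnv present (client environment variables reach the shell)"
        else
            echo "$cfg: AcceptEnv absent"
        fi
    done
}
main
```

Run it as an unprivileged user on each host after patching; a "vulnerable" line for any binary means that copy of Bash was not replaced by the update (statically bundled or locally built copies are the usual cause). The AcceptEnv check only reports the setting; removing the line and reloading sshd is the workaround Ylönen describes.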

More information is available in US-CERT's advisory.

Not what it was designed for
Shellshock is another example of how resourceful developers pushed something far past what it was meant to do -- and ended up creating security holes they had never foreseen.

"I suspect that many of the Internet of Things, or Internet of Everything, devices that have been distributed have Linux roots," says Alan Dundas, vice president and product architect for Authentify. "How will the small CPU in your thermostat prevent malware introduced via a Bash flaw from sniffing around whatever else is connected to it? It probably wasn't designed to have that capability. Therein lies the fatal error of connecting lots of simple items into a complex network without thoroughly evaluating what could go wrong."

"This is potentially worse than Heartbleed," says Dundas, "because many things Linux is embedded in were never intended to be patched."

Like Heartbleed, Shellshock is a vulnerability in open-source software.

"I see this as a failure in the mindset of the open-source community where everyone waits for everyone else to do something or find something," says Chris Stoneff, director of professional services for Lieberman Software. "One of the interesting things happening with so much bashing of closed-source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OSX have gained in recent years to would-be attackers. It has shone a light on one of the biggest lies perpetrated on people: We are not vulnerable because we don't use Microsoft. Well, the proof is now here, and it's time for Linux and OSX and UNIX to take some heat."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dan Euritt,
User Rank: Apprentice
9/26/2014 | 7:56:13 PM
Re: The many eyes of open source missed this one
This sort of thing makes me glad that I went through the Windows server hassles, instead of using Linux.

Thanks Dark Reading for a great article.
prospecttoreza,
User Rank: Strategist
9/26/2014 | 10:12:02 AM
Re: The many eyes of open source missed this one
too many cooks spoil the broth
anon0898863719,
User Rank: Apprentice
9/26/2014 | 10:08:12 AM
Re: The many eyes of open source missed this one
one thing the open source/free software community doesn't deal well with is the fact that just because you have access to the source code doesn't mean you can do anything with it.

RyanSepe,
User Rank: Ninja
9/26/2014 | 9:06:18 AM
Re: The many eyes of open source missed this one
This is very alarming. My team is trying to see if we can use our vulnerability scanner to weed out this instance within our environment. With the internet of things, this will be a daunting task because we are not entirely certain what is leveraging these bash versions.

Has anyone definitively planned an initiative to efficiently pull this data and mitigate effectively? If so, what steps are you taking? (At a high level, doesn't need to be granular)
aws0513,
User Rank: Ninja
9/26/2014 | 8:32:26 AM
SCADA systems might have a big problem here.
Although I do not maintain any SCADA systems, it occurred to me last night as I patched my server environments that the Shellshock bug may have substantial impact on SCADA relevant systems. I'm sure a SCADA security or administration expert would have more info in this regard. I hope I am wrong in this assumption, but I get the sense otherwise.
Charlie Babcock,
User Rank: Ninja
9/25/2014 | 11:09:05 PM
The many eyes of open source missed this one
This is a serious bug that apparently has been around almost as long as Bash itself, since version 1.3 or 22 years. Whew. It's one that has eluded the rule that "the many eyes of open source code inspection" will find all bugs.