Application Security

8/29/2017
08:16 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Shellshock Still in the Crosshairs

Spike in scans for the flaw spotted en masse in Q2.

Old bugs die hard: the three-year-old Shellshock vulnerability was the most commonly targeted security hole in the second quarter of 2017, according to security firm eSentire.

The GNU Bash Remote Code Execution flaw, aka Shellshock (CVE-2014-6271), accounted for 40% of the top eight flaws targeted in Q2, according to new data from eSentire gathered from some 1,500 of its network and host sensors installed in 600 customer sites.

Viktors Engelbrehts, director of threat intelligence at eSentire, says the exposed systems his firm spotted being probed for the flaw are mainly public-facing Web servers.

The critical flaw in Linux and Unix operating systems, as well as Mac OS X, was first discovered in September of 2014, and continues to be left unpatched in many organizations.

That makes it a lucrative target for attackers. Engelbrehts theorizes that the Shellshock-probing activity spotted by his firm likely is the handiwork of state-sponsored attackers gathering intel on vulnerable systems, given the automated, wide range of the scope of the scans.

"Those scanners are fingerprinting" systems on the Internet, he says of eSentire's findings. "Not all of these events necessarily lead to further incidents. But if these assets are vulnerable and the bad guys know about it, they can launch devastating attacks" on widespread systems, he says.

State-sponsored actors such as those out of China are among the types of threat actors conducting such scans for intel they could use in mass attacks, he says.

"We suspect it's mostly Linux, and some Mac [systems] affected," he says.

eSentire also spotted attackers scanning for servers with the Apache Struts CVE-2017-5638 remote code flaw, the Windows CVE-2012-0152 Remote Desktop Protocol bug, and the Windows RDP remote administration flaw (CVE-2001-0540).

Shellshock/Bash is a shell widely used in versions of Linux and Unix, and when exploited, it allows an attacker to run malicious code remotely on a targeted system.

Why does it remain unpatched in so many servers? "I suspect that a lot of organizations are applying compensating controls instead of mitigating the root cause," he says. They're beefing up IDS/IPS systems and blocking signatures, but leaving the hole unpatched, he says.

Shellshock is an especially popular flaw to target mainly because it's so easy to exploit, notes Theresa Payton, CEO of Fortalice Solutions. Payton says her firm mostly finds it unpatched in printers, appliances, and voice systems.

The decision not to patch a server typically has to do with downtime trumping risk. "Patches break things," Payton says, noting that that's why organizations with high uptime requirements sometimes shy away from applying some patches. "But patching strategically is vitally important. You shouldn't use the excuse that it will break things."

Even large organizations can be hit unawares by an attacker gathering intel. Payton's firm has seen this firsthand in penetration-test engagements: "You would be amazed at how many Fortune 100s where we were able to do a vulnerability scan undetected. Their radars didn't pick up that we were scanning their systems," she says.

eSentire's Engelbrehts, meanwhile, says the attackers behind the recent wave of mass Shellshock scans appear to have an automated infrastructure in place to search for these types of flaws en masse.

"It's indiscriminate," he says. "They are clearly using weaknesses as an information-gathering point at massive scale. What scares me most is the volume is really scary" and could be used to wage widespread attacks across multiple organizations and industries, according to Engelbrehts.

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-8298
PUBLISHED: 2018-09-24
Multiple SQL injection vulnerabilities in the login page in RXTEC RXAdmin UPDATE 06 / 2012 allow remote attackers to execute arbitrary SQL commands via the (1) loginpassword, (2) loginusername, (3) zusatzlicher, or (4) groupid parameter to index.htm, or the (5) rxtec cookie to index.htm.
CVE-2018-14825
PUBLISHED: 2018-09-24
A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable...
CVE-2018-17437
PUBLISHED: 2018-09-24
Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
CVE-2018-17438
PUBLISHED: 2018-09-24
A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
CVE-2018-17439
PUBLISHED: 2018-09-24
An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file.