Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild

CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OSX, and IoT endpoints are all at risk.

"Shellshock," the critical remote command execution Bash bug disclosed yesterday, is now being exploited in the wild. Some affected software companies have released patches (which only partially fix the problem), but many others have not -- which is troubling, because Shellshock can be found all over the place.

Trend Micro describes this vulnerability as "plague-like," dwarfing Heartbleed, and hitting "approximately a half-billion Web servers and other Internet-connected devices." Shellshock gives attackers command access to Linux- and UNIX-based systems that use Bash. Therefore, industry experts say, there are a huge number of potential attack vectors -- Mac OSX devices, Android devices, OpenBSD, DHCP clients, SSH servers, web servers using CGI or Apache (including hosting servers), home routers, Bitcoin Core, and embedded systems in other Internet of Things objects like medical devices, digital cameras, and televisions.

How it works
Bash is a local shell that Linux- and UNIX-based systems use to set up environmental variables that can contain code, which gets executed as soon as the shell is invoked. Though Bash is local, the Shellshock vulnerability "allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example," Jim Reavis of the Cloud Security Alliance wrote yesterday.

Daniel Ingevaldson, CTO of Easy Solutions, explains it this way: "This bug is not a remote 'code execution' vulnerability [in which] tricks are required to actually do something interesting. It's a remote 'command execution' vulnerability that may allow remote attackers to simply run commands on the remote system."

Exploits in the wild
Proof-of-concept exploits released yesterday showed that only one simple line of code was needed to take advantage of Shellshock.

Since then, exploits have appeared in the wild.

"We already noticed attacks against web servers earlier today, and they are very easy to implement and carry," says a representative from BitDefender. "The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent," a string that tells the web server what type of browser is being used, so the server will know how to format data before sending it.

Because Bash is used so broadly, Shellshock exploits can be used to worm their way through a complex computing environment, and it could be used to create botnets. Using a honeypot, researchers at AlienVault have already seen evidence of this.

"The majority of [the attackers] are only probing to check if systems are vulnerable," says Jaime Blasco, labs director at AlienVault. "On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks."

Ronnie Tokazowski of PhishMe wrote today:

    With the number of Internet-facing devices vulnerable to this, it would be very easy for an attacker to turn this into a worm, and bore itself past external gateways into homes. When was the last time you patched your TV? And with the current scan of the entire Internet going on, an attacker could easily turn this into a fork bomb, hogging CPU resources, and crashing systems around the globe.

Darien Kindlund, director of threat research at FireEye, called out the targeted attack possibilities of the bug. "Advanced attackers can leverage [a compromised] website in further strategic web compromises like watering hole attacks against website visitors," he says. "This is precisely how many targeted attacks occur with an exceptionally high degree of success."

Kindlund made further comments about Shellshock in a blog post, stating flatly: "This bug is horrible."

Worse than Heartbleed?
Kindlund maintains that Shellshock is worse than Heartbleed, because it "affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages."

Secunia says that Heartbleed "'only' enabled hackers to extract information." However, "Bash enables hackers to execute commands to take over your servers and systems."

Ingevaldson believes large hosting providers might be the most prominent target. "No crashes, no complexity, easy to test, easy to exploit," he says. "On the CVSS scale it's all 10s across the board. High impact, easy to exploit, no authentication required, low access complexity. Ouch."

Reavis advised yesterday:

    To test if your system is vulnerable just try this on bash:

    env x='() { :;}; echo vulnerable' bash -c
    "echo this is a test"

    If you're vulnerable it'll print:

    this is a test

    If you've updated Bash you'll only see

    this is a test

Many Linux distributions, including RedHat, Ubuntu, and Arch, have provided patches for Shellshock, but so far there are no patches available for Mac OSX and Android. Regardless, the efficacy of the patches could be limited, since many of the Linux distros are embedded in IoT devices that users rarely update.

To remediate from Shellshock, security experts advise:

  • Upgrade to the latest versions of Bash. Some are listed here.
  • Tatu Ylönen, inventor of SSH and CEO of SSH Communications Security, says, "An immediate workaround is to use the AcceptEnv command option in /etc/sshd_config to reject any environment variables from the client (typically just delete the AcceptEnv line from the default configuration file)."
  • Watch for forthcoming patches.
  • Consider disabling Bash until patches are available.
  • Consider redoing your scripts that call to Bash until a patch is available.
  • Temporarily switch the default shell on desktops running Bash.
  • Use intrusion prevention systems and/or network-based heuristic monitoring to keep tabs on.

More information is available in US-CERT's advisory.

Not what it was designed for
Shellshock is another example of how resourceful developers pushed something far past what it was meant to do -- and ended up creating security holes they had never foreseen.

"I suspect that many of the Internet of Things, or Internet of Everything, devices that have been distributed have Linux roots," says Alan Dundas, vice president and product architect for Authentify. "How will the small CPU in your thermostat prevent malware introduced via a Bash flaw from sniffing around whatever else is connected to it? It probably wasn't designed to have that capability. Therein lies the fatal error of connecting lots of simple items into a complex network without thoroughly evaluating what could go wrong."

"This is potentially worse than Heartbleed," says Dundas, "because many things Linux is embedded in were never intended to be patched."

Like Heartbleed, Shellshock is a vulnerability in open-source software.

"I see this as a failure in the mindset of the open-source community where everyone waits for everyone else to do something or find something," says Chris Stoneff, director of professional services for Lieberman Software. "One of the interesting things happening with so much bashing of closed-source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OSX have gained in recent years to would-be attackers. It has shone a light on one of the biggest lies perpetrated on people: We are not vulnerable because we don't use Microsoft. Well, the proof is now here, and it's time for Linux and OSX and UNIX to take some heat."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Dan Euritt
Dan Euritt,
User Rank: Apprentice
9/26/2014 | 7:56:13 PM
Re: The many eyes of open source missed this one
This sort of thing makes me glad that I went through the Windows server hassles, instead of using Linux.

Thanks Dark Reading for a great article.
User Rank: Strategist
9/26/2014 | 10:12:02 AM
Re: The many eyes of open source missed this one
too many cooks spoil the broth
User Rank: Apprentice
9/26/2014 | 10:08:12 AM
Re: The many eyes of open source missed this one
one thing the open source/free software community doesn't deal well with is the fact that just because you have access to the source code doesn't mean you can do anything with it.

User Rank: Ninja
9/26/2014 | 9:06:18 AM
Re: The many eyes of open source missed this one
This is very alarming. My team is trying to see if we can use our vulnerability scanner to weed out this instance within our environment. With the internet of things, this will be a daunting task because we are not entirely certain what is leveraging these bash versions.

Has anyone definitively planned an inititivate to efficiently pull this data and mitigate effectively? If so, what steps are you taking? (At a high level, doesn't need to be granular)
User Rank: Ninja
9/26/2014 | 8:32:26 AM
SCADA systems might have a big problem here.
Although I do not maintain any SCADA systems, it occured to me last night as I patched my server environments that the Shellshock bug may have substantial impact on SCADA relevant systems.  I'm sure a SCADA security or administration expert would have more info in this regard.  I hope I am wrong in this assumption, but I get the sense otherwise.
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
9/25/2014 | 11:09:05 PM
The many eyes of open source missed this one
This is a serious bug that apparantly has been around almost as long as Bash itself, since version 1.3 or 22 years. Whew. It's one that has eluded the rule that "the many eyes of open source code inspecition" will find all bugs.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.