Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/25/2014
05:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild

CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OSX, and IoT endpoints are all at risk.

"Shellshock," the critical remote command execution Bash bug disclosed yesterday, is now being exploited in the wild. Some affected software companies have released patches (which only partially fix the problem), but many others have not -- which is troubling, because Shellshock can be found all over the place.

Trend Micro describes this vulnerability as "plague-like," dwarfing Heartbleed, and hitting "approximately a half-billion Web servers and other Internet-connected devices." Shellshock gives attackers command access to Linux- and UNIX-based systems that use Bash. Therefore, industry experts say, there are a huge number of potential attack vectors -- Mac OSX devices, Android devices, OpenBSD, DHCP clients, SSH servers, web servers using CGI or Apache (including hosting servers), home routers, Bitcoin Core, and embedded systems in other Internet of Things objects like medical devices, digital cameras, and televisions.

How it works
Bash is a local shell that Linux- and UNIX-based systems use to set up environmental variables that can contain code, which gets executed as soon as the shell is invoked. Though Bash is local, the Shellshock vulnerability "allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example," Jim Reavis of the Cloud Security Alliance wrote yesterday.

Daniel Ingevaldson, CTO of Easy Solutions, explains it this way: "This bug is not a remote 'code execution' vulnerability [in which] tricks are required to actually do something interesting. It's a remote 'command execution' vulnerability that may allow remote attackers to simply run commands on the remote system."

Exploits in the wild
Proof-of-concept exploits released yesterday showed that only one simple line of code was needed to take advantage of Shellshock.

Since then, exploits have appeared in the wild.

"We already noticed attacks against web servers earlier today, and they are very easy to implement and carry," says a representative from BitDefender. "The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent," a string that tells the web server what type of browser is being used, so the server will know how to format data before sending it.

Because Bash is used so broadly, Shellshock exploits can be used to worm their way through a complex computing environment, and it could be used to create botnets. Using a honeypot, researchers at AlienVault have already seen evidence of this.

"The majority of [the attackers] are only probing to check if systems are vulnerable," says Jaime Blasco, labs director at AlienVault. "On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks."

Ronnie Tokazowski of PhishMe wrote today:

    With the number of Internet-facing devices vulnerable to this, it would be very easy for an attacker to turn this into a worm, and bore itself past external gateways into homes. When was the last time you patched your TV? And with the current scan of the entire Internet going on, an attacker could easily turn this into a fork bomb, hogging CPU resources, and crashing systems around the globe.

Darien Kindlund, director of threat research at FireEye, called out the targeted attack possibilities of the bug. "Advanced attackers can leverage [a compromised] website in further strategic web compromises like watering hole attacks against website visitors," he says. "This is precisely how many targeted attacks occur with an exceptionally high degree of success."

Kindlund made further comments about Shellshock in a blog post, stating flatly: "This bug is horrible."

Worse than Heartbleed?
Kindlund maintains that Shellshock is worse than Heartbleed, because it "affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages."

Secunia says that Heartbleed "'only' enabled hackers to extract information." However, "Bash enables hackers to execute commands to take over your servers and systems."

Ingevaldson believes large hosting providers might be the most prominent target. "No crashes, no complexity, easy to test, easy to exploit," he says. "On the CVSS scale it's all 10s across the board. High impact, easy to exploit, no authentication required, low access complexity. Ouch."

Remediation
Reavis advised yesterday:

    To test if your system is vulnerable just try this on bash:

    env x='() { :;}; echo vulnerable' bash -c
    "echo this is a test"

    If you're vulnerable it'll print:

    vulnerable
    this is a test

    If you've updated Bash you'll only see

    this is a test

Many Linux distributions, including RedHat, Ubuntu, and Arch, have provided patches for Shellshock, but so far there are no patches available for Mac OSX and Android. Regardless, the efficacy of the patches could be limited, since many of the Linux distros are embedded in IoT devices that users rarely update.

To remediate from Shellshock, security experts advise:

  • Upgrade to the latest versions of Bash. Some are listed here.
  • Tatu Ylönen, inventor of SSH and CEO of SSH Communications Security, says, "An immediate workaround is to use the AcceptEnv command option in /etc/sshd_config to reject any environment variables from the client (typically just delete the AcceptEnv line from the default configuration file)."
  • Watch for forthcoming patches.
  • Consider disabling Bash until patches are available.
  • Consider redoing your scripts that call to Bash until a patch is available.
  • Temporarily switch the default shell on desktops running Bash.
  • Use intrusion prevention systems and/or network-based heuristic monitoring to keep tabs on.

More information is available in US-CERT's advisory.

Not what it was designed for
Shellshock is another example of how resourceful developers pushed something far past what it was meant to do -- and ended up creating security holes they had never foreseen.

"I suspect that many of the Internet of Things, or Internet of Everything, devices that have been distributed have Linux roots," says Alan Dundas, vice president and product architect for Authentify. "How will the small CPU in your thermostat prevent malware introduced via a Bash flaw from sniffing around whatever else is connected to it? It probably wasn't designed to have that capability. Therein lies the fatal error of connecting lots of simple items into a complex network without thoroughly evaluating what could go wrong."

"This is potentially worse than Heartbleed," says Dundas, "because many things Linux is embedded in were never intended to be patched."

Like Heartbleed, Shellshock is a vulnerability in open-source software.

"I see this as a failure in the mindset of the open-source community where everyone waits for everyone else to do something or find something," says Chris Stoneff, director of professional services for Lieberman Software. "One of the interesting things happening with so much bashing of closed-source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OSX have gained in recent years to would-be attackers. It has shone a light on one of the biggest lies perpetrated on people: We are not vulnerable because we don't use Microsoft. Well, the proof is now here, and it's time for Linux and OSX and UNIX to take some heat."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dan Euritt
50%
50%
Dan Euritt,
User Rank: Apprentice
9/26/2014 | 7:56:13 PM
Re: The many eyes of open source missed this one
This sort of thing makes me glad that I went through the Windows server hassles, instead of using Linux.

Thanks Dark Reading for a great article.
prospecttoreza
50%
50%
prospecttoreza,
User Rank: Strategist
9/26/2014 | 10:12:02 AM
Re: The many eyes of open source missed this one
too many cooks spoil the broth
anon0898863719
50%
50%
anon0898863719,
User Rank: Apprentice
9/26/2014 | 10:08:12 AM
Re: The many eyes of open source missed this one
one thing the open source/free software community doesn't deal well with is the fact that just because you have access to the source code doesn't mean you can do anything with it.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/26/2014 | 9:06:18 AM
Re: The many eyes of open source missed this one
This is very alarming. My team is trying to see if we can use our vulnerability scanner to weed out this instance within our environment. With the internet of things, this will be a daunting task because we are not entirely certain what is leveraging these bash versions.

Has anyone definitively planned an inititivate to efficiently pull this data and mitigate effectively? If so, what steps are you taking? (At a high level, doesn't need to be granular)
aws0513
50%
50%
aws0513,
User Rank: Ninja
9/26/2014 | 8:32:26 AM
SCADA systems might have a big problem here.
Although I do not maintain any SCADA systems, it occured to me last night as I patched my server environments that the Shellshock bug may have substantial impact on SCADA relevant systems.  I'm sure a SCADA security or administration expert would have more info in this regard.  I hope I am wrong in this assumption, but I get the sense otherwise.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
9/25/2014 | 11:09:05 PM
The many eyes of open source missed this one
This is a serious bug that apparantly has been around almost as long as Bash itself, since version 1.3 or 22 years. Whew. It's one that has eluded the rule that "the many eyes of open source code inspecition" will find all bugs.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...