Dark Reading
9/25/2014 05:20 PM
'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild

CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OSX, and IoT endpoints are all at risk.

"Shellshock," the critical remote command execution Bash bug disclosed yesterday, is now being exploited in the wild. Some affected software companies have released patches (which only partially fix the problem), but many others have not -- which is troubling, because Shellshock can be found all over the place.

Trend Micro describes this vulnerability as "plague-like," dwarfing Heartbleed, and hitting "approximately a half-billion Web servers and other Internet-connected devices." Shellshock gives attackers command access to Linux- and UNIX-based systems that use Bash. Therefore, industry experts say, there are a huge number of potential attack vectors -- Mac OSX devices, Android devices, OpenBSD, DHCP clients, SSH servers, web servers using CGI or Apache (including hosting servers), home routers, Bitcoin Core, and embedded systems in other Internet of Things objects like medical devices, digital cameras, and televisions.

How it works
Bash is a local shell on Linux- and UNIX-based systems. It can pick up function definitions from environment variables, and code appended to such a definition gets executed as soon as the shell is invoked. Though Bash is local, the Shellshock vulnerability "allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example," Jim Reavis of the Cloud Security Alliance wrote yesterday.

Daniel Ingevaldson, CTO of Easy Solutions, explains it this way: "This bug is not a remote 'code execution' vulnerability [in which] tricks are required to actually do something interesting. It's a remote 'command execution' vulnerability that may allow remote attackers to simply run commands on the remote system."

Exploits in the wild
Proof-of-concept exploits released yesterday showed that only one simple line of code was needed to take advantage of Shellshock.

Since then, exploits have appeared in the wild.

"We already noticed attacks against web servers earlier today, and they are very easy to implement and carry," says a representative from BitDefender. "The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent," a string that tells the web server what type of browser is being used, so the server will know how to format data before sending it.
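The mechanism described under "How it works" and the User-Agent probing described above can be turned into a defender's check. The following is an added example, not code from the article or from any vendor it quotes: a heuristic that recognises a Bash function definition carried in a variable, with a command appended after the function body, and applies it both to a CGI-style environment (where a server copies request headers into HTTP_* variables) and to access-log lines in the Apache/nginx "combined" format. The environment, the log lines and the IP addresses are constructed for the example.

```python
"""Spot Shellshock-style payloads in a CGI environment and in web access logs.

Added example, not code from the article or from any vendor it quotes. It turns
the mechanism the article describes (a Bash function definition smuggled into an
environment variable, with a command appended after the function body) into a
defender's heuristic and runs it over constructed data: a fake CGI environment
and a few made-up access-log lines in Apache/nginx "combined" format.
"""
import re
from typing import Dict, List, Optional, Tuple

# An exported Bash function definition begins with "() {".
FUNC_DEF = re.compile(r"\(\)\s*\{")
# The bug: Bash kept parsing past the function body, so anything after the
# closing brace ran when the shell started. Capture that trailing text.
# Heuristic only: it stops at the first "}", so a body with nested braces
# would need a real parser.
TRAILING = re.compile(r"\(\)\s*\{.*?\}\s*;?\s*(\S.*)$")


def classify(value: str) -> Optional[str]:
    """None for a clean value, 'function-definition' for a bare definition,
    'trailing-command' when text follows the function body."""
    if not FUNC_DEF.search(value):
        return None
    m = TRAILING.search(value)
    if m and m.group(1).strip():
        return "trailing-command"
    return "function-definition"


def suspicious_env(environ: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag variables in a (CGI-style) environment that carry a function
    definition. A CGI server copies request headers into HTTP_* variables,
    which is how a User-Agent header can reach Bash."""
    hits = []
    for name, value in environ.items():
        kind = classify(value)
        if kind:
            hits.append((name, kind))
    return hits


# Apache/nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client ip, field, classification, field value) for every
    request line, Referer or User-Agent that looks like a Shellshock probe."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            kind = classify(m.group(field))
            if kind:
                hits.append((m.group("ip"), field, kind, m.group(field)))
    return hits


# Constructed sample data (documentation IP ranges, invented timestamps).
CGI_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_ACCEPT": "*/*",
    "HTTP_USER_AGENT": "() { :;}; echo vulnerable",
}

SAMPLE_LOG = [
    '203.0.113.10 - - [25/Sep/2014:14:02:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:14:03:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.11 - - [25/Sep/2014:14:05:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 - "() { ignored;}; /usr/bin/id" "curl/7.37.0"',
    '192.0.2.55 - - [25/Sep/2014:14:07:19 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}"',
]

if __name__ == "__main__":
    for name, kind in suspicious_env(CGI_ENV):
        print(f"env {name}: {kind}")
    for ip, field, kind, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {field} {kind}: {value}")
```

The Referer and request line are scanned as well as the User-Agent because a CGI server exports all of them into the environment; a bare definition with nothing after the body is reported separately, since it is not the exploit but has no business in a browser header either.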

Because Bash is used so broadly, Shellshock exploits could worm their way through a complex computing environment and could be used to build botnets. Using a honeypot, researchers at AlienVault have already seen evidence of this.

"The majority of [the attackers] are only probing to check if systems are vulnerable," says Jaime Blasco, labs director at AlienVault. "On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks."

Ronnie Tokazowski of PhishMe wrote today:

    With the number of Internet-facing devices vulnerable to this, it would be very easy for an attacker to turn this into a worm, and bore itself past external gateways into homes. When was the last time you patched your TV? And with the current scan of the entire Internet going on, an attacker could easily turn this into a fork bomb, hogging CPU resources, and crashing systems around the globe.

Darien Kindlund, director of threat research at FireEye, called out the targeted attack possibilities of the bug. "Advanced attackers can leverage [a compromised] website in further strategic web compromises like watering hole attacks against website visitors," he says. "This is precisely how many targeted attacks occur with an exceptionally high degree of success."

Kindlund made further comments about Shellshock in a blog post, stating flatly: "This bug is horrible."

Worse than Heartbleed?
Kindlund maintains that Shellshock is worse than Heartbleed, because it "affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages."

Secunia says that Heartbleed "'only' enabled hackers to extract information." However, "Bash enables hackers to execute commands to take over your servers and systems."

Ingevaldson believes large hosting providers might be the most prominent target. "No crashes, no complexity, easy to test, easy to exploit," he says. "On the CVSS scale it's all 10s across the board. High impact, easy to exploit, no authentication required, low access complexity. Ouch."

Remediation
Reavis advised yesterday:

    To test if your system is vulnerable just try this on bash:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    If you're vulnerable it'll print:

    vulnerable
    this is a test

    If you've updated Bash you'll only see

    this is a test

Many Linux distributions, including RedHat, Ubuntu, and Arch, have provided patches for Shellshock, but so far there are no patches available for Mac OSX and Android. Regardless, the efficacy of the patches could be limited, since many of the Linux distros are embedded in IoT devices that users rarely update.

To remediate from Shellshock, security experts advise:

  • Upgrade to the latest versions of Bash. Some are listed here.
  • Tatu Ylönen, inventor of SSH and CEO of SSH Communications Security, says, "An immediate workaround is to use the AcceptEnv command option in /etc/sshd_config to reject any environment variables from the client (typically just delete the AcceptEnv line from the default configuration file)."
  • Watch for forthcoming patches.
  • Consider disabling Bash until patches are available.
  • Consider redoing your scripts that call to Bash until a patch is available.
  • Temporarily switch the default shell on desktops running Bash.
  • Use intrusion prevention systems and/or network-based heuristic monitoring to keep tabs on.
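The sshd workaround quoted above (stop accepting client-supplied environment variables) can be checked and applied mechanically. The following is an added example, not code from the article or from SSH Communications Security: it parses sshd_config text, reports which variable patterns an AcceptEnv directive lets clients send, and returns a copy with those lines commented out. The sample configuration is constructed, and the file path in the usage block is an assumption that varies by distribution.

```python
"""Audit and harden sshd's AcceptEnv setting (Shellshock workaround).

Added example, not from the article or from SSH Communications Security.
The constructed config below mimics a stock sshd_config; the path used in
the usage block is an assumption and differs between distributions.
"""
import re
from typing import List

# sshd_config keywords are case-insensitive and may be written as
# "Keyword value" or "Keyword=value". Lines beginning with '#' are comments.
# Directives inside Match blocks use the same syntax, so they are caught too.
DIRECTIVE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s*(?:=|\s)\s*(?P<value>.*?)\s*$")


def accepted_env_patterns(config_text: str) -> List[str]:
    """Return every variable pattern an active AcceptEnv directive allows."""
    patterns: List[str] = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE.match(stripped)
        if m and m.group("key").lower() == "acceptenv":
            patterns.extend(m.group("value").split())
    return patterns


def harden(config_text: str) -> str:
    """Comment out every active AcceptEnv line; leave all other lines as they are."""
    out = []
    for line in config_text.splitlines():
        stripped = line.strip()
        m = DIRECTIVE.match(stripped)
        active = bool(m) and not stripped.startswith("#")
        if active and m.group("key").lower() == "acceptenv":
            out.append("# disabled (Shellshock workaround): " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample resembling a stock sshd_config; not a real file.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
"""

if __name__ == "__main__":
    print("client may set:", accepted_env_patterns(SAMPLE_SSHD_CONFIG))
    print(harden(SAMPLE_SSHD_CONFIG))
    # To run against a live host (path is an assumption):
    #   with open("/etc/ssh/sshd_config") as f: print(accepted_env_patterns(f.read()))
```

After editing the real file, reload sshd so the change takes effect; an empty result from the audit function is the state Ylönen's workaround aims for.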

More information is available in US-CERT's advisory.

Not what it was designed for
Shellshock is another example of how resourceful developers pushed something far past what it was meant to do -- and ended up creating security holes they had never foreseen.

"I suspect that many of the Internet of Things, or Internet of Everything, devices that have been distributed have Linux roots," says Alan Dundas, vice president and product architect for Authentify. "How will the small CPU in your thermostat prevent malware introduced via a Bash flaw from sniffing around whatever else is connected to it? It probably wasn't designed to have that capability. Therein lies the fatal error of connecting lots of simple items into a complex network without thoroughly evaluating what could go wrong."

"This is potentially worse than Heartbleed," says Dundas, "because many things Linux is embedded in were never intended to be patched."

Like Heartbleed, Shellshock is a vulnerability in open-source software.

"I see this as a failure in the mindset of the open-source community where everyone waits for everyone else to do something or find something," says Chris Stoneff, director of professional services for Lieberman Software. "One of the interesting things happening with so much bashing of closed-source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OSX have gained in recent years to would-be attackers. It has shone a light on one of the biggest lies perpetrated on people: We are not vulnerable because we don't use Microsoft. Well, the proof is now here, and it's time for Linux and OSX and UNIX to take some heat."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dan Euritt
User Rank: Apprentice
9/26/2014 | 7:56:13 PM
Re: The many eyes of open source missed this one
This sort of thing makes me glad that I went through the Windows server hassles, instead of using Linux.

Thanks Dark Reading for a great article.
prospecttoreza
User Rank: Strategist
9/26/2014 | 10:12:02 AM
Re: The many eyes of open source missed this one
too many cooks spoil the broth
anon0898863719
User Rank: Apprentice
9/26/2014 | 10:08:12 AM
Re: The many eyes of open source missed this one
one thing the open source/free software community doesn't deal well with is the fact that just because you have access to the source code doesn't mean you can do anything with it.

RyanSepe
User Rank: Ninja
9/26/2014 | 9:06:18 AM
Re: The many eyes of open source missed this one
This is very alarming. My team is trying to see if we can use our vulnerability scanner to weed out this instance within our environment. With the internet of things, this will be a daunting task because we are not entirely certain what is leveraging these bash versions.

Has anyone definitively planned an initiative to efficiently pull this data and mitigate effectively? If so, what steps are you taking? (At a high level, doesn't need to be granular)
aws0513
User Rank: Ninja
9/26/2014 | 8:32:26 AM
SCADA systems might have a big problem here.
Although I do not maintain any SCADA systems, it occurred to me last night as I patched my server environments that the Shellshock bug may have substantial impact on SCADA relevant systems. I'm sure a SCADA security or administration expert would have more info in this regard. I hope I am wrong in this assumption, but I get the sense otherwise.
Charlie Babcock
User Rank: Ninja
9/25/2014 | 11:09:05 PM
The many eyes of open source missed this one
This is a serious bug that apparently has been around almost as long as Bash itself, since version 1.3 or 22 years. Whew. It's one that has eluded the rule that "the many eyes of open source code inspection" will find all bugs.