In this article we look at what the Shellshock bash bug is all about. We also cover mitigation strategies to help you defend against such a vulnerability, so that when the next one occurs you are ready.
Shellshock has been dubbed bigger than Heartbleed. On the surface it looks mean, but is it really? Read the rest of this article to find out whether it affects you and your organisation.
What is the Shellshock Vulnerability?
The Shellshock vulnerability is a flaw in the Unix Bash shell. It leaves Unix-based operating systems such as Linux and OS X, Bash-containing systems such as some routers, Apache and CGI websites, firewalls and web-connected devices (CCTV cameras, printers and other affected peripherals), and many other Unix-based operating systems vulnerable to running deep-level commands once the flaw is exploited.
It is currently estimated that over one billion websites run on Apache. Most of these are installed on a Linux operating system. A good guess is that more than two billion devices are affected.
More official detail on the NIST website can be found here.
This vulnerability has an impact score of 10/10, which means you should pay attention to it as soon as you can. NIST is saying it's as bad as it gets. If you consider that over a billion devices will be affected, that it will probably take over a year to get everything patched even with everyone's help, and that in reality only 80% will ever get patched, it is a serious vulnerability.
Ultimately this vulnerability can result in an attacker gaining a shell on a vulnerable system. That is the holy grail of vulnerabilities, so yes, it's a big deal. I can't remember, in my 15+ years in computer security, when something this big was discovered.
It is also possible to dump internal files, password-containing files and even credit card data for public retrieval using this vulnerability. The options are quite broad and the bad guys are starting to have a field day.
Additionally, if this vulnerability is exploited over CGI, which some websites use to run scripts on the web server, then no authentication is required, which makes it even more of an issue. I highly recommend that you patch this as soon as possible.
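As an added example (not code from the original article), here is one way a web administrator can look for Shellshock probes against CGI endpoints in Apache access logs; the log lines are constructed samples, and the flagged requests reuse the article's own harmless "echo vulnerable" test payload:

```shell
#!/bin/sh
# Added example, not code from the original article: flag HTTP requests whose
# Referer or User-Agent header carries a bash function definition, the shape
# of a Shellshock probe against a CGI endpoint. Apache's combined log format
# records both headers as the last two quoted fields, so they are what we scan.

# Constructed sample log (Apache combined format). The last two lines are
# probes that reuse the article's harmless "echo vulnerable" test payload.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.30.0"
198.51.100.9 - - [25/Sep/2014:10:02:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo vulnerable"
198.51.100.9 - - [25/Sep/2014:10:02:20 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "-"'

# Read log lines on stdin and print those where a quoted header field begins
# a bash function definition: "()" then optional whitespace then "{".
# Probes vary the spacing, so the match is deliberately loose.
shellshock_hits() {
    grep -E '"\(\)[[:space:]]*\{'
}

# Summarise the source addresses behind the hits, busiest first, which is
# the list to feed into blocking and incident follow-up.
shellshock_sources() {
    shellshock_hits | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Number of flagged requests in the constructed sample.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | wc -l | tr -d ' '
}

# Busiest source address in the constructed sample.
top_sample_source() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_sources | awk 'NR == 1 { print $2 }'
}

echo "flagged requests: $(count_sample_hits) (top source: $(top_sample_source))"
```

Against a real log, run `shellshock_sources < access.log` (substitute your own access log path); a source that also triggers 500 responses on a CGI path deserves an immediate look.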
How do I know if I am vulnerable?
Open up a command line shell or Bash and then run this command:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system responds:
vulnerable
this is a test
Your device is vulnerable.
If the system instead prints this message:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Your system is not vulnerable and you can move on to the next system.
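The same probe wrapped as a small POSIX shell function, added here as an example rather than taken from the article, so it can be pointed at any bash binary and scripted across many hosts:

```shell
#!/bin/sh
# Added example, not code from the original article: the article's probe
# wrapped in a function that can be pointed at any bash binary and scripted
# across a fleet. Prints one word (patched, vulnerable, missing) and returns
# 0, 1 or 2 respectively so it can drive an inventory script.

shellshock_status() {
    bash_bin="${1:-bash}"
    # A host with no bash at all cannot be tested this way; report it
    # separately so it is never mistaken for a clean result.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # Same probe as the article: a variable holding a function definition with
    # a command appended after the closing brace. A fixed bash imports nothing
    # and prints only "this is a test"; an unpatched one runs the appended
    # command while importing the function and so also prints "vulnerable".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# When run directly: check the bash given as the first argument (default: the
# one on PATH). The exit status carries the verdict for calling scripts.
shellshock_status "${1:-bash}"
```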
You can also download tools to scan for the vulnerability; your favourite antivirus vendor probably offers one, and typing "shellshock scanning tool" into a search engine will suggest a few on the first page.
Leave no stone unturned: even some CCTV cameras and some printers are vulnerable to Shellshock, so be thorough.
You can fix this yourself if you wish, and Apple have a DIY fix if you are brave and diligent.
What has happened so far… (Sept 2014)
The vulnerability is already being exploited, and tools have been written so that the bad guys can "own" (take over) as many machines as possible before they are all patched. This window gives them the opportunity to infect potentially millions of machines, and the underground is alight with chatter about how teams of bad guys are going to do this and are already doing it.
The industry has already started fighting back, with numerous Unix and Linux distributions pushing out patches. The challenge now is to get them installed after testing in corporate environments and past change control.
The vulnerability is "wormable", meaning a worm can be created to take advantage of this flaw. A worm does not require user interaction, so millions of machines could be exploited remotely in hours. In many cases these machines do not run any decent anti-malware or security software that can detect or report an infection, so an infection is particularly difficult to spot.
How does it affect my organisation?
This vulnerability can take many guises and will affect a multitude of Bash-based technologies, including some CGI and Apache installations. The concern is that it can even affect the devices that make up the Internet of Things (IoT): a group of devices that we typically don't interact with and cannot easily update, as they may have embedded operating systems that are not straightforward to update.
For example, there is a group of personal and corporate CCTV security cameras that are now remotely exploitable, so that attackers can take control of the devices and spy on individuals and corporations alike if they are internet facing; because these devices are sold as remote monitoring technologies, that is very likely.
Some of my customers have called in asking whether they are going to be affected: "I only use Microsoft technologies." If you dig a little deeper you will find that almost no one uses only Microsoft; there are a myriad of applications and devices that rely on other technologies that are likely to be vulnerable. In a recent scan we found that a customer claiming their network was only Microsoft actually had about 60% non-Microsoft elements, and 40% of those could be vulnerable to issues related to this vulnerability.
We found that the firewall, the very thing "protecting" the customer, had an issue that could potentially be exploited.
Remember the "holy cow" of the computer world, the Apple Mac? OS X machines are currently vulnerable; as we speak, Apple are frantically developing updates and patches to mitigate Shellshock across the global estate. Now is a good time to start developing a security strategy for those machines, so that they are covered. If you are comfortable recompiling Bash, there are ways to fix it manually now.
What can I do to stop or limit the damage?
There are many ways to protect against the Shellshock vulnerability being exploited. Security best practice will help mitigate the effects of such a vulnerability, and the following strategies will help protect against these types of threats.
- Keep your systems patched to the very latest patch level
- Ensure that you have a vulnerability feed that is current, such as VIM from Secunia.
- Segment your networks so that services and endpoints are completely separate; as part of that, ensure that externally facing machines are isolated and zoned off completely from all internal systems. Network zoning and proper segregation will ensure that if a device or host is compromised, the spread is limited to the isolated network zone and cannot traverse to other zones.
- Remove software that you are not using. This reduces the attack surface and in turn your security risk, and you will only have to maintain the software that remains installed.
- Use or prefer software that has auto-update capability. In most cases vendors are on the lookout for vulnerabilities, and these days patches are released on reasonable update cycles. Auto-update not only notifies you that there is a patch but also installs the latest working version of the software and can roll back in the event of the update not working.
- Keep patching and identifying which systems are vulnerable. If a vulnerable system is critical to you or your organisation and you need to keep it connected, limit interaction with the vulnerable module by either disabling it or blocking access to it.
- Have a strong patch management program; there are many technologies on the market that tell you when a patch is available, so use these to alert you as soon as an applicable patch has been released.
- Work quickly. In the case of the Shellshock vulnerability my best advice is that this needs to be addressed as soon as there is a fix; ignoring it will leave you or your organisation exposed, so it's vital that this vulnerability be properly and thoroughly resolved.
- Be extra careful with so-called "fixes". This is exactly what the bad guys have been waiting for: there will be many false prophets offering fixes that create backdoors to your systems, so be sure you get the fix from a reputable source.
- Encrypt your most sensitive files if you can’t patch immediately.
Can this threat be avoided all together?
The short answer is only if you don't use the vulnerable systems and software, but realistically most large corporate networks will have some of the vulnerable systems mentioned. In most cases the short answer is no: it cannot be avoided.
Conclusion
Security is an ever-evolving space and so is the threat landscape; as we have seen in the last six months, there have been some blockbuster vulnerabilities which have knocked some companies off their feet and, moreover, caused exposure for many organisations.
A dedicated security team that is vigilant and on top of such issues is a bigger requirement than ever before; when these types of events occur, they call for immediate action. Keep patching to keep safe. If you are not sure what to do, get hold of an expert who can help you solve this problem. This issue slipped past the whole world undetected for years and it's not going to be fixed overnight, but you do need to start addressing it right away, for soon there will be an overwhelming plethora of exploits and you need to be ready to defend your systems.