Shellshock: Be Wary, But Don’t Panic
Hundreds of millions are vulnerable. The questions is, how many are actually exploitable?
On September 24, a new bug was reported that you may have heard about. Shellshock, also known as the Bash Bug, is a software vulnerability that could make your systems vulnerable.In terms of impact, exploitability, and severity the National Institute of Standards and Technology (NIST) rates this bug a 10 out of 10.
Many people are concerned about this bug, but it may be too early to panic. Let us explain.
Why is this happening?
The default command shell on Linux, Unix, and Mac systems is called Bash. Bash translates your commands into a language the operating system can understand. For decades, this vulnerability has existed inside Bash. On September 24, a security researcher publicly announced it for the first time.Who is affected?
Most non-Windows operating systems (e.g., Linux, Unix, and MacOS) used by computers, routers, websites, servers, etc. are vulnerable. Some Windows operating systems can be affected if their users have installed Bash.What does Shellshock allow hackers to do?
Shellshock opened a way for attackers to take full control of your computer or server by injecting malicious requests into the Bash command process. That means if a hacker does happen to exploit this vulnerability, they can install malware to scrape your data, modify system settings, access databases, run programs, etc.But, don’t panic quite yet. There is a difference between vulnerability and exploitability. Just because you are vulnerable, doesn’t necessarily mean attackers can access your systems. Thus far, only isolated instances of exploitability have been discovered.
“The extensiveness of the remote exploitability of Shellshock is yet unknown,” said Chad Horton, Penetration Test Manager at SecurityMetrics. “Initial research suggests this vulnerability will be most severely exploited from attackers located on the same local area network (LAN) as the victim. Which, while severe, is less of an impact than remotely exploitable vulnerabilities.”
How do I fix it?
The bad news is, there’s no complete fix…yet. Some patches have been released, but have since been reported as incomplete. For now, it’s a waiting game. Only after vendors issue patches to their software can users work to stop the Shellshock vulnerability on their systems.Here’s our advice
- Install any software updates as soon as they are released (You may even have to patch the same system multiple times this week, as many patches will be released)
- Run vulnerability scans often. (Know that vulnerability scans will not be 100% accurate within the next couple weeks because it’s very likely more exploits will be found)
- Check with your vendors to make sure they’re actively working on patches. (Some vendors have already invested time into making sure their systems are secure against Shellshock. For example, Check Point and SonicWALL)
For those technical folks out there...
To mitigate exploit potential, it’s best practice to ensure daemons are running with the least amount of privileges required to perform necessary functions. Keep in mind, using root to run a daemon is never a good idea.Here’s a command line test to see if your system is vulnerable.
Enter the following command:
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test