The recently discovered bug, Shellshock, also known as the “bash bug,” was made public on September 24, 2014, causing widespread anxiety as the initial patches failed to remediate all of the vulnerable code paths. The bug is found in Bash, an almost ubiquitous piece of system software used on millions of computers, including Linux-based machines and even Macs. Essentially, the vulnerability allows remote execution of arbitrary commands on web servers and other computers with no authentication required.
Threat Details and Severity Level
Red Hat’s advisory for CVE-2014-6271 describes a flaw in the way Bash evaluates certain specially crafted environment variables. An attacker can use this flaw to override or bypass environment restrictions and remotely execute shell commands. The bug demands the attention of the security community because of the pervasiveness of systems that are touched by Bash, which is the default shell on Mac OS X and many Linux machines. The National Vulnerability Database has given Shellshock the maximum Common Vulnerability Scoring System (CVSS 2.0) base score of 10 because of its ease of exploitation (low complexity) and high impact on confidentiality, integrity, and availability.
Shellshock Discovery and Patches
After the vulnerability was first reported on September 14, 2014, Red Hat released a patch and details of the vulnerability. Further analysis revealed that the original patch was insufficient to block all paths to the vulnerable code. The remaining exploitation path was therefore assigned a separate identifier, CVE-2014-7169, which also received a CVSS 2.0 score of 10 (high). Red Hat’s blog post, “Bash specially-crafted environment variables code injection attack,” provides more detail on both vulnerabilities. There is currently no patch available to cover these additional issues; however, there is also no evidence that the newly discovered, related vulnerability is being exploited in the wild.
Currently, intelligence sources indicate that the earliest incidents of active Shellshock exploitation in the wild likely began in the early morning of September 25, 2014. Those exploits leveraged the vulnerability on publicly accessible Linux systems to install a malicious DDoS bot binary. Unfortunately, this is only one example of how Shellshock can be leveraged; the ends to which the bug can be put are vast.
Vulnerable versions of bash are widely deployed. Patching and implementing workarounds on all affected systems is expected to take significant time, though lessons learned from mitigating the recent Heartbleed vulnerability may shorten that timeframe. Until then, we can expect a rapid increase in attacker activity related to scanning for and exploiting this easily triggered vulnerability.
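Because the scanning activity described above reaches bash through HTTP requests, web server access logs are one of the first places a defender can look for it. The following script is an added example, not part of the original advisory: it flags the function-definition marker "() {" that has to appear in a request header for the crafted value to reach bash as an environment variable via a CGI handler. It assumes Apache combined log format on stdin; the sample log lines are constructed, use TEST-NET addresses, and carry harmless payloads.

```shell
#!/bin/sh
# Added example, not part of the original advisory: flag Shellshock probes in
# a web server access log. To reach bash through a CGI handler the crafted
# value has to arrive in an HTTP header, which the server copies into an
# environment variable, so the function-definition marker "() {" shows up in
# the logged User-Agent or Referer field. Log format is assumed to be Apache
# combined; the sample lines below are constructed, with harmless payloads.

# Marker regex: literal "()" then optional spaces then "{", the form bash
# recognised as an exported function definition.
SHELLSHOCK_RE='\(\) *\{'

# Reads log lines on stdin and prints how many carry the marker.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e callers alive.
count_shellshock_hits() {
    grep -c -E "$SHELLSHOCK_RE" || true
}

# Reads log lines on stdin and prints the distinct client addresses that
# sent a marked request, one per line, for blocking or follow-up.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" | awk '{ print $1 }' | sort -u
}

# Constructed sample log (TEST-NET addresses); two of the three lines are probes,
# one via User-Agent and one via Referer, both from the same source.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:06:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; echo shellshock-probe"
198.51.100.4 - - [25/Sep/2014:06:12:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:06:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "() { :; }; echo shellshock-probe" "curl/7.30.0"'

main() {
    echo "probe lines: $(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits)"
    echo "probe sources:"
    printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
}

main
```

On a real host, replace the constructed sample with `cat /var/log/apache2/access.log | shellshock_sources` (path assumed); the regex deliberately tolerates the spacing variants seen in the wild, so expect to review hits rather than block on them blindly.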
One of the recent exploitations of the bug includes the distribution of malware. The observed malware is a 32-bit ELF binary executable compiled for Linux systems. The executable is a bot designed primarily to carry out DDoS attacks.
Mitigation of Shellshock Vulnerability
For System Administrators:
- Apply patches as soon as possible (Red Hat recommends applying the patch for CVE-2014-6271 immediately, rather than waiting for the patch that covers CVE-2014-7169).
- Check whether current patches have been ported to the architecture, platform, and operating system version that carries the vulnerable bash.
- Check the GNU bug-bash mailing list for patch availability.
- Implement Red Hat’s workarounds until a full patch is available.
- Watch for security updates, particularly on OS X.
For End Users:
- Mac users can easily test whether their bash is vulnerable.
- Keep an eye on any advice from your ISP or from the vendors of devices you own that run embedded software.
- Be cautious of emails requesting information or instructing you to run software.
- Ensure the router’s configuration page is reachable only from computers inside the home network.
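The "test whether your bash is vulnerable" and "check that patches have landed" items above can both be answered by the same local, read-only check. The script below is an added example, not part of the original advisory; it wraps the diagnostic command Red Hat published for CVE-2014-6271, probes the bash binary named by BASH_BIN (assumed default: the `bash` found on PATH), and only reports, changing nothing on the host.

```shell
#!/bin/sh
# Added example, not part of the original advisory: a local, read-only
# self-check for the CVE-2014-6271 function-import flaw, built around the
# diagnostic command Red Hat published. It probes the bash binary named by
# BASH_BIN (assumed default: "bash" found on PATH) and reports only.

BASH_BIN="${BASH_BIN:-bash}"

# Version string of the bash under test, for patch bookkeeping.
bash_version() {
    "$BASH_BIN" -c 'printf "%s\n" "$BASH_VERSION"'
}

# Exports a variable whose value is a function body followed by a trailing
# command. An unpatched bash executes the trailing command while importing
# the function; a patched bash ignores it (possibly with a warning on
# stderr). Prints one of: vulnerable, patched, no-bash.
shellshock_6271_status() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo no-bash
        return
    fi
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Exit status 0 only when the bash under test is confirmed patched, so the
# function can drive a fleet-wide inventory script.
shellshock_6271_ok() {
    [ "$(shellshock_6271_status)" = "patched" ]
}

main() {
    echo "bash under test: $BASH_BIN ($(bash_version 2>/dev/null || echo unknown))"
    echo "CVE-2014-6271:   $(shellshock_6271_status)"
}

main
```

A "patched" result covers only CVE-2014-6271; as the advisory notes, the follow-on issue CVE-2014-7169 needs the separate fix, so record the printed version string and compare it against your vendor's advisory for that CVE as well.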
In summary, the Shellshock bug will require aggressive patching, and it is likely to have a significantly greater impact than Heartbleed. So far, the bug is being exploited to install DDoS botnet malware, but its potential for other cybercrime attacks is vast. Be sure to apply current patches and monitor security resources for updates.