With the recent discovery of the Shellshock bug, many banking institutions are left wondering what the implications are to the financial industry and how to begin to secure systems. In this post, we've addressed common questions and mitigation tactics for banking entities to reduce the risk of exploitation through the Shellshock bug vulnerability.
Question: What is the Shellshock bug?
Answer: Shellshock is the name given to a pair of closely related vulnerabilities in the GNU Bash command interpreter, or "shell." A shell is a command-line program that tells the operating system what to do. By using specially crafted values for Bash environment variables, the vulnerabilities allow an attacker to completely compromise the confidentiality, integrity, and availability of a system. Systems may be compromised by a remote attacker, enabling them to execute their own code without any authentication.
Question: What does the Shellshock bug mean for financial institutions?
Answer: Most online banking sites won't be susceptible to Shellshock. Common Gateway Interface (CGI) applications implemented using Bash have become exceedingly rare and are practically unheard of among Internet banking applications today. While it’s very likely that Bash is found on many internal systems (anything living inside of the firewall), the risk of it being exposed to the point that it can be easily exploited is small. Financial institutions should still test for Bash-using systems immediately.
Question: How is Shellshock currently being exploited?
Answer: Shellshock is being exploited to expand the ranks of distributed denial-of-service (DDoS) botnets, which could then be directed towards banks (although evidence so far suggests the botnets being built using Shellshock are more for hacktivism). If exposed systems are compromised, they could become a part of a DDoS botnet. DDoS attacks can damage a brand or contribute to the installation of malware which is often used to steal account credentials with the intent of committing fraud.
Question: How pervasive is the Shellshock bug?
Don Jackson: The Bash shell is commonly installed by default as part of Linux and Apple Mac OS X operating systems. It can found on systems from high-performance webservers to small, efficient devices like home networking routers, webcams, and even smartphones. Having been around for 25 years, Bash is ubiquitous in many business environments, making it critical for patches to be installed.
Question: As a financial entity, what should I do first?
Answer: Closing the hole that allows attackers exploiting Shellshock to enter bank systems is the top priority. As a preventive measure, it may completely eliminate the risk exposure associated with vulnerable systems. If a system has already been compromised, it will close the door that hackers will likely try first in attempt to regain access.
Question: What patches are available?
Answer: Details of Shellshock were released publically along with a patch to fix it. However, additional research revealed that the patch did not completely mitigate the flaw. Some Linux distribution maintainers and vendors of enterprise Linux systems made patches available before the first attacks were observed. If a patch is not yet available for a particular system, it is encouraged to press vendors to make patch availability a priority. It is also advised to monitor vendor announcements via vendor email lists, websites, and social media outlets for information on patch availability. Bash should be treated as a core piece of software affecting systems that are vital to business-critical functions. Patching many of these systems will take time to test, prepare, and roll out the fixes.
[Update] Apple has released patches for Shellshock bug.
Question: How do I test for Bash installations?
Answer: Systems management, network discovery, and software inventory tools such as Qualys or Nmap should be able to help find installations of Bash across the environment and verify version information that could be important for remediation purposes.
Question: How will I know if my systems have Bash vulnerabilities?
Answer: Security assessment tools should be able to easily determine if Shellshock vulnerabilities are exposed via CGI on webservers through scans that attempt simple, benign "exploits.” Whether in-house or third-party, software developers and system administrators can help verify important technical details used to verify exploit vectors, such as:
- Are any CGI applications implemented using Bash at all?
- Do CGI applications written in other languages invoke Bash as a sub-shell using certain functions?
- Does PHP code run under its own module or as a CGI application?
Question: What configuration options and other technological controls would help mitigate or prevent system compromises by Shellshock exploitation?
Answer: Webservers are often deployed facing the most hostile network environment there is: the public Internet. Network, webserver, and web application security lessons learned in the past are a good guide:
- Mounting filesystems writable by web server processes with the "noexec" flag.
- Using security policy and access control technology like SELinux or AppArmor for fine-grained control over what code can be executed, and which data can be accessed, under which specific conditions.
- Use of host integrity control systems that prevent any unrecognized code from executing.
- The use of host-based webserver-specific controls such as mod_security for the Apache webserver.
Question: How can I configure and block Shellshock exploit attempts?
Answer: There are several options for deploying controls at various network layers and in logical network positions that, in combination, can provide a robust defense. For example:
- Firewall and network IDS/IPS rules that detect, and possibly block, traffic based on the patterns associated with exploit attempts and known payloads
- Web application firewalls (WAFs) that understand what exploit attempts look like at the application layer and filter bad or suspicious requests from ever reaching webserver or the CGI layer
Intelligence suggests that the Shellshock bug will impact systems unparalleled to any other bug observed in the history of the Internet to date. Mitigation of the vulnerabilities must be prioritized by financial institutions. Follow our blog for more information security matters relevant to the financial industry.