Many network administrators and information security folks are feeling the effects of the ‘Shellshock’ bug, this morning. The bug has been confirmed as ‘worm-able’, and proof-of-concept code is already bouncing around.
In many ways, Shellshock is worse than Heartbleed. Here is a quick, plain English breakdown of the vulnerability:
What Shellshock Is:
It’s an attack that does not require the attacker to ‘authenticate’ to the system or server being attacked. In other words- the attacker does not have to have a username/password, or break passwords.
What the attacker can do:
Everything up to full control of the compromised device/system/server.
What Shellshock affects:
Linux, Mac OS/X or any device that uses a ‘Bash’ Linux command-line (most internet connected devices).
If you read that it only affects Linux systems/servers- don’t breathe a sigh of relief just yet! Most of the ‘Internet-of-things’ devices (Cameras, refrigerators, TVs, etc.) use a form of Linux, and are potentially vulnerable. In addition, if you are running ‘SOHO (Small Office/Home Office)’ wireless access points, managed switches, and routers, or if you are using a store-bought Firewall/Cable modem then you may be vulnerable.
If you rely on IT support, and they tell you that there is ‘No problem- we don’t allow shell or terminal access to the outside world’, then you need to point out to them that is not the entire attack vector: Any process, or program that IS accessible, that sends commands to the shell, is potentially vulnerable. It is not always obvious which programs or services do this, behind the scenes.
So what can be done?
Review and Confirm: Check your systems, servers, and devices to see if they are, in fact, potentially vulnerable.
Patch: A number of the primary Linux shell versions had patches available within hours.
Keep an eye out for firmware updates for your internet devices: Internet connected TVs, Wifi access points, SOHO-class firewalls, Network storage devices, internet connect cameras, etc.
Kill Non-essentials: Consider turning off, or disconnecting, non-essential ‘internet-of-things’ devices until a patch is available for them.
BE ALERT FOR PHISHING SCAMS: So-called ‘spear phishers’, and scammers of every ilk, like to use these well-publicized security issues to trick people into downloading malicious programs. Always deal with a known security site, or directly with the manufacturer.
Patch NOW (the Register)
Shellshock bug (the Mirror)
TECHNICAL: CVE-2014-6271 (NIST.gov)