Shellshock: The Shock Heard Around the World Wide Web

by | Dec 10, 2014 | Software Exploits


Shellshock reared its ugly head on September 24, 2014 when Stephane Chazelas discovered the bug, which is also referred to as Bash Bug or Bashdoor. Its names come from the fact that this bug affects the Unix Bash shell, which provides an interface for the UNIX operating system, as well as similar systems, such as Linux and Mac OS X.

Bash is a very popular free software program utilized to execute command lines and command scripts for Internet-connected computers, such as web servers using Common Gateway Interface (CGI) for generating dynamic content on web pages and applications.  Bash has been around since the late 1980s and so too have these newly found vulnerabilities that have gone undetected for so long – now making all versions of Bash from 1.03 to 4.3 susceptible to Shellshock.

How Shellshock Works

Shellshock is considered a GNU Bash Remote Code Execution Vulnerability. In a nutshell, it allows attackers to gain unauthorized access to a targeted computer system. Attackers can execute arbitrary commands remotely on an affected system, such as a web server or a router. Examples of these malicious commands could include downloading malware, modifying authentication, changing website code or defacing a website, modifying the contents on the web server, installing backdoors, and the list goes on.

Unlike other well-known exploits such as Heartbleed, Shellshock is extremely simple, making it a much greater threat. All it takes is writing a couple of lines of code. Furthermore, Shellshock has the potential to be wormable: attackers can create self-replicating code that runs on vulnerable systems and spreads quickly across networks, injecting malware, stealing data, and creating major havoc.

Who’s at Risk?

Shellshock can be potentially devastating for businesses. Web servers are most likely to be exploited; however, any Linux or UNIX server that leverages Bash runs the risk as well. And although Windows users may believe that they are protected from the nastiness of this bug, most businesses are using some type of web service that runs on a Linux or UNIX web server, making them vulnerable as well. In fact, some statistics are saying that Shellshock could affect around 500 million websites and even more Internet-connected devices.

If a web server is compromised, the fallout can be devastating to a business. Hackers can then gain access to the organization’s network through the web server and submit commands to wreak havoc across its entire IT infrastructure.

What to Do?

If you are utilizing Bash within your organization, the first step in the mitigation process is to upgrade to the latest version of the software program and verify your security settings, replacing your SSH keys and changing credentials to protect against intruders. Reviewing your database logs to determine whether any unusual queries were run is also an important step.

Next, apply any available patches.  Many vendors quickly responded to the Shellshock discovery and released patches for their solutions in order to eliminate any potential security threats.

The Aftermath of the Shock

The first vulnerability that was found on September 24th is referred to by the CVE identifier CVE-2014-6271.  Within the next few days, six additional vulnerabilities were detected in the Bash program.  As vendors were working feverishly to come out with patches, cyber criminals were looking at ways to penetrate any systems running Bash.

In the days following the initial Shellshock discovery, millions of probes and attacks were reported. Some of the reported attacks included distributed denial-of-service (DDoS) attacks. One was an attempt to scan the U.S. Department of Defense systems, while CloudFlare reported that they were tracking approximately 1.5 million Shellshock-related attacks and probes each day.

There have also been reports that Shellshock has been used through Mayhem, a well-known malware kit.  Having a malware infrastructure in place makes it easier for criminals to utilize Shellshock as a weapon and increase their number of probes and attacks.
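
As an added example (not part of the original article), the probes described above can be found in a web server access log: this Python script flags client-supplied fields that carry the `() {` function-definition marker associated with Shellshock requests. The combined log format, the constructed sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format; quoted fields may hold backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)
FIELDS = ("request", "referer", "agent")  # all three are client-controlled

# Unpatched Bash treated a variable whose value starts with "() {" as a
# function definition, so the marker is looked for at the start of a header
# value or right after a URL delimiter. Matching mid-token would flag "fn(){}".
MARKER_RE = re.compile(r'(?:^|[?=&\s])\(\)\s*\{')

def find_probes(lines):
    """Return (line_number, source_ip, field) for each field carrying the marker."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue  # not in combined format; skip rather than guess
        ip, *values = match.groups()
        for field, value in zip(FIELDS, values):
            if MARKER_RE.search(unquote(value)):  # also catches %28%29%20%7B
                hits.append((number, ip, field))
    return hits

def probes_per_source(lines):
    """Count flagged fields per source IP to rank the noisiest scanners."""
    return Counter(ip for _, ip, _ in find_probes(lines))

# Constructed sample lines (documentation IP ranges); the command part is elided.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :; }; <command elided>"',
    '198.51.100.7 - - [25/Sep/2014:10:01:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;}; <command elided>" "-"',
    '203.0.113.4 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/a?x=%28%29%20%7B%20%3A%3B%20%7D%3B HTTP/1.1" 404 0 "-" "curl/7.30"',
    '192.0.2.10 - - [25/Sep/2014:10:03:00 +0000] "GET /js/app.js?cb=fn(){} HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, ip, field in find_probes(SAMPLE_LOG):
        print(f"line {number}: {ip} sent a function-definition marker in {field}")
    print(probes_per_source(SAMPLE_LOG).most_common())
```

A hit shows that a host was probed, not that it was compromised; a 200 response from a CGI path on a server that was still unpatched at that time is the case to investigate first.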

Protecting from Threats

Experts believe that the Shellshock vulnerabilities are not going away any time soon and attackers will continue to attempt to penetrate systems running Bash.

This is a perfect opportunity for organizations to identify all of their UNIX, Linux and Mac OS X systems and conduct application security testing to determine if and where vulnerabilities exist in these applications that they rely on to run their operations.

