As you may have heard, a new vulnerability has been announced that could be a very serious issue for many users. It is being called the Bash bug or Shellshock. It is considered a zero-day, meaning that exploits that take advantage of the vulnerability were released before the vulnerability was patched. Please note that this issue is rapidly evolving. In the 4 hours it took the Parameter Crew to drive to Louisville, KY for DerbyCon, a proof-of-concept remote exploit was released. A botnet that uses the vulnerability to spread was also discovered; this Shellshock botnet is currently attacking CDNs such as Akamai and US Dept of Defense networks. We wanted to send out a quick email to give our clients and friends up-to-date information.
What is Bash? – Bash stands for Bourne Again Shell. A shell is essentially the command line interface of an operating system. Unlike Windows, which only uses a DOS-style shell, UNIX and UNIX-derived operating systems have different shells they can use. Bash is by far the most popular CLI (command line interface) and is the default shell in many operating systems. This affects UNIX, all Linux flavors, and Macs that use Bash for their CLI.
So you’re telling me every one of my Linux machines and Macs is vulnerable? Essentially yes. But before you wrap them in foil, take a deep breath. In most cases this vulnerability is what we refer to as a local exploit. In order for a malicious attacker to exploit the vulnerability, the local user would need to access a site or download a file that would load the exploit. If this system is being used in a non-server role, be careful where you go on the internet and avoid installing new applications until a patch is released. Due to a possible attack with DHCP (a service which gives computers their IP addresses on a network), we recommend that you do not connect to any public or unknown networks until you have patched your system. Just to clarify, this is an exploit, not malware. Your antivirus software will most likely not detect this.
I have a server that is UNIX/Linux/Mac. What do I need to know? Certain server services use aspects of Bash. This allows a remote malicious attacker to send the exploit code to the server listener and compromise the system remotely. The DHCP server service, Apache installs that use CGI scripts, Telnet, and SSH have all been found to be vulnerable. Until an effective patch is released, keep an eye on your logs. If possible, isolate these systems.
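One way to keep an eye on the logs of an Apache server that runs CGI scripts, written as an added example (not Parameter Security's or Tenable's code). It assumes an access log in Apache combined format; the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag access-log lines that carry the Shellshock marker.
# CVE-2014-6271 is triggered by an environment variable whose value begins
# with a function definition, "() {". CGI copies request headers into the
# environment, so the marker shows up in logged fields such as User-Agent.

# Literal or URL-encoded "() {", with optional whitespace before the brace.
SHELLSHOCK_RE='(\(\)|%28%29)([[:space:]]|%20|\+)*(\{|%7[Bb])'

# Print "hits client_ip" for every client that sent a matching request,
# busiest client first. $1 is the path to the access log.
scan_shellshock() {
    grep -E -- "$SHELLSHOCK_RE" "$1" |
        awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Constructed sample log (combined format, documentation address ranges).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 -0500] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :;}; constructed-sample"
198.51.100.7 - - [25/Sep/2014:10:01:11 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { x; }; constructed-sample" "-"
203.0.113.5 - - [25/Sep/2014:10:02:40 -0500] "GET /cgi-bin/a?x=%28%29%20%7B HTTP/1.1" 200 31 "-" "curl/7.30.0"
192.0.2.10 - - [25/Sep/2014:10:03:00 -0500] "GET /js/app.js?cb=f() HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
scan_shellshock "$sample"   # the last sample line ("f()" with no brace) is not flagged
rm -f "$sample"
```

Apache's combined format records only the request line, Referer and User-Agent, so a marker sent in any other header will not appear unless the LogFormat captures that header.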
Hasn’t this been patched? According to US-CERT, a patch was released today, 9/25/14. However, the patch does not completely resolve the vulnerability. Mitre has identified these vulnerabilities as CVE-2014-6271 and CVE-2014-7169. You can stay up to date with information on the US-CERT alert page at https://www.us-cert.gov/ncas/alerts/TA14-268A.
Since this doesn’t affect Windows systems, does this mean that Windows is a better, more secure operating system? Not at all. All operating systems are made up of millions of lines of code. Vulnerabilities and malware are present in every operating system. All operating systems are designed to be secure. Vulnerabilities are errors in the design, development, or implementation of the OS. Instead of believing that a single OS is superior and secure by nature, we all need to remain vigilant.
Tenable has released a check for Nessus to determine if a system is vulnerable to Shellshock. If you need us to test your system, don’t hesitate to contact us at info (at) parametersecurity (dot) com.