A super-serious flaw in the “bash” shell – the command line interpreter for Unix-based systems including Linux and Mac OS X – has sent server administrators scrambling to patch their systems. The vulnerability has already acquired the name “Shellshock”, for obvious reasons.
Many are saying this hole is as dangerous, if not more so, than the Heartbleed flaw found in the OpenSSL standard back in April. Here’s what you need to know about it.
What is the Shellshock flaw?
Reported to [company]Red Hat[/company] by Unix expert Stéphane Chazelas last week and revealed late Wednesday, the bug affects how bash “evaluated certain specially crafted environment variables,” as the Red Hat advisory put it. This means attackers can execute shell commands that are supposed to be subject to restrictions. As the U.S. National Institute of Standards and Technology (NIST) warned in its own advisory about Shellshock: “Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service.”
More scares, courtesy of the OSS-Sec mailing list:
The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.
Why is this so serious?
Because of Bash’s ubiquity. The Bash shell has been around since 1989 and it’s the default shell not only in Mac OS X, but also in many flavors of Linux – which powers a lot of web-connected servers out there. As Red Hat explained in a blog post, many programs also run the bash shell in the background, to allow things like remote access via SSH or Telnet, or even the execution of certain commands.
Apache also uses bash to parse common gateway interface (CGI) scripts — and Apache servers are used to run around 60 percent of the websites out there today. It can even affect Microsoft environments, depending on which components they include.
Here’s what Microsoft MVP Troy Hunt wrote:
Bash can be used for a whole range of typical administrative functions, everything from configuring websites through to controlling embedded software on a device like a webcam. Naturally this is not functionality that’s intended to be open to the world and in theory, we’re talking about authenticated users executing commands they’ve been authorised to run. In theory.
Embedded software? Like in the internet of things?
Yup. This potentially affects a lot of the connected devices that are out there – from routers to smart lightbulbs — as well as servers. As ErrataSec’s Robert Graham explained in one of several blog posts on the matter, Heartbleed affected a specific version of OpenSSL but the Shellshock bug has been around for “a long, long time,” suggesting many old connected devices could be vulnerable. What’s more, though Heartbleed only affected servers and was fairly easily patched, many systems administrators failed to do so. The patching of Shellshock is likely to be even more … well, patchy.
As Graham wrote:
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.
Graham also scanned the internet (well, part of it) to see how widespread the bug is, and established that it is very much so. What’s more, he reckons it’s “wormable” — that is to say, it can be used for self-replicating attacks that spread across devices and systems.
How can this be fixed?
Red Hat has released a patch for its Linux distributions, though it subsequently warned the patch is incomplete, and vendors like Akamai have issued advice on how to mitigate the problem. Apple needs to issue a fix for Mac OS X.
Unfortunately, as Hunt wrote, some systems administrators may need to use an alternate shell or cordon off vulnerable systems for now, meaning “hard decisions that could have tangible business impact in order to avoid potentially much more significant ramifications.” In short, they may need to break stuff.
Is Shellshock being exploited?
As Akamai noted, the longevity of the bug means system owners may never know “what, if any, compromises might have happened.”
But right now? Shellshock is an incredibly widespread and easy-to-exploit vulnerability for which there are as yet no effective patches – and it just got publicized. What do you think?