Shellshock Bash bug impressions
There's been some discussion both at work and on Twitter on whether or not the bash bug is worse than Heartbleed. Bottom line is that it doesn't matter. Both bugs have a severity of 10 out of 10, which make them serious business for everyone involve in information security. For the record, I do think Bash is a little more complicated than Heartbleed, but has the potential to be much more dangerous.
Unlike Heartbleed, which just scrapped information as it goes by on a system using OpenSSL. The Bash bug needs some form of initial bash access. Bash for the uninitiated is essentially a command prompt within Linux, Unix and Mac systems. Common Gateway Interface (CGI) functionality seems to be enough for the bug to be exploitable. The good news is that not all websites utilize CGI; unfortunately, it appears that about half the websites on the internet do, mostly webservers running Apache. For a more in-depth technical look at the Shellshock Bash bug I would highly recommend Troy Hunt's post.
More bad news
The Bash bug isn't just limited to webservers though. It could also affect anything that connects to the internet, which would include your router and any home appliances that can be accessed from an app or the internet. Once the exploit is executed, the attacker essentially has the access to do whatever he wants on the device and it's already being exploited in the wild.
What can be done?
Test everything: IT departments should be testing any device that uses Linux, Unix, and Mac as part of its structure. This includes appliances, firewalls, routers, switches, printers, websites, phones, etc. Bash use is so widespread that ever organization is going to have something vulnerable that will need to be patched. Devices that are available to the internet are of particular concern and should be tested first.
Pay attention to network traffic logs: signatures should be available for Intrusion Prevention/Detection Systems (IPS/IDS). Watch for incoming and outgoing alerts and pay attention to anything abnormal in the logs. Anything abnormal should be investigated.
Patch everything: vendors should be working on patches and once available should be applied to systems at a reasonable time. Systems available on the internet should be patched as soon as possible. Systems available internally should be patched next with the most critical systems first. After patches are applied the system needs to be tested for the bash bug. The easiest way I've seen is opening up a console and typing in this command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
At home equipment: routers are likely to be the biggest problem. ISP owned routers should be patched by the ISP. Personally owned routers will need to be patched by the owner. It's usually quiet easy to do; but not easily remember to do. For my home router I have to login to the router. Go to the firmware version and click the update button.
Browsing the internets: this is a good time as any to start utilizing safe browsing techniques on the internet. This bug is going to allow attackers to change content on vulnerable web servers, which could include adding malware to that content. This could put anyone who browses to the website at risk of downloading that malware content. Here are two tips for safe web browsing:
Make sure your system is fully patched. That includes: operating system updates, java, adobe flash player, etc. A program that can help with this is Secunia. It's free and does most of the updating for you
Use FireFox to browse the internet. It is free and there's a wonderful add-on that can be installed called NoScript that protects a computer from cross-site scripting (XSS) and Clickjacking attacks. It will require some work to use initially.
We'll get through this
This is a very serious bug and it's easy to get overwhelmed and/or paranoid, but we will get through it. The more I've researched and tested for the bug the more comfortable I've become with it. That doesn't mean I'm worrying less or more at ease, but it does mean that I think we can get a handle on it get the issue fixed. Well fixed for those that want to put the time and effort into getting the bug fixed.
This post first appeared on Exploring Information Security.