Another round of Shellshock Bash bug links October 2, 2014

Here's some of the latest news on the Shellshock Bash bug:

The anatomy of a Shellshock attack in the wild - Troy Hunt - troyhunt.com

It’s probably a bit early to speculate about the true cost of Shellshock, but what I can do – and in a very objective fashion – is decompose a typical Bash bug attack. I can do this because I had one hit my logs just a couple of days ago.

Shellshock fixes beget another round of patches as attacks mount - Sean Gallagher - ars technica

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 - Andrew Cunningham - ars technica

Shellshock, in essence, allows attackers to issue commands to systems via malformed environment variables. In the case of Web servers, it can allow attackers to gain full control of the system. Exploits of the bug have already been spotted in the wild, and end users and server administrators are all encouraged to patch their systems as soon as possible.

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole - Sean Gallagher - ars technica

In other words, “Shellshock” may be partially patched, but it’s still highly dangerous on systems that might use bash to pass information to the operating system or to launch other software. And it may take a significant change to fix the code.

This post first appeared on Exploring Information Security.

Shellshock Bash bug impressions

There's been some discussion both at work and on Twitter on whether or not the Bash bug is worse than Heartbleed. Bottom line is that it doesn't matter. Both bugs have a severity of 10 out of 10, which makes them serious business for everyone involved in information security. For the record, I do think the Bash bug is a little more complicated than Heartbleed, but it has the potential to be much more dangerous.

Unlike Heartbleed, which just scraped information as it went by on a system using OpenSSL, the Bash bug needs some way of reaching bash on the target system. Bash, for the uninitiated, is essentially the command prompt on Linux, Unix and Mac systems. Common Gateway Interface (CGI) functionality seems to be enough for the bug to be exploitable. The good news is that not all websites use CGI; unfortunately, it appears that about half the websites on the internet do, mostly web servers running Apache. For a more in-depth technical look at the Shellshock Bash bug I would highly recommend Troy Hunt's post.

More bad news

The Bash bug isn't just limited to web servers though. It could also affect anything that connects to the internet, which would include your router and any home appliances that can be accessed from an app or the internet. Once the exploit is executed, the attacker essentially has the access to do whatever they want on the device, and the bug is already being exploited in the wild.

What can be done?

Test everything: IT departments should be testing any device that has Linux, Unix or Mac somewhere in its makeup. This includes appliances, firewalls, routers, switches, printers, websites, phones, etc. Bash use is so widespread that every organization is going to have something vulnerable that will need to be patched. Devices that are reachable from the internet are of particular concern and should be tested first.

Pay attention to network traffic logs: signatures should be available for Intrusion Prevention/Detection Systems (IPS/IDS). Watch for both incoming and outgoing alerts, and investigate anything abnormal in the logs.
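As an added example (not code from the original post or from any of the linked articles), here is a small Python scanner over constructed Apache combined-format log lines that flags the "() {" function-definition prefix in the request line, referer and user-agent fields, which are the fields a CGI-enabled server exports as environment variables; the regexes and sample lines are assumptions made here, not signatures from any IDS vendor.

```python
import re

# Apache "combined" log format: client, ident, user, time, request, status,
# size, referer, user-agent. Assumed layout for this example.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Core Shellshock marker: a value that begins with a bash function definition,
# "() {". Tolerate whitespace between the tokens, since probes vary in spacing.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def find_shellshock_hits(log_lines):
    """Return a list of (client, field, value) for each log line whose
    request, referer or user-agent carries the "() {" prefix.

    These three fields matter because a CGI-enabled web server copies them
    into environment variables (REQUEST_URI/QUERY_STRING, HTTP_REFERER,
    HTTP_USER_AGENT) before bash ever sees them.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        fields = {
            "request": m.group("request"),
            "referer": m.group("referer"),
            "agent": m.group("agent"),
        }
        for name, value in fields.items():
            if SHELLSHOCK_RE.search(value):
                hits.append((m.group("client"), name, value))
    return hits


# Constructed sample lines (documentation-range IPs, not from a real server):
# one benign request, one probe in the user-agent, one probe in the referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:03:42 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 17 "-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [25/Sep/2014:10:03:50 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;}; echo vulnerable" "curl/7.37"',
]

if __name__ == "__main__":
    for client, field, value in find_shellshock_hits(SAMPLE_LOG):
        print(f"{client} sent a Shellshock marker in {field}: {value!r}")
```

Feed it a real access log one line at a time and anything it returns is worth correlating with outbound traffic from that server, since a successful probe is usually followed by a download or callback.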

Patch everything: vendors should be working on patches, and once available they should be applied to systems within a reasonable time. Systems reachable from the internet should be patched as soon as possible. Internal systems should be patched next, with the most critical systems first. After patches are applied the system needs to be tested for the Bash bug again. The easiest way I've seen is opening up a console and typing in this command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

At-home equipment: routers are likely to be the biggest problem. ISP-owned routers should be patched by the ISP. Personally owned routers will need to be patched by the owner. It's usually quite easy to do, but not easy to remember to do. For my home router I have to log in to the router, go to the firmware version page, and click the update button.

Browsing the internet: this is as good a time as any to start using safe browsing techniques. This bug is going to allow attackers to change content on vulnerable web servers, which could include adding malware to that content. This could put anyone who browses to the website at risk of downloading that malware. Here are two tips for safe web browsing:

  1. Make sure your system is fully patched. That includes operating system updates, Java, Adobe Flash Player, etc. A program that can help with this is Secunia. It's free and does most of the updating for you.

  2. Use Firefox to browse the internet. It is free, and there's a wonderful add-on called NoScript that protects a computer from cross-site scripting (XSS) and clickjacking attacks. It will require some work to use initially.

We'll get through this

This is a very serious bug and it's easy to get overwhelmed and/or paranoid, but we will get through it. The more I've researched and tested for the bug, the more comfortable I've become with it. That doesn't mean I'm worrying less or am more at ease, but it does mean I think we can get a handle on it and get the issue fixed. Well, fixed for those who want to put in the time and effort to get the bug fixed.


Shellshock Bash bug links September 25, 2014

Bug in Bash shell creates big security hole on anything with *nix in it - Sean Gallagher - ars technica

A good starting point for understanding what the Bash bug, aka Shellshock, is. To test your Linux, Unix, or Mac based equipment, type this into the command line:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get the word "vulnerable" as a response, then your machine is affected by this bug.

Everything you need to know about the Shellshock Bash bug - Troy Hunt - troyhunt.com

A longer, more in-depth look at the bug sweeping the internet. I would highly recommend reading this if you work in an IT department.

The Thanks-Rob Worm to Come - Richard Stiennon - securitycurrent

It appears someone has begun using the bug to create a worm that downloads malware.

AWS users fret over downtime ahead of Amazon's massive EC2 reboot - Liam Tung - ZDNet

Shellshock isn't mentioned as a reason for the reboot, but a "critical security flaw" is, which likely means that Amazon Web Services is affected by this bug.
