What Is The Shellshock Bug And Should You Be Worried?

A serious vulnerability in Bash, the software used to control the command shell in many aspects of Unix, has been discovered in OS X.

The flaw is being dubbed as ‘Shellshock’ and allows an attacker to run a wide range of malicious code remotely

Shellshock was discovered by researchers at Red Hat and experts have warned it could be worse than the dangerous Heartbleed flaw uncovered earlier this year. Security firm Rapid7 has rated Shellshock as 10 out of 10 for its severity and ‘low’ for complexity, as hackers can exploit it using just three lines of code.

But what exactly is Shellshock and just how dangerous is it? Here’s what the experts had to say…

Kevin Epstein, VP Information, Security and Governance at email security specialist Proofpoint

“Initial indications are that Shellshock (the BASH flaw) has been present in the code for a longer period than Heartbleed, and is in a more general-use area of the code. Correspondingly, this vulnerability will likely be more widespread and in code that’s no longer being maintained, such as legacy routers and NAS devices. Clearly this has wider security implications than Heartbleed, and suggests need for additional incremental layers of security as well as patches.”

Tim Erlin, director of security and risk at Tripwire

“This vulnerability in Bash delivers a kind of double-whammy to the IT security folks responsible for patching systems. The overlap of systems vulnerable to Heartbleed will be very high, and so the systems that are already difficult to patch for Heartbleed will also be difficult to patch for this new vulnerability. It won’t be long before we have a call to action for addressing this because of an actively used exploit.”

Troy Gill, senior security analyst of email and web security company, AppRiver

“Shellshock poses every bit as great a threat as Heartbleed. System administrators are now in a race against the clock to determine if their Linux-based systems are in fact vulnerable and to get them patched before the expected surge in effort of those actively exploiting this vulnerability. The vulnerability exists within Bash – which is an extremely common command shell in Linux and Unix systems, and allows for remote code execution.

“One major element that I believe could cause some issues is the fact that a lot of these users are part of the community that likes to believe that their systems don’t get malware because of the operating systems that they use. While it’s true they are less targeted, they are in no way invulnerable to attack. This could be a case in point if cybercriminals decide to make a move to quickly begin exploiting this vulnerability.”

Kasper Lindegaard, head of research at vulnerability management firm Secunia

“The impact of the vulnerability in Bash is that it can be exploited to effectively take over your systems. Reportedly, Bash is currently being exploited in limited attacks in the wild. The vulnerability is caused due to an error when parsing shell function definitions passed via environment variables and can be exploited to e.g. execute arbitrary shell commands via a specially crafted environment variable value passed to a CGI script via certain HTTP headers.

“There are multiple attack vectors for Bash, because a lot of organisations will be using Bash in different parts of their systems, and presumably many old devices on networks will be vulnerable.

“GNU, the Open Source project that has developed Bash, is a large and widely used project and should have the resources available to deal with the issue. They have, in fact, already released a patch – unfortunately it has proved ineffective, and there is therefore no official patch available at this stage. I am, however, expecting GNU Bash to release another patch today due to the criticality of this vulnerability, but the fact that the first patch wasn’t adequate, could indicate that they lack proper security quality assurance of their patches.

“Compared to Heartbleed, the vulnerability in OpenSSL from earlier this year, Bash is worse. Heartbleed “only” enabled hackers to extract information. Bash enables hackers to execute commands to take over your servers and systems. We have only seen the tip of the iceberg so far, and only the most obvious attack vectors.”

Lawrence Jones, CEO of Manchester-based internet hosting firm UKFast

“It’s too early to be able to say how many machines will be affected. Looking at what we’ve seen so far through our own testing, it appears that you can’t exploit much without having prior access to the system. So – as it stands – it seems unlikely that many systems will be vulnerable through arbitrary remote command execution. A lot of the existing proofs of concepts out there are specially designed to show how it theoretically could be compromised, not how it can be compromised on your average system. It’s like taking a door off by removing the hinges; they can only be removed from the inside.

“This isn’t to say there won’t be issues. The world’s eyes are now firmly fixed on this story and there will be thousands of people trying to find active exploits, so it is still a risk. Deploying the relevant security patch and running updates is an essential next step.

“My advice would be to apply the relevant patches and updates being offered by Linux providers and keep checking back for further information as further patches may be released. I would also always recommend protecting your systems with a secure firewall.”

Ian Pratt, co-founder at endpoint security vendor Bromium

“The Shell shock bash vulnerability is a big deal. It’s going to impact large numbers of internet-facing linux/unix/OS X systems as bash has been around for many years and is frequently used as the ‘glue’ to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.

“Bash is part of the infrastructure, something so pervasive that many sysadmins wouldn’t necessarily even know that the security of their applications depend on it. Any applications known to be using CGI scripts that call system or popen are at particularly risk — many php, perl and python scripts will fall into this category. Some python modules call os.system without the application doing so explicitly.  Simply disabling bash is typically not an option, though it may help to change applications’ default shell to some other bourne shell compatible shell such as ‘sh’ or ‘dash’ (though beware — ‘sh’ is actually the same binary as bash on some systems). However, if an application invokes bash explicitly it will still be vulnerable.

“Even client systems that don’t explicitly run network facing services may be vulnerable too, by way of software such as the DHCP client that may pass data received from a DHCP server through bash. This means that malicious WiFi hotspots could potentially compromise vulnerable systems. All Linux/Unix/OS X sysadmins should be scrambling to update bash on all their systems, prioritising those exposed to untrusted networks.

“Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface – this likely won’t be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or used minimalist shells where required.”

Mark James, security expert at Internet security firm ESET

“At the early stages of this vulnerability it’s not quite certain how much of an impact it will have on systems. What we can expect though is the community going through their servers and checking to see if they are affected, the test is very simple and done from a command line.

“The problem we have is that this bug has been around for a very long time. We also are not really sure how many systems it actually affects. We do know however it is more than the Heartbleed bug as unlike specific versions of OpenSSL that were affected with Heartbleed, this particular issue affects a much wider platform of almost all Linux, Unix and MAC Oss, and pretty much any OS that uses the GNU Bourne Again Shell (BASH).

“The concern is that Apache, which is used in more than 50% of web servers will use BASH to execute scripts for dynamic content and thus could be compromised to launch code on your server. An unpatched system could leave your server wide open and vulnerable to attack.

“What should you do now? Firstly run a command line test, then patch your systems. Check for any updates then check again, run the script and ensure you get the warnings. If you still don’t, then you should update BASH to the latest version manually. Also please keep an eye on network traffic, take this opportunity to tighten control on any non-essential services and turn them off.”

Gavin Millard EMEA technical director at network security developer Tenable

“The potential for attackers utilising Shellshock is huge with millions of UNIX and Linux servers vulnerable. The major concern of Shellshock is the staggering amount of systems that have bash installed – almost every UNIX platform and many of the Internet of Things devices we now have in our homes and businesses.

“Unfortunately, due to the ease of exploit, Shellshock is a prime candidate for a worm. We could be looking at another SQL Slammer like worm but instead of 100,000 servers being affected, it could be more like 100,000,000, which would be catastrophic.

“Every organisation should be scanning for this vulnerability today and patching everything they can.”

How much do you know about hacking? Take our quiz!