A newly discovered bug, dubbed Shellshock, could pose an even greater hacking threat than the Heartbleed bug earlier this year, but this one doesn’t require users to change their passwords.
The security flaw was discovered in one of the most fundamental interfaces powering the internet: the command-line shell used in many Linux and Unix operating systems, leaving websites and devices powered by these operating systems open to attack.
Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so, however, rests with webmasters and systems administrators rather than average users.
Security firm Rapid7 has rated the bug as 10 out of 10 for its severity, but “low” for complexity – with hackers able to exploit it using just three lines of code.
However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords, but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.
If Heartbleed’s effect on users was akin to unlocking everyone’s front door simultaneously, sending people scrambling back home to turn the key (i.e. change their passwords), then Shellshock is like giving thieves a new type of crowbar to break into houses with: they’re just as likely to use older methods, but it’s still a blow for general security.
Analysis: years before ‘deadly’ bug is completely eradicated
Professor Mike Jackson, cyber security expert from Birmingham City University, warns that Apple PC users are more at risk from the flaw and that, although the potential damage is hard to gauge, millions of websites could be open to exploitation of the Shellshock bug.
“There are two main families of basic computer software in the world; those which are Windows based and those which are Unix based. The Unix world has just been rocked by the news that a piece of fundamental software is flawed and has opened the gateway to hacking attacks. Even worse news is the fact that this flaw has existed for a decade! The flaw has been labelled ‘Shellshock’ and it is feared that it may be more damaging than the ‘Heartbleed’ bug which was discovered earlier in the year.
“Obviously everyone wants to know if they might be vulnerable to attack. If you are an Apple PC user then the immediate answer is ‘Yes’. Apple’s OS X operating system is Unix based and therefore vulnerable. Windows users should not, however, be complacent. Your PC might be safe, but what about the router you use for your broadband? Like as not it will use Unix-based software and therefore may be at risk of attack.
“Even if we feel safe with the computers we own, what about those computers we use but don’t own? Every time we access a web site we are effectively using someone else’s computer and we open ourselves up to their vulnerabilities. One of the major pieces of Web server software called Apache is Unix-based and known to be at risk from this software fault.
“Literally millions of websites could be open to the exploitation of the Shellshock bug. The damage it could cause is as yet unknown. The only safe prediction is that, given the number of computers which are at risk, it will be years before this vulnerability is completely eradicated.”
Malicious Wi-Fi hotspots
Ian Pratt, co-founder at Bromium, commented: “The ‘shellshock’ bash vulnerability is a big deal. It’s going to impact large numbers of internet-facing Linux/Unix/OS X systems, as bash has been around for many years and is frequently used as the ‘glue’ to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.
“Bash is part of the infrastructure, something so pervasive that many sysadmins wouldn’t necessarily even know that the security of their applications depends on it. Any applications known to be using CGI scripts that call system or popen are at particular risk; many PHP, Perl and Python scripts will fall into this category. Some Python modules call os.system without the application doing so explicitly. Simply disabling bash is typically not an option, though it may help to change applications’ default shell to some other Bourne-shell-compatible shell such as ‘sh’ or ‘dash’ (though beware: ‘sh’ is actually the same binary as bash on some systems). However, if an application invokes bash explicitly it will still be vulnerable.
“Even client systems that don’t explicitly run network facing services may be vulnerable too, by way of software such as the DHCP client that may pass data received from a DHCP server through bash. This means that malicious WiFi hotspots could potentially compromise vulnerable systems.
“All Linux/Unix/OS X sysadmins should be scrambling to update bash on all their systems, prioritizing those exposed to untrusted networks.
“Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface; this likely won’t be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required.”
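Two of the points above (that bash imports function definitions from the environment, and that ‘sh’ may itself be bash) can be verified locally. The script below is an added example for administrators auditing their own hosts; it is not code from the article or from any of the quoted vendors. It assumes only a POSIX shell and `env`; the function names and the marker string are constructed for this example.

```shell
#!/bin/sh
# Added example: local self-check for the Shellshock-class bash defect.
# A vulnerable bash, when it imports a function definition from an
# environment variable, keeps parsing past the closing brace and runs
# whatever follows. A patched bash ignores the trailing text.

# Usage: shellshock_check [path-to-bash]
# Returns 0 = patched, 1 = vulnerable, 2 = no bash binary found.
shellshock_check() {
  bashbin="${1:-bash}"
  command -v "$bashbin" >/dev/null 2>&1 || {
    echo "$bashbin: not found"
    return 2
  }
  # The variable value is a harmless function body followed by a
  # constructed marker; only a vulnerable bash will print the marker.
  out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bashbin" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*)
      echo "$bashbin: VULNERABLE (trailing command in imported function was executed)"
      return 1 ;;
    *)
      echo "$bashbin: patched (imported function definitions are not executed)"
      return 0 ;;
  esac
}

# Usage: sh_is_bash
# Returns 0 if the system 'sh' is really bash (so patching bash is what
# matters for scripts that call /bin/sh), 1 otherwise. BASH_VERSION is
# only set when the interpreter is bash.
sh_is_bash() {
  v=$(sh -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null)
  if [ -n "$v" ]; then
    echo "sh resolves to bash $v"
    return 0
  fi
  echo "sh is not bash"
  return 1
}

# Run both checks when executed directly; a non-zero exit flags work to do.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
  shellshock_check "${1:-bash}"
  rc=$?
  sh_is_bash
  exit $rc
fi
```

The check only tells you about the bash binary on the path you pass it; appliances and embedded devices, as the article notes, carry their own copies and need to be checked (and patched) separately.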
Lower risk to home users
Dimitris Parapadakis, Principal Lecturer in IT Security at the University of Westminster, commented on the Shellshock bug: “The Shellshock bug is indeed high risk; but this type of bug is neither new nor rare. The risk of Shellshock is high for people running websites and similar services but less so for the average home user. The good news is that the bug is in software that is open for any expert to examine, so it is not difficult for the collective skills of experts to find out how to fix it and, in most systems, fix it quickly. Patches are already appearing and, as always, everyone should be sensible and download the latest updates, not only on their computers but also on other systems, such as their routers.
“There is no doubt that bugs of this type will continue to appear and attract our attention. Each such story should remind us of the security – and privacy – risks of the internet, but it should also make us realise that the bug has been found thanks to ongoing work from many well-trained computer experts who analyse software and help identify and address these risks. We should not worry about bugs made public, because something is already being done to fix them; we should be concerned about those that have not been found yet.”
Industrial control systems under threat?
Tom Cross, Lancope’s director of security research, said: “It will take a long time for all of the implications of the Shellshock vulnerability to come to light. The most obvious vulnerable systems will be patched over the next few days, but there will be corner cases, particularly where Linux is used in appliances and embedded devices, where the vulnerability will linger on for a long time. This is similar to what we’ve experienced with Heartbleed, where months later we’re still hearing about things like VPN concentrators getting compromised in the wild, and researchers are still discovering things that can be done with it. Shellshock is particularly concerning in the context of Industrial Control Systems and SCADA, where there may be many vulnerable devices that are difficult to upgrade. Earlier this year, a sophisticated watering-hole attack targeted users of a variety of industrial control systems and industrial cameras. Those attackers now have an entirely new attack vector to explore.”
‘More far-reaching than Heartbleed’
Alert Logic’s senior solutions architect, Richard Cassidy, added: “We have to take stock of when BASH was first developed, and that security issues are still widely related to the fact that developers aren’t able (and in most cases can’t) to test their code against all conditions, variables and security-related scenarios. The specific vulnerability found does require a specific set of conditions to be met. We need to look at this in context; yes, it’s a vulnerability and organisations should absolutely take steps to apply those patches currently being released; but to be exploited with this vulnerability we’d be looking in most instances at a very targeted attack, as opposed to an opportunistic ‘script-kiddie’ one.
“The main challenge here is that BASH is the foundational shell for the most popular UNIX operating systems deployed today, not least within OS X; as such it has existed for quite some time indeed, making this vulnerability far wider-reaching (and affecting more systems globally) than the OpenSSL ‘Heartbleed’.
“Given the extent of the operating system versions it affects, organisations are going to have a great deal of work to do to get patched, and should commence sooner rather than later. Red Hat and Fedora have already led the charge on remediation; however, we really need to see an update from Apple on their plans to get OS X patched.
“The overall lesson that has to be learned here, given our experiences with ‘Heartbleed’ (and many others before), is that even the most trusted protocols and operating systems still have code-level vulnerabilities that will continue to be discovered. Good security practices and systems will ensure that users within organisations have limited exposure to vulnerabilities of this type; however, external-facing public servers running the affected versions of BASH will be more at risk, such as websites, e-commerce platforms and management systems. If organisations haven’t already, now is the time to put in place extra auditing measures against their critical assets, implementing strict rules on existing security systems to mitigate the risk.”