Shellshock “Bash Bug” Wreaking Havoc

What you need to know about Shellshock "Bash Bug"

If you’ve been watching the news lately, you have probably become aware of the latest internet scare, known as Shellshock or the Bash Bug. This is an extremely alarming vulnerability that affects most web servers today. Since most of the web is powered by Linux and Unix operating systems, this bug is referred to as one of the biggest security issues known to date. Security firms are scrambling to come up with patches and temporary fixes as they try to understand the vulnerability’s depth and potential effects.

What is Shellshock/Bash Bug?

Shellshock, also known as the Bash Bug, is a newly detected vulnerability in the Linux and Unix operating systems, also affecting Mac OS X. The bug was detected by a Red Hat (Linux Distribution) employee. Essentially, it allows an attacker to submit code to be executed after the declaration of a variable. Shellshock has been deemed a greater threat than Heartbleed, which was known as one of the greatest security vulnerabilities in recent history. The Bash bug vulnerability is not new by any stretch of the imagination. Dating back to the creation of Bash around 25 years ago, this bug is widespread and affects more than just web hosts. Anything running Bash is susceptible to an attack if it is internet facing. This includes Apple machines running Mac OS X Tiger or later, some routers, web servers, Linux or Unix machines and Windows users using .

What is Shellshock in Plain English?

In plain English, Shellshock is a programming bug affecting most web servers, Linux desktops and Apple machines. The bug gives an attacker the ability to execute code on the vulnerable machine. The code being executed can give attackers full rights to a machine, allowing them to take it over. The attacker can access valuable information, inject malicious code or even set up backdoors for other attacks.

What is the Payload of Shellshock?

Probably the most alarming issue with Shellshock is the unknown. Because of the freedom that the bug can allow an attacker, it’s hard to identify the potential payload. Attackers using the exploit can inject malicious code, scrape sensitive data, control desktop apps such as web cams, or insert backdoors or worms for other attacks. The list of potential dangers is extensive and may impact the internet and users for months to come.

How to Secure Against Shellshock or Bash Bug?

By now, you are probably wondering how you can protect yourself against Shellshock. On the bright side, patches are coming out rather quickly and at this stage the bug seems somewhat easy to patch. On the downside, many devices are potentially vulnerable, from your Smart TV to your home security system. Bash is used in so many devices that many of them are taken for granted, and users may not even expect to be exposed to this danger. The other problem is that these devices are not always as patch friendly.

Many web hosts have already applied patches and were rather quick to do so after being notified of the issue. Apple just released a patch Tuesday, Sept. 30th. Unfortunately, the OS X bash Update 1.0 is still incomplete. It apparently fixes two of the three known vulnerabilities but is still susceptible to Denial of Service attacks. So, look for an updated version to be released soon. Also, if you are running an older Mac OS X operating system, you may be without a patch for some time. It’s suggested that you turn off remote access and any local web servers in the meantime.
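To confirm that a patch actually took effect on a machine you administer, the following added example (not part of the original article) checks each local Bash binary for the original bug, CVE-2014-6271, by declaring a variable with a harmless trailing command and seeing whether Bash runs it. The variable name `probe`, the marker text and the list of paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: local check for the original Shellshock bug (CVE-2014-6271).
# "probe", the marker text and the path list are constructed for illustration.

MARKER="shellshock-marker-6271"

# check_bash PATH -> prints "vulnerable", "patched" or "missing"
check_bash() {
    shell=$1
    [ -x "$shell" ] || { echo missing; return 0; }
    # The value of "probe" is a function declaration followed by a trailing
    # command. A patched Bash ignores the trailing command; a vulnerable one
    # runs it while importing the variable, so the marker shows up even
    # though the only command requested is the harmless "true".
    out=$(env -i probe="() { :;}; echo $MARKER" "$shell" -c true 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# scan_bash: check every Bash found in the usual locations and on PATH
scan_bash() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash \
                     "$(command -v bash 2>/dev/null || true)"; do
        [ -n "$candidate" ] && [ -e "$candidate" ] || continue
        printf '%s\t%s\n' "$candidate" "$(check_bash "$candidate")"
    done | sort -u
}

scan_bash
```

A "patched" result here covers only CVE-2014-6271; it says nothing about the follow-up CVEs listed in the update below, so keep installing vendor updates as they are released.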

Update September 29th – 12:23 CST

A second similar vulnerability has been found in Bash rendering previous patches incomplete. As we have more information, we will update this article. Security bulletins:

  • CVE-2014-6271: The original “Shellshock” Bash bug.
  • CVE-2014-7169: The CVE assigned to the incomplete patch for the original bug.
  • CVE-2014-7186 & CVE-2014-7187: These CVEs are related to the original bash bug but triggered through an alternative method using out of bounds memory access.
  • CVE-2014-6277 & CVE-2014-6278: Two new bugs that have been discovered but have not yet been made public in order for patches to be created.