A serious software vulnerability called the “Bash Bug” or “Shellshock” has just come to light and it affects a wide range of computers and digital devices, many of which will need to be fixed to prevent them leaking information or being taken over by malicious persons. The systems affected include Mac OS X computers, many web servers, and some home networking devices like routers. This blog post offers some preliminary advice about what to do in response to Shellshock, as well as links to more in-depth resources that should be helpful to more technically-minded readers.
The official name of this vulnerability is the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) and it is a serious one, on a par with Heartbleed, and it could enable an attacker to gain control over a targeted computer. Of course, all of that might sound irrelevant to the average Internet user who has never heard of bash. So I will let my colleague Cameron Camp, an experienced Linux user, set the scene with five main points. After that we will offer some advice for different groups of people affected by this bug. Here’s Cameron:
- Bash is short for Bourne-again shell and it is the command line interface that most folks use on a Linux and sometimes BSD Mac servers and computers. So basically Bash is the primary way you give your Linux server commands, turn stuff on and off, start web servers and so on: it’s how you manually manage your server 90% of the time. Think of it as what your desktop is to a Windows or Mac machine, but for servers. But Bash is more than that, it’s also the nuts and bolts of how a large chunk of the Linux server itself launches and controls operations that it executes all the time like scheduling tasks, doing updates, and the like.
- Bash doesn’t just run on normal Linux serverish things, it’s loaded on a significant percentage of home routers, smart meters, smart appliances, smart cars, and other stuff that you don’t really think of as running Linux. Basically a huge chunk of things that route Internet traffic run bash. This extends to the core routing of data centers and facilities like that around the world.
- Right now we are at the very beginning of the “what could this break” cycle. Already we know that it could break CGI scripts running on Apache boxes. Okay, but there’s a ton of other exploits possible once someone weaponizes this, and before folks have a chance to patch their devices. Some vulnerability scanning is now going around, undoubtedly lots more will follow. Keep in mind that some BSD/Linux boxes haven’t been rebooted in five years or more! They often lag behind on updates to fix security issues.
- I’m watching the traffic stream on some trust groups right now and the messages are flying around, with folks sharing data back and forth about active exploit attempts, so that’s good, but these groups are very technical, so that information has to be translated for public consumption accompanied by practical advice.
- Lastly, in simple terms, breaking Bash means you can tell a server to execute something without really authenticating, so it’s sort of like telling bash to go do stuff without being logged in, which definitely fits the definition of “a very bad thing”.
For more technical details we think these resources are very helpful:
- Robert Graham writing on the Errata Security Blog (go to the home page for the latest).
- Troy Hunt writing on troyhunt.com.
- Discussion of the bash bug on Apple Support Communities.
- Jame Blasco at AlienVault is reporting some of the early attempts to exploit this bug.
Here is what we think this bug means for different people:
- Windows users: your machines are fine, but you could be at risk of malicious code infection when visiting web servers compromised by exploitation of Shellshock. Now is a good time to make sure your anti-malware is up-to-date.
- Mac users: sadly the bash that comes with Mac OS X is vulnerable until patched. We are awaiting a patch from Apple. Look for this and install it right away. Now is a good time to make sure your anti-malware is up-to-date.
- Home Internet users, domestic network operators: We do not yet have a definitive list of which devices are affected. For now, assume that yours is and stand by for updates from your ISP or the router manufacturer while monitoring sites like We Live Security for more information about active threats exploiting this vulnerability. If you want to be pro-active, check out the support forum for your ISP or router vendor. Email or phone them to find out if your device is affected. Also, check that your anti-malware is up-to-date.
- SOHO and SMB: Same as above if you are doing your own IT. If you use a Managed Service Provider, check with them.
- IT departments: Review all systems that use bash and follow appropriate remediation steps as reported by Linux distributors, such as RedHat and Debian and Ubuntu. There is a lot of information on this NGINX page and this Cisco page.
- Anyone with a website hosted by web hosting company: Check their support page for news and updates.
- Anyone with a virtual private server: Check with your provider’s support page. You may need to tackle this issue yourself, in which case engage an appropriate expert.
We are monitoring developments related to the Shellshock bash bug vulnerability and will post updates to the We Live Security blog.
by Stephen Cobb, ESET