Worse than Heartbleed. That's what security professionals are saying about the newly discovered “Bash Bug,” a vulnerability in the Unix Bourne Again Shell (BASH) that makes it possible for attackers to exploit Linux and Apple OS X systems.
While the CVE-2014-6271 bug, also referred to as ShellShock, is posited to have existed for many years, it was just discovered last week by Akamai security researcher Stephane Chazelas. And pronouncements that it is worse than Heartbleed, the critical vulnerability that was discovered in widely used versions of the OpenSSL library, stem from the prevalence of Bash shells in everything from servers to web-connected Internet of Everything (IoT) devices.
“It is the worst vulnerability we have seen so far this year,” Roel Schouwenberg, a senior researcher at Kaspersky Labs, told SCMagazine.com in a Thursday interview. Unlike Heartbleed, “which was really about attackers getting information from machines,” the Bash Bug “executes arbitrary commands from affected devices, mostly Web servers.”
Calling ShellShock “far more prevalent,” David Larson, CTO at Corero Network Security, pointed out to SCMagazine.com in a Thursday email correspondence that “the bug impacts Linux/Apache machines which makes up over 50 percent of the population [and]…impacts the last 25 years of BASH versions,” whereas Heartbleed was only dangerous to “a specific version of OpenSSL. This is big.”
Schouwenberg said that it is too early to gauge the extent of the damage that the Bash Bug can do. “We don't understand the scope of this vulnerability,” he said. But since security experts keep spinning a seemingly endless number of scenarios in which the vulnerability could be exploited, “that makes it very serious.”
Because bash is “a common shell for evaluating and executing commands from other programs,” Akamai CISO Andy Ellis said in a Thursday blog post that the “vulnerability may affect many applications that evaluate user input, and call other applications via a shell.” And ultimately, that allows “an adversary…[to] pass commands to bash to execute arbitrary code,” he wrote.
Jaime Blasco, director of AlienVault Labs, in a Thursday blog post, called the vulnerability “critical since it can be exposed on web servers that use mod_cgi or code that calls the bash shell.” He said that the other systems that might be affected include “network services and daemons that use shell scripts with environmental variables.”
AlienVault has been running a honeypot for the vulnerability since Wednesday, lying in wait for attackers to exploit it, and in less than 24 hours “have had several hits.” Most, he wrote, “are systems trying to detect if the system is vulnerable and they simply send a ping command back to the attacker's machine.”
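The honeypot hits Blasco describes share one trait: an HTTP header whose value begins with the `() {` function-definition prefix that vulnerable bash versions import from the environment, which is exactly what mod_cgi hands to a CGI script as `HTTP_USER_AGENT` or `HTTP_REFERER`. The following detector, an added example that is not part of the article or of any vendor's tooling, scans Apache combined-format access log lines for that prefix so an operator can find probes against their own servers. The log lines are constructed for the example; the IP addresses are documentation ranges and the trailing command is a harmless `/bin/true`.

```python
import re

# Constructed Apache combined-format log lines (not taken from the article).
# The first two carry the CVE-2014-6271 function-definition prefix in the
# User-Agent and Referer headers; the last two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; /bin/true"
203.0.113.9 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "() { ignored; }; /bin/true" "Mozilla/5.0"
198.51.100.3 - - [25/Sep/2014:10:13:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "curl/7.37.0"
"""

# Vulnerable bash treats an environment value starting with "() {" as a
# function body and keeps parsing after the closing "};", so a header that
# matches this shape is a ShellShock probe regardless of what follows.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Header-derived fields that mod_cgi exports to the CGI process's environment.
CHECKED_FIELDS = ("ua", "referer", "request")


def find_shellshock_probes(log_text):
    """Return one dict per log line whose headers carry the ShellShock prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "field": field,
                    "request": m.group("request"),
                })
                break  # one finding per line is enough
    return hits


def probes_by_source(log_text):
    """Count probing lines per source IP, handy for blocking or triage."""
    counts = {}
    for hit in find_shellshock_probes(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} probe via {hit['field']}: {hit['request']}")
    print(probes_by_source(SAMPLE_LOG))
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file's contents; the match is on the function-definition shape, not on any particular payload, so the ping-based scanners Blasco mentions and anything more harmful are caught alike. A hit only proves that someone tried, not that the CGI script ran under a vulnerable bash, so pair it with patching rather than treating an empty result as safety.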
In some of the attacks that security experts are seeing in the wild, exploiting ShellShock can be “as simple as telling the server, ‘Hey, download this file and run it,' and an attacker has access to the box,” Ronnie Tokazowski, senior researcher at PhishMe, told SCMagazine.com in a Thursday email correspondence. “With very little effort, an attacker could set up DDoS attacks, create a botnet with affected devices, or crash all of these devices if they wanted to.”
It is that ease of use, which Tokazowski rates at “11, possibly a 12,” that helps ShellShock edge ahead of Heartbleed in terms of potential impact.
With Heartbleed, an attacker “has to get lucky to find a username and password combination that works, then needs to find a VPN concentrator or some other login form, and hope that an enterprise isn't doing geolocation IP matching based off of usernames,” he said. “Once there, the attacker would then have to find a vulnerability on the system to break out of the app to get on the system, and then perform a privilege escalation attack in order to gain root level access.”
Tokazowski expressed surprise at the ease of use as well as “how prevalent the problem is.” When he first learned of the vulnerability, he “started playing with the code” on his system and was able to modify it “into something working in no more than 30 seconds. Given the ease of use, I'm hoping no one turns this into a worm.”
The implications of ShellShock are scarier still, given the number of devices that are vulnerable.
“Never mind the millions of unpatched NTP servers out there that are being used to dump massive volumetric DDoS attacks on unsuspecting victims,” said Corero Network Security's Larson. “To think that the IoT, which is growing exponentially, is being exploited in a similar way, leads me to believe that we are not far from seeing DDoS attacks in the Terabit range.”
In fact, many security experts are predicting that ShellShock and the IoT are a potentially volatile mix, primarily because web-connected devices aren't typically kept current. “The IoT in itself is a breeding ground for malicious activity,” said Larson. “IoT devices are typically not updated, patched or maintained on a regular basis, making it quite easy for hackers to exploit and take control over.”
Jared DeMott, principal security researcher at Bromium Labs, agreed, adding in an email correspondence with SCMagazine.com, “Once you deploy all these low cost, connected, mini-computers - are they likely to be maintained and patched? Or will they go the way of home routers…and remain outdated and vulnerable for years at a time?”
Just how users and organizations protect themselves from ShellShock is evolving. DeMott recommends that organizations “fire drill for zero day attacks,” but first, they must “patch Bash as quickly as possible,” he said.
Apple so far has remained mum but Linux vendors like Red Hat and Ubuntu have issued patches for the bug as have security vendors like Akamai, which published an emergency patch on Thursday. With so many untended and unpatched devices out there, the risk is likely to persist, and patches will be tweaked and updated along the way.