9/27/2014 08:06 AM
Shellshock Bug: 6 Key Facts

The Shellshock bug could do more damage than the recent Heartbleed bug. Here's what you need to know.

Shellshock, the name given to a pair of vulnerabilities in Bash, a shell program distributed on Linux, Unix, and OS X systems, has been assigned a CVSS score of 10, on a 1-to-10 scale. It's as serious as security bugs get.

Worse, the difficulty of exploiting Shellshock is rated "low." Almost anyone with an interest in malicious code will be able to build malware that uses the vulnerabilities. As if to demonstrate that, security companies began detecting Shellshock malware within hours after the vulnerabilities were disclosed.

Here's what you need to know.

How long has Bash been vulnerable?
About 22 years. According to the New York Times, Chet Ramey, senior technology architect at Ohio's Case Western Reserve University, who has maintained the Bash open source project for roughly that long, believes that Shellshock dates back to a new feature introduced in 1992.

[Are we becoming a nation of complacency? Read Shellshocked: A Future Of ‘Hair On Fire’ Bugs.]

The earliest version of Bash affected by the vulnerability, 1.14, dates back to 1994. The most recent version, 4.3, is also vulnerable. News of the vulnerability appears to have surfaced on Wednesday.

Which machines are vulnerable?
The vulnerabilities affect machines running Linux, BSD, and Unix distributions, including Mac OS X. Apple said in a statement to AFP on Friday that OS X is safe by default unless users have configured advanced Unix services. The company said it's working on a patch for those users.

Bash is not native to Windows, but Cygwin, which provides a Bash shell on Windows, is vulnerable. Beyond that, Shellshock has the potential to affect anyone visiting a website hosted on a vulnerable server -- if the server has been compromised via Shellshock, it could deliver other malware.

How many machines are vulnerable?
It's difficult to say. About 10% of personal computers run Linux or OS X. But then there are servers and Internet-connected devices to consider. Many security experts are comparing Shellshock to the Heartbleed vulnerability discovered in April. Heartbleed affected an estimated 500 million computers; the BBC suggests Shellshock could affect just as many, without providing details about how it arrived at that figure.

Is my machine vulnerable?
Shellshocker.net provides two tests, one for each vulnerability (CVE-2014-6271 and CVE-2014-7169). On a Mac, open the Terminal program and type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" echoed in the response, your version of Bash is affected. Then type:

env X='() { (a)=>\' bash -c "echo date"; cat echo

If you see today's date (possibly alongside error messages), your version of Bash is vulnerable.
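As an added example that is not part of the article, the two one-liners above can be wrapped in a small POSIX shell script that tests a chosen Bash binary (assumed to be passed as the first argument, defaulting to the bash found on PATH) and prints a plain verdict for each CVE; the second probe runs in a scratch directory so the stray file it may create never lands in your working directory.

```shell
#!/bin/sh
# Added example (not from the article): wraps the two Shellshocker.net
# probes in functions that return "vulnerable" or "patched" for a given
# Bash binary. Assumption: the binary is the first argument, default "bash".

# CVE-2014-6271: commands placed after a function definition in an
# environment variable must NOT run when the shell starts up.
check_cve_2014_6271() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix still let a malformed definition
# turn the next word into a redirection, so "echo date" wrote the output of
# date into a file literally named "echo". We probe inside a scratch
# directory and look for that file, then remove the directory either way.
check_cve_2014_7169() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 2; }
    scratch=$(mktemp -d) || { echo error; return 2; }
    ( cd "$scratch" && env X='() { (a)=>\' "$bin" -c "echo date" >/dev/null 2>&1 )
    if [ -f "$scratch/echo" ]; then
        rm -rf "$scratch"; echo vulnerable; return 1
    fi
    rm -rf "$scratch"; echo patched; return 0
}

# Run both probes and print one summary line; exit status is non-zero
# unless both come back "patched".
shellshock_report() {
    bin="${1:-bash}"
    r1=$(check_cve_2014_6271 "$bin")
    r2=$(check_cve_2014_7169 "$bin")
    echo "$bin: CVE-2014-6271=$r1 CVE-2014-7169=$r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}
```

Running `shellshock_report /bin/bash` on a current system should print "patched" for both CVEs; a "vulnerable" on either line means the shell still needs the vendor update.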

Is there a fix?
Sort of. Major Linux vendors have released patches; Apple is working on one. US-CERT notes that the patches for CVE-2014-6271 do not fix the problem completely (Red Hat has said as much) and advises users to watch for patches that resolve CVE-2014-7169 (Red Hat's patch is available). Many security vendors have released detection tools and promise protection through their own software. Red Hat has also offered several mitigation methods for experienced IT administrators.

Why should I care?
Because these bugs allow an attacker to execute malicious code on affected machines, without any authorization check. And even if your machine is safe, you won't be happy when someone is able to steal your credit card numbers because these vulnerabilities affected someone else's server.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments

anon6526361679, User Rank: Apprentice, 9/30/2014 | 10:20:46 PM
The yellow journalism of this is becoming apparent
As time goes by it is slowly but surely becoming apparent that too many yellow journalists/ bloggers and security companies dying for publicity have in effect been "Chicken Little" claiming the sky is falling.

All these Bash shell one-liner tests are idiotic. I can run 'rm -rf *' in my bash shell and destroy my computer - that doesn't prove it's vulnerable. The fact is that a hacker would have to find an injection point. This BASH issue provides no such injection point - it can only be "used" once an injection point is found.

When you delve into expert forums and really learn about this issue - it's pretty much a "patch and move on" feeling. Far short of the Chicken Little scenarios posted by idiots reading other idiots' inflamed posts.

Henrisha, User Rank: Strategist, 9/29/2014 | 1:02:07 PM
Re: A short-lived gloatfest
I agree. I would give it a few more weeks, even months, before saying that it has fully and truly been contained, with only 1 or 2 isolated cases that are then swiftly resolved. No OS is immune from bugs or attacks.

sam-augur100, User Rank: Apprentice, 9/29/2014 | 10:00:15 AM
Re: A short-lived gloatfest
I agree. To say "it's contained" would mean you/they personally know that it is by having been to the system(s) in question.
I also agree that things are not reported in a timely manner.

PaulS681, User Rank: Ninja, 9/28/2014 | 6:32:02 PM
Re: A short-lived gloatfest
Little early to say it's contained, don't you think? Not sure how anyone could know that it's contained and nothing will come of this. Just because the "writeups" point to it being contained doesn't mean it is. I think we have all been around enough to know everything isn't reported on in a timely manner... especially breaches.

mac.cole, User Rank: Apprentice, 9/27/2014 | 11:54:00 PM
Re: A short-lived gloatfest
A Future of 'Hair on Fire' Bugs suggests that Shellshock, similar to Conficker, will be around even after all currently living humans are in our graves. It most certainly will never be contained, according to that article.

asksqn, User Rank: Ninja, 9/27/2014 | 4:52:38 PM
A short-lived gloatfest
I can't help but get the distinct feeling that every Microsoft fanboi on the planet is gloating right about now at the thought that a 'nux OS has a vulnerability. The difference is, of course, that shellshock, for all of the writeups/FUD I've read about it since it was discovered on the 24th, the fact remains that it is contained.

stevew928, User Rank: Ninja, 9/27/2014 | 3:15:28 PM
Perspective
"It's difficult to say. About 10% of personal computers run Linux or OS X. But then there are servers and Internet-connected devices to consider."

I suppose I agree that such estimations are a bit difficult, but you're certainly quite a bit off here. The actual 'market share' (quarterly sales, etc.) figures for Apple haven't been below 10% for the last decade or two. That's not even considering actual IN USE unit percentages for each OS (for example a typical Windows unit might become a cash register or have Unix loaded on it). A more realistic figure would probably be above 20% (and if we weren't counting boxen in corporations, managed by IT staff, we'd probably be talking 40% or more).

As far as vulnerability, the test you've outlined only shows if you have a 'vulnerable' version, not that you're *actually* vulnerable. For example, on OSX, unless you've turned on command-line remote access or are using some software which is externally available that implements Bash, you'd only be vulnerable to LOCAL attacks (i.e., someone sitting at your machine).

So, while this is certainly a serious threat, it's also important to keep it in perspective.