IT Security Guru
Bash – the four letter word terrorising security

by The Gurus
September 25, 2014
in Opinions & Analysis

The national news will be dominated by a four-letter word for the next few days and, until yesterday, it was not one we would usually use.
 
Call it Shellshock or Bash, the flaw has been described as being as bad as Heartbleed, or not as bad, depending on who you listen to. Essentially, the flaw affects UNIX and Linux systems and, therefore, the underlying internet infrastructure: if an attacker can gain administrator control of the server, they can take complete control of the targeted system.
 
Now are you taking it seriously? According to vulnerability management vendor Rapid7, the flaw (CVE-2014-6271) “is potentially a big deal” as it is given the maximum CVSS score of ten for impact and ease of exploitability, and the affected software, Bash (the Bourne Again SHell), is present on most Linux, BSD and Unix-like systems, including Mac OS X.
 
As with all responsibly disclosed flaws, patches are available, but investigations by Red Hat made it clear that the patched version may still be exploitable and, at the very least, can be crashed by a null pointer dereference.
 
So is it as bad as Heartbleed, and will I still be making references to Bash in six months’ time? Rapid7 said that some factors are worse, but the overall picture is less dire.
 
“This vulnerability enables attackers to not just steal confidential information as with Heartbleed, but also to take over the device or system and execute code remotely,” it said in a blog. “From what we can tell, the vulnerability is most likely to affect a lot of systems, but it isn’t clear which ones, or how difficult those systems will be to patch. The vulnerability is also incredibly easy to exploit. Put that together and you are looking at a lot of confusion and the potential for large-scale attacks.”
 
Comments seen by this journalist seem to classify this as a major concern that will get security administrators “scrambling” to fix as quickly as possible. Media headlines will undoubtedly add to that panic.
 
In terms of the better advice, Ian Pratt, co-founder at Bromium, said this was a big deal as, not only will it impact large numbers of internet-facing systems, but it has been around for many years as it is frequently used as the ‘glue’ to connect software components used in building applications.
 
He said: “Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.
 
“Bash is part of the infrastructure, something so pervasive that many systems administrators wouldn’t necessarily even know that the security of their applications depends on it. Any applications known to be using CGI scripts that call system or popen are at particular risk — many PHP, Perl and Python scripts will fall into this category. Some Python modules call os.system without the application doing so explicitly.”
 
Pratt said that simply disabling Bash is not an option. It could help to change applications’ default shell to another Bourne-compatible shell such as ‘sh’ or ‘dash’; however, if an application invokes Bash explicitly, it will still be vulnerable.
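Pratt’s caveat is the part that is easy to miss when repointing /bin/sh: a script with an explicit bash shebang, or application code that spawns a shell via system/popen, is unaffected by that change. The following audit script is an added example, not code from the article or from Bromium; it walks a directory of constructed sample CGI scripts (the pattern list and the sample files are assumptions) and reports which ones would still reach bash, and what /bin/sh resolves to on the host.

```python
import os
import re
import tempfile
from pathlib import Path

# Calls that hand a command string to the system shell (Python, Perl, PHP, C).
# Constructed list; extend it for the languages used in your own environment.
SHELL_SPAWN = re.compile(
    r"\b(?:os\.)?(?:system|popen)\s*\("
    r"|\bsubprocess\.\w+\([^)]*shell\s*=\s*True"
    r"|\bshell_exec\s*\("
)
BASH_SHEBANG = "explicit bash shebang: repointing /bin/sh does not help"
SH_SHEBANG = "sh shebang: safe only once /bin/sh resolves to a non-bash shell"
SPAWNS_SHELL = "spawns /bin/sh from application code: inherits the request environment"

def classify(text):
    """Return the findings for one script's source text (empty list if none)."""
    findings = []
    first = text.splitlines()[0] if text else ""
    parts = first[2:].split() if first.startswith("#!") else []
    if parts:
        prog = parts[1] if parts[0].endswith("/env") and len(parts) > 1 else parts[0]
        base = os.path.basename(prog)
        if base == "bash":
            findings.append(BASH_SHEBANG)
        elif base == "sh":
            findings.append(SH_SHEBANG)
    if SHELL_SPAWN.search(text):
        findings.append(SPAWNS_SHELL)
    return findings

def audit(root):
    """Map each script under root to its findings; clean scripts are omitted."""
    out = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            f = classify(p.read_text(errors="replace"))
            if f:
                out[p.name] = f
    return out

def sh_target(sh="/bin/sh"):
    """Name of the shell /bin/sh really is (None where it does not exist)."""
    return os.path.basename(os.path.realpath(sh)) if os.path.exists(sh) else None

SAMPLE = {  # constructed CGI scripts standing in for a real cgi-bin directory
    "report.sh": "#!/bin/bash\necho 'Content-type: text/plain'\necho\nuptime\n",
    "status.cgi": "#!/bin/sh\necho 'Content-type: text/plain'\necho\ndf -h\n",
    "upload.py": "#!/usr/bin/env python\nimport os\nos.system('mv /tmp/in ' + name)\n",
    "safe.py": "#!/usr/bin/env python\nimport subprocess\nsubprocess.run(['/bin/df', '-h'])\n",
}

def build_sample():
    """Write the constructed scripts into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="cgi-audit-")
    for name, body in SAMPLE.items():
        Path(root, name).write_text(body)
    return root

if __name__ == "__main__":
    print("/bin/sh ->", sh_target())
    for name, findings in audit(build_sample()).items():
        print(name, *findings, sep="\n  ")
```

Point `audit()` at a real cgi-bin or application directory to get the same report for your own scripts; a script that appears with no findings is not proven safe, only free of the patterns listed.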
 
So it is the glue binding the internet together, and Pratt said that Bash is a “very complex and feature-rich piece of software” intended for interactive use by power users; it does far more than is typically required for the additional role it often plays, gluing components together in applications.
 
Pratt said that this presents “an unnecessarily broad attack surface”, again presenting a serious issue. Kevin Epstein, vice president of information, security and governance at Proofpoint, also commented that initial indications are that the flaw has been present for a longer period than Heartbleed, and is in a more general-use area of the code.
 
“Correspondingly, this vulnerability will likely be more widespread and in code that’s no longer being maintained, such as legacy routers and network attached storage devices,” he said. “Clearly this has wider security implications than Heartbleed, and suggests a need for additional incremental layers of security as well as patches.”
 
If it wasn’t serious we wouldn’t be writing about it, the experts would not be talking about it and you would not be reading about it. It is serious, but as with Heartbleed, let’s hope the industry comes together to bring a fix and prevent such an issue from recurring in six months or further into the future.
