The national news will be dominated by a four letter word for the next few days and, until yesterday, it is not one we would usually use.
Call it Shellshock or Bash, the flaw has been described as being as bad as Heartbleed, or even not as bad, depending on who you listen to. Essentially, the flaw affects UNIX and Linux users and, therefore, the underlying internet infrastructure. If you can get administrator control of the server, you can take complete control over a targeted system.
Now are you taking it seriously? According to vulnerability management vendor Rapid7, the flaw (CVE-2014-6271) “is potentially a big deal” as it is given the maximum CVSS score of ten for impact and ease of exploitability and the affected software, Bash (the Bourne Again SHell), is present on most Linux, BSD and Unix-like systems, including Mac OS X.
As with all responsibly disclosed flaws, patches are available, but investigations by Red Hat made it clear that the patched version may still be exploitable and, at the very least, can be crashed due to a null pointer exception.
So is it as bad as Heartbleed, and will I be making references to Bash in six months' time? Rapid7 said that some factors are worse, but the overall picture is less dire.
“This vulnerability enables attackers to not just steal confidential information as with Heartbleed, but also to take over the device or system and execute code remotely,” it said in a blog. “From what we can tell, the vulnerability is most likely to affect a lot of systems, but it isn’t clear which ones, or how difficult those systems will be to patch. The vulnerability is also incredibly easy to exploit. Put that together and you are looking at a lot of confusion and the potential for large-scale attacks.”
Comments seen by this journalist seem to classify this as a major concern that will get security administrators “scrambling” to fix as quickly as possible. Media headlines will undoubtedly add to that panic.
As for the more useful advice, Ian Pratt, co-founder at Bromium, said this was a big deal as, not only will it impact large numbers of internet-facing systems, but it has been around for many years as it is frequently used as the ‘glue’ to connect software components used in building applications.
He said: “Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.
“Bash is part of the infrastructure, something so pervasive that many systems administrators wouldn’t necessarily even know that the security of their applications depends on it. Any applications known to be using CGI scripts that call system or popen are at particular risk — many php, perl and python scripts will fall into this category. Some python modules call os.system without the application doing so explicitly.”
Pratt said that simply disabling Bash is not an option, though it could help to change applications’ default shell to some other Bourne-compatible shell such as ‘sh’ or ‘dash’; however, if an application invokes Bash explicitly, it will still be vulnerable.
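Pratt’s point above is that CGI scripts pass request headers to Bash through the environment, and Bash exports shell functions as environment variables whose value begins with “() {”, which is the signature used to detect CVE-2014-6271 probes. The following is an added example, not code from the article or from Bromium: a small detector that parses constructed web-server log lines (combined-log-like format, sample values invented here) and flags requests whose Referer or User-Agent carries that function-import prefix.

```python
import re
from typing import Dict, List

# Bash passes an exported shell function through the environment as a
# variable whose value starts with "() {". CVE-2014-6271 concerns text after
# the closing brace being executed when a vulnerable Bash imports such a
# variable. A CGI server copies request headers into the environment
# (User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER), so this prefix
# appearing in an HTTP header is the signature to alert on.
FUNCTION_IMPORT = re.compile(r"\(\)\s*\{")

# Constructed sample log lines (addresses from documentation ranges):
# ip - - [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.2 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { x; }; echo x" "curl/7.30"
198.51.100.7 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 200 128 "-" "Mozilla/5.0 (compatible) {} ()"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into named fields; raise on lines that do not fit the format."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    return m.groupdict()

def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request whose Referer or User-Agent carries the function-import prefix."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        for field in ("referer", "agent"):
            # Parentheses and braces alone (last sample line) must not trigger;
            # only the exact "() {" sequence that Bash treats as a function does.
            if FUNCTION_IMPORT.search(entry[field]):
                findings.append({"ip": entry["ip"], "field": field,
                                 "request": entry["request"], "value": entry[field]})
    return findings

if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        print("%s via %s on %s: %s" % (f["ip"], f["field"], f["request"], f["value"]))
```

Any hit is worth correlating with whether the targeted path is a CGI script and whether the host’s Bash has been patched, since a probe against a non-CGI path (the third sample line) is reconnaissance rather than a successful request.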
So it is the glue binding the internet together, and Pratt said that Bash is a “very complex and feature-rich piece of software” intended for interactive use by power users, and that it does more than is typically required for the additional role it is often given of gluing components together in applications.
Pratt said that this presents “an unnecessarily broad attack surface”, again presenting a serious issue. Kevin Epstein, vice president of information, security and governance at Proofpoint, also commented that initial indications are that the flaw has been present for a longer period than Heartbleed, and is in a more general-use area of the code.
“Correspondingly, this vulnerability will likely be more widespread and in code that’s no longer being maintained, such as legacy routers and network attached storage devices,” he said. “Clearly this has wider security implications than Heartbleed, and suggests a need for additional incremental layers of security as well as patches.”
If it wasn’t serious we wouldn’t be writing about it, the experts would not be talking about it and you would not be reading about it. It is serious, but as with Heartbleed, let’s hope the industry comes together to try and bring a fix and prevent such an issue from recurring in six months or further into the future.