More than six months after Heartbleed captured the internet security industry’s attention, another major bug is making the headlines.
The flaw sits in the Bash shell and affects UNIX and Linux servers; it is a serious issue and one that will not be easy to fix. Some are already calling it the next Heartbleed. Here is what some of the industry’s finest minds are saying.
Ben Johnson, chief security researcher for Bit9 + Carbon Black
“The tricky aspect of this vulnerability is that it isn’t as clear-cut as Heartbleed. With Heartbleed, security professionals primarily needed to see what version of openssl they had and then patch it if necessary.
“With BASH, there may be DHCP servers, web servers and other network-accessible services that use BASH for part of their functionality. Tracking down which ones are actually using BASH and which ones aren’t might be beyond the ability of some system administrators and will certainly be a headache for all.
“Essentially every system should be patched immediately to prevent unauthorized access or unauthorized escalation from occurring against Linux systems. For example, if you attach your laptop to the network and request a dynamic IP address (DHCP), there could be a malicious DHCP server that is able to execute code on your machine simply because you are requesting access to the network. I strongly encourage everyone to patch their systems immediately.”
Troy Gill, senior security analyst of AppRiver
“System administrators are now in a race against the clock to determine if their Linux-based systems are in fact vulnerable and to get them patched before the expected surge in effort of those actively exploiting this vulnerability. The vulnerability exists within Bash – which is an extremely common command shell in Linux and UNIX systems – and allows for remote code execution.
“One major element that I believe could cause some issues is the fact that a lot of these users are part of the community that likes to believe that their systems don’t get malware because of the operating systems that they use. While it’s true they are less targeted, they are in no way invulnerable to attack. This could be a case in point if cybercriminals decide to make a move to quickly begin exploiting this vulnerability.
“Today, businesses need to be doing a full review to identify any systems that are vulnerable to ‘Shellshock’ and patch them. Time being a major factor in avoiding any looming attacks.”
Tim Erlin, director of security and risk at Tripwire
“This vulnerability in Bash delivers a kind of double-whammy to the IT security folks responsible for patching systems. The overlap of systems vulnerable to Heartbleed will be very high, and so the systems that are already difficult to patch for Heartbleed will also be difficult to patch for this new vulnerability. It won’t be long before we have a call to action for addressing this because of an actively used exploit.”
Ben Densham, chief technology officer at Nettitude
“Some patches against Shellshock are already being distributed and system administrators should ensure these are tested and installed as and when they are released. It is also extremely important for organisations to determine first if they are at risk from this vulnerability. Ensure they understand the risks presented and determine the controls they need until their systems can be fully patched.
“The ability to respond effectively if or when they are exploited relies on the right logs and events/activity being monitored for any suspicious actions.”
Kasper Lindegaard, head of Secunia
“There are multiple attack vectors for Bash, because a lot of organisations will be using Bash in different parts of their systems, and presumably many old devices on networks will be vulnerable.
“GNU, the Open Source project that has developed Bash, is a large and widely used project and should have the resources available to deal with the issue. They have in fact already released a patch – unfortunately it has proved ineffective, and there is therefore no official patch available at this stage. I am, however, expecting GNU Bash to release another patch today due to the criticality of this vulnerability, but the fact that the first patch wasn’t adequate, could indicate that they lack proper security quality assurance of their patches.”
Garve Hays, software architect for identity and access governance at NetIQ
“In the case of CVE-2014-6271, or Shellshock, attackers do not need to reverse engineer any software because this presents a ready-made opportunity – they are essentially getting a ‘free lunch’. Those carrying out Advanced Persistent Threats (APTs) will also now be able to include this vulnerability in their arsenal.
“There is an opportunity for attackers to exploit Bash before organisations roll out their patches, since it is a popular shell. What’s more, Shellshock is set to have a ‘long tail’ effect in a similar way to the Heartbleed bug in that not all servers will be updated and will therefore remain exposed. By June this year, there were still 300,000 servers that had not been patched following Heartbleed, so it’s reasonable to expect similar vulnerabilities to remain in this case.”
Ross Brewer, vice president and managing director for international markets at LogRhythm
“Organisations are going to need to act quickly on this one – it looks as though a huge number of connected devices are at risk. If the flaw is used by hackers, they’re going to have a field day going through confidential information and getting their hands on anything, from usernames and passwords to account numbers and personal data. Clearly the consequences are far-reaching and a lot of individuals and enterprises are likely to suffer.
“Not only can this strategy be implemented with relative speed – which really is of the essence – but as these solutions alert on any suspicious activity immediately, organisations are in a far better position to react and contain the threat before it causes any lasting damage.”
Toyin Adelakun, VP of products at Sestus
“Bash is a powerful shell, and its support for ‘here documents’, for example, means that this vulnerability could, if exploited, allow attackers to run arbitrary code on the compromised computer. Bash has been popular for most of its 25-year existence, and its persistence and ubiquity add up to a pervasiveness that raises both the likelihood and the impact of risks associated with this vulnerability.
“The risks are of attackers executing arbitrary code on Unix systems, or illicitly modifying, adding or deleting data on such systems. To mitigate those risks, the urgent advice is to immediately patch or update the bash software. That applies both to servers and to clients (i.e. individuals’ systems) such as Apple MacBooks and Mac Pro desktop computers. Because they affect both client and server computers, and because they could lead to data leakage directly from computers, these risks do indeed potentially surpass those of the Heartbleed bug.”
Mark James, security expert at ESET
“The concern is that Apache, which is used in more than 50 per cent of web servers, will use BASH to execute scripts for dynamic content and thus could be compromised to launch code on your server. An unpatched system could leave your server wide open and vulnerable to attack.
“What should you do now? Firstly run a command line test, then patch your systems. Check for any updates then check again, run the script and ensure you get the warnings. If you still don’t, then you should update BASH to the latest version manually. Also please keep an eye on network traffic, take this opportunity to tighten control on any non-essential services and turn them off.”
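The "command line test" and the "warnings" Mark James refers to correspond to the widely published self-test for CVE-2014-6271: export a variable whose value looks like a function definition followed by a trailing command, and see whether the local bash executes that trailing command. The script below is an added example, not part of the article or of ESET's guidance; the function names and the result labels (vulnerable, patched, unknown, no-bash) are this example's own choices. It runs the check against the bash found in PATH and classifies the combined output, so it reports both the vulnerable case and the "ignoring function definition attempt" warning that a fixed bash prints for the same input.

```shell
#!/bin/sh
# Added example (not from the article): a defender-side self-check for the
# CVE-2014-6271 condition. Function names and result labels are assumptions
# made for this example.

# Classify the combined stdout+stderr of the self-test command.
#   vulnerable : the injected "echo vulnerable" ran, i.e. the function-import
#                parser executed the command that followed the definition.
#   patched    : bash printed its "ignoring function definition attempt"
#                warning, which is what a fixed bash emits for this input.
#   unknown    : anything else (for example a build that silently drops
#                the variable without warning).
classify_output() {
    out="$1"
    case "$out" in
        *vulnerable*)                                 echo vulnerable ;;
        *"ignoring function definition attempt"*)     echo patched ;;
        *)                                            echo unknown ;;
    esac
}

# Run the self-test against the bash in PATH, or the binary given as $1.
check_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # The environment variable below looks like an exported function with a
    # trailing command. A fixed bash refuses to import it and warns instead.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1 || true)
    classify_output "$out"
}

# Constructed sample outputs (not captured from a real system) that show the
# two shapes of output the classifier distinguishes.
SAMPLE_VULN='vulnerable
this is a test'
SAMPLE_PATCHED='bash: warning: x: ignoring function definition attempt
this is a test'

# Usage: report the state of the local bash.
echo "local bash: $(check_bash)"
```

Run it on each host you administer (or point `check_bash` at a specific binary such as `/bin/bash`); a result of `vulnerable` means the shell needs updating, while `patched` confirms the warning behaviour described in the quote above. The classifier is deliberately kept separate from the command so the same logic can be applied to output collected from many hosts by whatever inventory tooling you already use.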
Gavin Millard, EMEA technical director at Tenable
“Unfortunately, due to the ease of exploit, ShellShock is a prime candidate for a worm. We could be looking at another SQL Slammer-like worm but instead of 100,000 servers being affected, it could be more like 100,000,000, which would be catastrophic.
“Every organisation should be scanning for this vulnerability today and patching everything they can. On a scale of 1-10, 10 being critical, this bug is an 11 and should be treated as such.”
Tom Cross, director of security research at Lancope
“It will take a long time for all of the implications of the Shellshock vulnerability to come to light. The most obvious vulnerable systems will be patched over the next few days, but there will be corner cases, particularly where Linux is used in appliances and embedded devices, where the vulnerability will linger on for a long time.
“Shellshock is particularly concerning in the context of Industrial Control Systems and SCADA, where there may be many vulnerable devices that are difficult to upgrade. Earlier this year, a sophisticated waterhole attack targeted users of a variety of industrial control systems and industrial cameras. Those attackers now have an entirely new attack vector to explore.”
Richard Cassidy, senior solutions architect at Alert Logic
“We have to take stock of when BASH was first developed, and that security issues are still widely related to the fact that developers aren’t (and in most cases can’t be) able to test their code against all conditions, variables and security related scenarios. The specific vulnerability found does require a specific set of conditions to be met.
“We need to look at this in context; yes it’s a vulnerability and organisations should absolutely take steps to apply those patches currently being released; but to be exploited with this vulnerability we’d be looking in most instances at a very targeted attack, as opposed to an opportunistic ‘script-kiddie’ one.”