Security Advisor
Millions of Systems and Devices Vulnerable to Bash 'ShellShock' Flaw
The 25-year-old flaw, which was just discovered on Wednesday, leaves systems running Linux and Mac OS X open to remote code execution attacks.
Security experts have discovered in the Bourne Again Shell (Bash), used in the Unix-based open source platform that could leave Linux and OS X system and connected devices like routers and webcams vulnerable to attack. Also, the flaw leaves a huge hole in an estimated half of all Web sites running on affected servers.
Discovered and disclosed by security researcher Stephane Chazelas late Wednesday night, the Bash shell vulnerability, called "ShellShock," could potentially affect more systems than April's Heartbleed flaw disclosure. While Heartbleed could allow attackers to extract information from targeted systems, ShellShock could lead to systems being completely taken over.
"Basically this vulnerability allows an attacker to perform remote code execution attacks on any server using the Bash shell," commented David Jacoby, Senior Security Researcher at Kaspersky Lab. "Unfortunately use of this shell is widespread -- it is used in many server products, including those powering Web sites."
Shortly after the flaw was discovered, GNU released a patch for its OS. However, according to Red Hat, the fix did not fully take care of the issue and the firm expects GNU to release a more effective patch sometime today.
And there's worse news: less than 24 hours since the ShellShock disclosure, researchers are already seeing exploits in the wild. Security researcher "Yinette" reported the first known exploit of the bug late last night, which includes functionality for denial of service (DDoS) attacks and automated brute force password hacks.
While there are no words on when a permanent fix for Linux and Apple users are coming, it is recommended that IT keep an eye out for when they are released and patch immediately. In the meantime it's recommended IT keep an eye out for possible network attacks that may attempt to breach firewall defenses.
Due to Windows OS and Windows Servers not using the Bash shell, ShellShock is not a direct threat to Microsoft hardware and software. But that doesn't mean Windows Shops are in the clear. Microsoft MVP Troy Hunt discussed in a blog concerning ShellShock that Windows shops are rarely ever 100 percent windows.
"There are non-Microsoft components sitting in front of their Microsoft application stack, components that the traffic needs to pass through before it hits the web servers," wrote Hunt. "These are also components that may have elevated privileges behind the firewall -- what's the impact if Shellshock is exploited on those? It could be significant and that's the point I'm making here; Shellshock has the potential to impact assets beyond just at-risk Bash implementations when it exists in a broader ecosystem of other machines."
Just like Heartbleed, the ShellShock flaw going unnoticed for decades has allowed it to lay dormant in numerous connected devices. Robert Graham, security expert for Errata Security, commented on when flaws like these are discovered, it's embarrassing for IT members who have worked in close proximity of the code for years.
"So we've known for 20 years that this is a problem, so why does it even happen? I think the problem is that most people don't know how things work," wrote Graham. "Like the IT guy 20 years ago, they can't look at it and immediately understand the implications and see what's wrong. So, they keep using it. This perpetuates itself into legacy code that we can never get rid of. It's mainframes, 20 years out of date and still a 50-billion dollar a year business for IBM."