Reports: Shellshock Attacks Already Uncovered
By Linda M. Rosencrance / CRM Daily
Hackers have already launched attacks aimed at exploiting the Shellshock Bash bug, according to security researchers at AusCERT and MalwareMustDie. That means administrators should patch vulnerable systems as soon as possible.

Shellshock is the name given to a vulnerability that exists in GNU Bash (Bourne-Again Shell) versions 1.14 through 4.3. Unix and Linux systems -- as well as Mac OS X (which also uses Bash) -- are at risk from the bug in Bash, a commonly used command interpreter, according to U.S. CERT (Computer Emergency Readiness Team). The U.S. National Vulnerability Database rated Shellshock 10/10 for severity with a complexity rating of "low," meaning it is very easy to exploit.

The Bash bug has the potential to be bigger than the Heartbleed vulnerability, which has gone down in security history as one of the worst bugs ever. Heartbleed only affected a specific version of OpenSSL. But the Bash bug has been around for a long time, which means lots of old devices on the network are vulnerable. And that means the number of systems that need to be patched -- and probably won't be patched -- is a lot larger than the fallout from Heartbleed.

First Patch Didn't Patch

"US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system," the agency said, adding that a patch was initially issued but didn't fully address the problem. "MITRE later assigned a patch to cover the remaining problems after the application of the first patch."

The agency recommended that users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Red Hat Security Blog for additional details as well as refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. "A GNU Bash patch is also available for experienced users and administrators to implement," the agency said.

Failure of Open-Source Community?

Chris Stoneff, director of Professional Services at Lieberman Software, told us the blame for the lack of insight into the Bash vulnerability rests squarely on the shoulders of the open-source community.

"I see this as a failure in the mindset of the open source community where everyone waits for everyone else to do something or find something," Stoneff told us. "One of the interesting things happening with so much bashing of closed source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OS X have gained in recent years to would-be attackers."

It has shone a light on one of the biggest lies perpetrated on people: we are not vulnerable because we don't use Microsoft, he said. "Well, the proof is now here and it's time for Linux and OSX and UNIX to take some heat."

Stoneff said the scary -- or maybe scarier -- part is that the Bash bug has been around for some time, but the first round of patches for Shellshock is not fixing the problems of unauthenticated scripts gaining privileged access to data and services.

"Given the nature of the patch and the wide variety of servers it affects -- especially web servers -- I expect we will see another round of highly publicized data theft and public shaming," Stoneff said. "Many home devices including cable boxes, routers, NAS devices, and of course enterprise and Internet connected devices and services all make use of Linux/UNIX running a Bash shell. It is not insignificant."

Every Linux, Apple Server Vulnerable

Heartbleed was dangerous because it struck at a part many people used in their systems, Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies, told us. "Shellshock strikes at a part that anyone running on Linux or Apple servers must have on their system."

Bash is a part that's built in, unless you take great pain to take it out, he said. That means every Linux and Apple server is potentially vulnerable. "That includes millions of embedded devices that are not likely to get attention any time soon," Sander told us. "It's going to be another race to the patches for administrators."

'If, When' Is Now

Kyle Kennedy, CTO, STEALTHbits Technologies, told us that for years users of Linux software have watched consumers react to reported security exploits in other operating systems, wondering "if and when" a major event will unfold for them.

"A number of those users have woken up this morning 'shellshocked' due to the reported Bash bug security vulnerability," he said. "Bash is software widely used to control the command prompt on many Linux systems. Reports claim that hackers can exploit a bug in Bash and take complete control of a targeted system. Heartbleed was big -- but Heartbleed just allowed a hacker to spy on computers -- not take control of them."

Using the Bash vulnerability, an attacker can potentially take over the operating system and gain full access to the host system, Kennedy said. This means an attacker not only controls the host but also has access to everything on that host -- sensitive information, confidential information, intellectual property, customer data, financial data -- the list goes on -- including the ability to make changes to the host.

Kennedy noted that the method of exploiting this issue is quite simple -- it doesn't require sophisticated attack methodologies. Essentially cutting and pasting a line of code can provide a cybercriminal very good results with minimal effort.

"Shellshock should shock every be start deploying the patch immediately to any system using Bash. Let the fun begin -- again," he said.

Maybe Some Good News

"Basically this vulnerability allows an attacker to perform remote code execution attacks on any server using the Bash shell," David Jacoby, senior security researcher at Kaspersky Lab, told us. "Unfortunately, use of this shell is widespread -- it is used in many server products, including those powering Web sites."

The real scale of the problem is not yet clear, he added. But it's almost certain that hackers and security researchers are testing Web services and Linux software right now and the results of these tests will probably be published in the coming days.

"The good news is that vendors of some of the most popular products affected by the vulnerability have already prepared patches that could at least partially eliminate the problem," Jacoby told us. "Now it is up to administrators managing vulnerable systems -- how quickly they react and update vulnerable software."

Tell Us What You Think


Posted: 2014-09-29 @ 6:37am PT
@David, of course it can. The fact that hackers and viruses are targeting Linux and osx is something that the MS folks always knew would happen. NO os is safe. What can be made can be unmade.

Posted: 2014-09-27 @ 3:40pm PT
BTW, embedded systems don't use BASH shell as this shell requires more memory but instead use Bourne shell (sh) which is not affected.

To test if your shell is affected, try this at your shell prompt:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get the output below, you are affected.

this is a test
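
The one-line test from the comment above, wrapped as a reusable check over every Bash binary on a host (an added example, not part of the original comment or article). The marker string and function names are constructed here; the verdict is `vulnerable` only when the marker line is printed ahead of the expected echo.

```shell
#!/bin/sh
# Added example. MARKER and all function names are constructed for illustration.
MARKER="SHELLSHOCK_PROBE_FIRED"

# Classify captured probe output.
#   vulnerable : marker line present (Bash ran the command trailing the function body)
#   patched    : only the expected echo came back
#   unknown    : anything else (binary failed to run, unexpected output)
classify_probe_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qx "$MARKER"; then
        echo vulnerable
    elif [ "$out" = "this is a test" ]; then
        echo patched
    else
        echo unknown
    fi
}

# Run the probe against one Bash binary (path in $1) and print the verdict.
check_bash() {
    bin=$1
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo not-found
        return 0
    fi
    # Same shape as the comment's test: a variable whose value looks like a
    # function definition followed by an extra command. stderr is discarded
    # because patched shells may print import warnings there.
    out=$(env x="() { :;}; echo $MARKER" "$bin" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Check Bash at common install paths plus the one on PATH, each path once.
scan_bash_binaries() {
    seen=""
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash "$(command -v bash 2>/dev/null)"; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        case " $seen " in *" $bin "*) continue ;; esac
        seen="$seen $bin"
        printf '%s %s\n' "$bin" "$(check_bash "$bin")"
    done
}

scan_bash_binaries
```

A `patched` verdict covers only this one probe; as the article notes, the first patch did not fully address the problem, so the vendor's current Bash package should still be installed.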

Posted: 2014-09-26 @ 2:49am PT
I went to the GNU ftp site, downloaded patched bash, compiled it, and I am safe. 4 hours after hearing of the bug, I am safe. Can closed-source software do that? No.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.