Shellshock: Be Wary, But Don't Panic



Hundreds of millions are vulnerable to Shellshock. How many are exploitable?

A new bug was reported that you may have heard about. Shellshock, also known as the Bash Bug, is a software vulnerability that could make your systems vulnerable.

In terms of impact, exploitability, and severity, the National Institute of Standards and Technology (NIST) rates this bug a 10 out of 10.

Why is this happening?

The default command shell on Linux, Unix, and Mac systems is called Bash. Bash translates your commands into a language the operating system can understand. For decades, this vulnerability has existed inside Bash. On September 24, a security researcher publicly announced it for the first time.

Who is affected?

Most non-Windows operating systems (e.g., Linux, Unix, and MacOS) used by computers, routers, websites, servers, etc. are vulnerable. Some Windows operating systems can be affected if their users have installed Bash.

What does Shellshock allow hackers to do?

Shellshock opens a way for attackers to take full control of your computer or server by injecting malicious commands into the Bash process, which then runs them. That means if a hacker does happen to exploit this vulnerability, they can install malware to scrape your data, modify system settings, access databases, run programs, etc.

But don’t panic quite yet. There is a difference between vulnerability and exploitability. Just because you are vulnerable doesn’t necessarily mean attackers can access your systems. Thus far, only isolated instances of exploitability have been discovered.


“The extensiveness of the remote exploitability of Shellshock is yet unknown,” said Chad Horton, Penetration Test Manager at SecurityMetrics. “Initial research suggests this vulnerability will be most severely exploited from attackers located on the same local area network (LAN) as the victim, which, while severe, is less of an impact than remotely exploitable vulnerabilities.”

How do I fix Shellshock?

The bad news is, there’s no complete fix…yet. Some patches have been released, but have since been reported as incomplete. For now, it’s a waiting game. Only after vendors issue patches to their software can users work to stop the Shellshock vulnerability on their systems.

How to protect against Shellshock

  • Install any software updates as soon as they are released (You may even have to patch the same system multiple times this week, as many patches will be released)
  • Run vulnerability scans often. (Know that vulnerability scans will not be 100% accurate within the next couple of weeks, because it’s very likely more exploits will be found)
  • Check with your vendors to make sure they’re actively working on patches. (Some vendors have already invested time into making sure their systems are secure against Shellshock. For example, Check Point and SonicWALL)

See also: Vulnerability scanning, the easiest way to predict how hackers might get into your system

Command line test for Shellshock

To mitigate exploit potential, it’s best practice to ensure daemons run with the least privileges required to perform their necessary functions. Keep in mind that running a daemon as root is never a good idea.

Here’s a command line test to see if your system is vulnerable.

Enter the following command:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
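If you need to run this check on more than one host, or use its result in a script, the one-liner above is easier to work with wrapped in functions. The following is an added example, not code from the original article; the function names are my own, and it assumes a POSIX shell and a bash binary on the PATH. It also handles a third outcome the article does not list: newer bash builds ignore a plain `x='() {...}'` variable entirely, so they print only "this is a test" with no warning, which this script also reports as patched.

```shell
#!/bin/sh
# Added example, not from the article. Wraps the article's Shellshock
# test in functions so the result can be used in scripts or run across
# several hosts. Assumes POSIX sh and a 'bash' binary on PATH.

# classify_output: given the captured stdout+stderr of the test command,
# print one word: vulnerable, patched, or unknown.
classify_output() {
    out="$1"
    case "$out" in
        # The injected function body ran: the environment was evaluated.
        *vulnerable*) echo vulnerable ;;
        # Early patches still try to import the function but refuse it.
        *"ignoring function definition attempt"*) echo patched ;;
        # Later patches only import specially named variables, so a plain
        # variable named x is ignored and no warning is printed.
        *"this is a test"*) echo patched ;;
        # Nothing recognisable (e.g. bash not found): don't guess.
        *) echo unknown ;;
    esac
}

# run_test: execute the article's test against the given bash binary
# (default: whatever 'bash' is on PATH) and capture both output streams.
run_test() {
    bash_bin="${1:-bash}"
    env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1
}

# check_bash: run the test and classify the result for this host.
check_bash() {
    classify_output "$(run_test "$@")"
}

# Usage: prints vulnerable, patched, or unknown for the local bash.
check_bash
```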

See also: Ghost Vulnerability Test
