Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

'Bigger than Heartbleed' Shellshock flaw leaves OS X, Linux, more open to attack

Brad Chacos | Sept. 26, 2014
The good news: Patches are already rolling out. The bad news: This devastating vulnerability could be around for a long, long time.

Well, this isn't good. Akamai security researcher Stephane Chazelas has discovered a devastating flaw in the Unix Bash shell, leaving Linux machines, OS X machines, routers, older IoT devices, and more vulnerable to attack. "Shellshock," as it's been dubbed, allows attackers to run deep-level shell commands on your machine after exploiting the flaw, but the true danger here lies in just how old Shell Shock is-this vulnerability has apparently been lurking in the Bash shell for years.

Why this matters: A large swath of the web-connected devices, web servers, and web-powered services run on Linux distributions equipped with the Bash shell, and Mac OS X Mavericks is also affected. The fact that Shellshock's roots are so deep likely means that the vulnerability will still be found in unpatched systems for the foreseeable future-though the odds of it directly impacting you appear somewhat slim if you use standard security precautions.

Update: Security researchers are already finding evidence of the Shellshock Bash bug being exploited in the wild, according to ZDNet. One exploit attempts to install a denial-of-service attack bot and guess the login information for affected servers using a list of commonly used passwords.

Heartbleed redux
The news comes as the security community is just shaking off the effects of Heartbleed, a critical vulnerability in the widely used OpenSSL security protocol. "Today's bash bug is as big a deal as Heartbleed," says Errata Security's Robert Graham, a respected researcher.

Hold your horses, Robert. Before we dive into dire warnings, let's focus on the positive side of this story. Numerous Linux variants have already pushed out patches that plug Shellshock, including Red HatFedoraCentOSUbuntu, and Debian, and big Internet services like Akamai are already on the case.

But Graham says Shellshock's danger will nevertheless linger for years, partly because "an enormous percentage of software interacts with the shell in some fashion"-essentially making it impossible to know exactly how much software is vulnerable-and partly because of the vulnerability's age.

"Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed."

Now consider that more than two months after Heartbleed was disclosed, hundreds of thousands of systems remained vulnerable to the exploit.

Maybe not Heartbleed redux?
But don't panic! (Or at least not yet.) While Heartbleed had the potential to be widely exploited, Jen Ellis of security firm Rapid7 says the Shellshock bug's outlook isn't quite as grim, even if it is rampant.

"The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue," Ellis writes. "In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network and this program would have to be implemented in Bash, or spawn a sub-command using Bash."

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.