Bashing the Bug: Recap on Shellshock

by Ross Dyer

You’ll have heard of the Bash bug, or the Shellshock vulnerability, which has been dominating information security headlines for most of the past weeks. But the more information piles up the harder it can be to sift through the noise and work out exactly what you should be doing to mitigate the threat.
So let’s take a high-level look at the basics and outline what happened, why and what you should do about it.

Back to basics

Shellshock, or CVE-2014-6271 to give it its full name, is a vulnerability in the extensively used Bash (Bourne Again SHell) command shell. It has been given a severity rating of 10/10 by the US National Vulnerability Database, which has the following description:

“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.”

Put simply, it allows remote code execution on any systems running Bash versions 4.3 and older. As Bash is used extensively by Linux and UNIX, Mac OS X, ICS/SCADA systems and Internet of Things devices, assume your environment is at risk on several fronts.

What’s most at risk?

The problem with the Bash bug is that it’s been around for over 20 years, which means it could be deeply embedded in your systems. For starters, finding it will be half the battle, patching it the other half.

Currently the biggest risks seem to be older web sites running CGI-scripts using Bash.

Already, researchers have reported seeing the vulnerability exploited to launch botnet attacks, as well as in data exfiltration, malware droppers and backdoors.

There is a caveat. Any attack must focus on Bash itself rather than a particular application, so it may be harder, or more time consuming, for cybercriminals to exploit because each attack needs to be tweaked to be effective.

What next?

That said, with attacks already spotted in the wild there’s no time to waste, so make sure you prioritise the following:

  • Find and update Bash to above version 4.3 – check out Trend Micro’s free protection for Shellshock, as well as our browser extension and device scanners to protect browsers and devices against Shellshock vulnerability risks.
  • Many of the major Linux distributors as well as the likes of Cisco, Apple and others have released or are in the process of releasing software updates. Prioritise systems, brief your sysadmins and stay up-to-date.
  • Trend Micro Deep Security customers must apply the update DSRU14-028 and assign the following rule: 1006256 – GNU Bash Remote Code Execution Vulnerability
  • Attempts to exploit the Shellshock vulnerability on the network can be detected via the following Deep Discovery rule: 1618 – Shellshock HTTP REQUEST

NOTE: Other Trend Micro products (Trend Micro OSCE, IWSVA and Titanium) detect the vulnerability as CVE-2014-6271-SHELLSHOCK_REQUEST.

More information from Trend Micro can be found here.

Leave a Reply

Your email address will not be published. Required fields are marked *