In short, Shellshock is potentially a "plague-like" vulnerability: it gives an attacker command execution on Linux-based systems, which run approximately 51 percent of the world's web servers. Because bash is so pervasive, attacks against it could grow at a very fast pace. The recent Heartbleed vulnerability is often compared to Shellshock, but Heartbleed is dwarfed by the extent and reach of this new bug.
Because Shellshock is so widespread, the following actions should be taken:
- End users: watch for patches and apply them immediately.
- IT admins: if you run Linux or UNIX hosts, patch bash immediately; until the patch is in place, stop exposing bash to untrusted input (for example by disabling CGI scripts that invoke it).
- Website operators: if bash is used by any web-facing script, patch as soon as possible or rewrite the script away from bash.
- Hosting customers: ask your provider what it is doing to remedy the problem and apply patches accordingly.
Security experts from NetIQ also strongly urge companies to identify all sensitive, Internet-facing servers and conduct a patch analysis in light of the Shellshock bug. According to Geoff Webb, Senior Director, Solution Strategy at NetIQ, in cases where patch records are difficult to obtain or nonexistent, it is then time for “boots on the ground.” Security officers or administrators can perform a quick test on a server or appliance to see if it is vulnerable.
The following simple test can be run from a Bash command prompt. If the message "This system is vulnerable" appears, the server must be patched immediately or disconnected from the Internet until maintenance can be performed. In the example above, I have demonstrated a vulnerable system. If the system has already been patched, bash refuses to import the crafted variable as a function and reports something like the following:
- bash: warning: myvar: ignoring function definition attempt
- bash: error importing function definition for `myvar'
- Test for Shellshock:
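The check below is an added example written for this page, not the listing the article refers to. It reproduces the classic Shellshock probe: a variable whose value begins with `() {` is exported into the environment of a child bash, and a vulnerable bash executes whatever follows the function body while importing it. A second function covers the follow-up parser bug (CVE-2014-7169) that survived the first vendor patch, which is the "partial fix" discussed further down the page. The variable name `myvar` is chosen to match the warning text quoted above; the message strings and function names are this example's own. Stderr is left untouched for the first test so that a patched 4.3-era bash still shows the "ignoring function definition attempt" warning.

```shell
#!/usr/bin/env bash
# Added example (not the article's own script): local Shellshock check.
# Each test returns 0 when the installed bash is vulnerable, 1 otherwise.

# CVE-2014-6271: a vulnerable bash runs "echo VULN" while importing myvar.
# A patched bash ignores the trailing command (and may warn on stderr).
shellshock_6271() {
    out=$(env myvar='() { :;}; echo VULN' bash -c 'echo probe')
    case "$out" in
        *VULN*) return 0 ;;
        *)      return 1 ;;
    esac
}

# CVE-2014-7169: the incomplete first patch left a parser bug. The crafted
# value ends in a backslash, so the "echo date" passed to -c is glued onto
# the function body as "> echo date", i.e. "date > echo". A vulnerable bash
# therefore creates a file named "echo" in the working directory.
shellshock_7169() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env myvar='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Combined verdict: prints the article's message and returns 0 if either
# test fires, 1 if both are clean.
shellshock_check() {
    if shellshock_6271 || shellshock_7169; then
        echo "This system is vulnerable"
        return 0
    fi
    echo "This system appears to be patched"
    return 1
}

# Run the check when the file is executed directly (the exit status of the
# functions, not of the script, carries the result).
shellshock_check || true
```

Run it as root on each Internet-facing host or appliance, or copy it over SSH and execute it there; a system that passes both tests but still runs an old bash should be re-checked after the vendor's complete fix ships.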
The test above does not scale to hundreds of servers or more. This is where an investment in a patch management and automation system or vulnerability remediation tool pays for itself.
Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender, suggests that while most operating system vendors have already issued a partial fix that makes attacks harder to carry out, this is not a complete fix but rather a barrier that buys vendors more time to find a universal solution.
“A significant part of the Internet is running a Linux or UNIX-based version of an operating system that includes the bash shell. These UNIX-based web servers often run CGI scripts that rely on bash for functionality, therefore any attack against these scripts could result in exploitation and subsequently, could allow a hacker to remotely own the machine,” says Mr Botezatu.
“Additionally, attacks against web servers are very easy to implement and carry out. The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent (a string that tells the webserver what type of browser is being used on the other end so that the server knows how to format data before sending it).”
Bogdan advises that workstations (such as Mac OS X computers) and embedded Linux devices can also be subverted via bash attacks if specific prerequisites are met (i.e., the attacker resides on the same network as the victim device).
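The CGI scenario Mr Botezatu describes leaves a trace: Apache writes the User-Agent and Referer headers of every request into its combined-format access log verbatim, so the `() {` marker that the vulnerable bash looks for when importing functions shows up in the log of any server that was probed, whether or not the probe succeeded. The scanner below is an added example for this page, not a Bitdefender or NetIQ tool. The four log lines are constructed for the example (RFC 5737 documentation addresses), and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the article): find Shellshock probes in an
# Apache combined-format access log.

# A bash function export starts with "() {"; attackers put it in a header
# that the CGI layer copies into the environment (User-Agent, Referer, ...).
# Optional whitespace between ")" and "{" is allowed because both forms hit.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print every matching log line, prefixed with the client IP and a tab.
shellshock_scan_log() {
    grep -E "$SHELLSHOCK_RE" "$1" | awk '{ print $1 "\t" $0 }'
}

# Number of matching requests (grep -c exits 1 when the count is 0).
shellshock_hit_count() {
    grep -cE "$SHELLSHOCK_RE" "$1" || true
}

# Unique source addresses that sent a probe, one per line, sorted.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample log: two probes (one in User-Agent, one in Referer)
# and two ordinary requests, including a User-Agent that contains "(" but
# no function marker. Returns the path of the temporary file.
shellshock_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock"
192.0.2.10 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 "() {:;}; /bin/echo probe" "curl/7.37.0"
192.0.2.10 - - [25/Sep/2014:10:12:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
EOF
    echo "$f"
}

# Demonstration on the constructed log; on a real server point the
# functions at /var/log/apache2/access.log or the equivalent instead.
log=$(shellshock_sample_log)
echo "probes found: $(shellshock_hit_count "$log")"
shellshock_sources "$log"
rm -f "$log"
```

A hit against a path under /cgi-bin/ on an unpatched host should be treated as a likely compromise, not just a scan, because the payload runs before the script does; a hit against a static page only tells you the source is scanning. Note that the pattern also matches an attacker who bypassed the web server and spoke to a CGI script through another front end, as long as that front end logs the same headers.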
Those with vulnerable systems should update bash through the operating system's update mechanism immediately and then check back to see whether the complete fix has become available.