By John Leyden, 25th September 2014 17:59

Hackers thrash Bash Shellshock bug: World races to cover hole

Update your gear now to avoid early attacks hitting the web

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers.

But as "millions" of servers, PCs and devices lie vulnerable or are being updated, it has emerged that the fix is incomplete.

The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple's OS X.

It allows miscreants to remotely execute arbitrary code on systems ranging from web servers, routers and Macs to various embedded devices that use Bash, and anything else that uses the flawed open-source shell.

An attacker needs to inject his or her payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.

The Bash flaw – designated CVE-2014-6271 – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.
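As an added illustration of the CGI vector described above (not code from the original article), the following detector scans web-server access-log entries for a Referer or User-Agent value beginning with Bash's function-export marker, the prefix that CGI hands to Bash through the HTTP_REFERER and HTTP_USER_AGENT environment variables. The log lines and payload strings are constructed placeholders, not captures from a real attack.

```python
import re

# Constructed sample Apache "combined" log lines. The trailing commands are
# placeholders (/bin/true), not real attack payloads.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:17:59:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/true"
198.51.100.7 - - [25/Sep/2014:17:59:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [25/Sep/2014:17:59:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 "() {:;}; /bin/true" "curl/7.37.0"
"""

# A value that starts with "() {" is what an unpatched Bash treats as an
# exported function definition; text after the closing brace is then executed.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')

# Apache combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text):
    """Return (client_ip, field, request) for every line whose Referer or
    User-Agent header carries the Bash function-definition marker."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.match(rec[field]):
                hits.append((rec["ip"], field, rec["req"]))
    return hits


if __name__ == "__main__":
    for ip, field, req in shellshock_hits(SAMPLE_LOG):
        print(f"{ip} sent function marker in {field}: {req}")
```

Any CGI request header ends up in the script's environment, so the same check applies to other header fields a site logs, not only these two.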

Patches released on Wednesday by Linux vendors, the upstream maintainer of Bash, and others for OS X, blocked these early attacks, but it's understood they do not completely protect Bash from code injection via environment variables.

New packages of Bash were rolled out on the same day, but further investigation made it clear that the patched version is still exploitable, and at the very least can be crashed due to a null-pointer exception. The incomplete fix is being tracked as CVE-2014-7169.

Red Hat, at time of writing, is urging people to upgrade to the version of Bash that fixes the first reported security hole, and not wait for the patch that fixes the secondary lingering vulnerability – designated CVE-2014-7169.

"CVE-2014-7169 is a less severe issue and patches for it are being worked on," the Linux maker said.

Meanwhile, although Ubuntu and other Debian-based distros have moved to using the non-vulnerable Dash over Bash, the latter may well be present or in use by user accounts. Above all, check what shell interpreters are installed, who is using them, and patch CVE-2014-6271 immediately.

The above code can be used to drop files onto patched systems and execute them, as explained here. Completely unpatched servers and computers can be exploited to open reverse command shells – a backdoor, basically – or reboot them (or worse) if they connect to a malicious DHCP server.

The main CVE-2014-6271 flaw was discovered by Stephane Chazelas before it was responsibly disclosed. A Metasploit module leveraging the bug is already available. A blog post by Metasploit developers Rapid7 explains the grim state of play.

Bigger than Heartbleed? Yes, it is

Secunia warns that Shell Shock is "bigger than Heartbleed" because it enables hackers to execute commands to take over servers and systems. Heartbleed, by contrast, leaked users' passwords and other sensitive information, and did not allow third parties to directly hijack affected systems.

"Compared to Heartbleed, the vulnerability in OpenSSL from earlier this year, Bash is worse: Heartbleed 'only' enabled hackers to extract information. Bash enables hackers to execute commands to take over your servers and systems," explained Kasper Lindegaard, head of vulnerability intelligence specialist Secunia’s research team.

The National Institute of Standards and Technology (NIST) rates the flaw at the maximum CVSS score of 10 out of 10 for both impact and ease of exploitability, particularly as it is relatively simple to exploit.

Ben Johnson, chief security researcher for Bit9 + Carbon Black, added: "The tricky aspect of this vulnerability is that it isn’t as clear-cut as Heartbleed. With Heartbleed, security professionals primarily needed to see what version of OpenSSL they had and then patch it if necessary.

"With Bash, there may be DHCP servers, web servers, and other network-accessible services that use Bash for part of their functionality. Tracking down which ones are actually using Bash and which ones aren't might be beyond the ability of some system administrators and will certainly be a headache for all."

Joe Hancock, cyber security specialist with Lloyd’s of London insurance syndicate AEGIS London, commented: "The bug has existed for over 25 years in the Bash software, making it exceptionally pervasive. An exploit for the vulnerability was released within hours of the bug being announced, which directly enables the targeting of vulnerable web servers."

Simon Edwards, senior security consultant at Damballa, said web servers were most at risk, even though all manner of computing kit is potentially vulnerable. Even though smaller embedded devices tend to run BusyBox Linux, which doesn't use Bash, many bits of gear – various printers, switches and so on – are using Bash.

"The new bash vulnerabilities are certainly very serious, and have an impact on many different types of systems, from straightforward Unix servers, to routers and industrial control systems using Unix as a back end," Edwards explained.

"However the vulnerability only works by sending the bash process (the most popular of Unix shells) malicious instructions via another application. In the case of an SSH login, this means that the attacker would need to have successfully authenticated first, and then the malicious code can be injected into the Bash shell.

"So the real issue is more in the other applications, like CGI scripts on web servers, which could be manipulated to inject the code as part of their usual process. The point is that these attacks only work in combination with other attack vectors; and as with malware infections, multiple methods are required to compromise a system."

Party like it's 1999 – this is going to turn into a worm

Tenable's EMEA technical director Gavin Millard warned that the vulnerability can be exploited by worms that infect machine after machine after machine as they crawl through the internet – just like Slammer, Blaster and others floored Windows servers years ago.

"The potential for attackers utilizing Shell Shock is huge with millions of Unix and Linux servers vulnerable," Millard warned.

"The major concern of Shell Shock is the staggering amount of systems that have Bash installed – almost every Unix platform and many of the 'Internet of Things' devices we now have in our homes and businesses.

"Unfortunately, due to the ease of exploit, Shell Shock is a prime candidate for a worm. We could be looking at another SQL Slammer-like worm but instead of 100,000 servers being affected, it could be more like 100,000,000, which would be catastrophic.

"Every organisation should be scanning for this vulnerability today and patching everything they can. On a scale of one-10, 10 being critical, this bug is an 11 and should be treated as such."

Even putting aside the nightmare of a worm outbreak, the impact of Shell Shock is potentially huge. Darien Kindlund, director of threat research at FireEye, described the bug as "horrible."

"It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic," Kindlund said.

"Conservatively, the impact is anywhere from 20 to 50 per cent of global servers supporting web pages. Specifically, this issue affects web servers using GNU Bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet." ®
