On Wednesday, AusCERT and MalwareMustDie reported that Shellshock is being exploited in the wild. Shellshock is the name given to a vulnerability that exists in GNU Bash versions 1.14 through 4.3.
Given the reach of GNU Bash itself, combined with the sheer volume of devices and applications that rely on it, Shellshock is likely going to be larger than Heartbleed.
"This bug is certainly significant. It is difficult to say whether it’s truly bigger than Heartbleed. From my perspective, Heartbleed was a bit more troubling due to the affected component and the massive usage of SSL," commented Flavio De Cristofaro, from Core Security.
Primarily, the vulnerability will be easily found on web servers, however CentOS versions 5-7, Ubuntu 10.04, 12.04, and 14.04 (all LTS versions), Debian, Mac OS X, and Red Hat Enterprise Linux 4-7, are all vulnerable.
"The exploitation of this vulnerability relies on bash functionality somehow being accessible from the Internet. The problem with bash is that it's used for everything. On a Linux-based system, bash is the default shell and anytime a web-enabled process needs to call a shell to process input, run a command (such as ping, or sed, or grep, etc.), it will call bash," commented Daniel Ingevaldson, CTO of Easy Solutions.
"This vulnerability allows a remote attacker to inject his command into bash via an environment variable. [Such commands] can download a password file, run a remote shell, or really do anything that the attacker wants very, very easily."
Once the problem was disclosed, all of the major Linux / Unix vendors (aside from Apple) pushed patches to the public. However, not all of them were fully functional. On Thursday, Red Hat warned users that the previously released patch for the problem wasn't complete. Despite this setback, they still encouraged users to apply it instead of waiting for additional updates.
The reach of GNU Bash is something that's been debated since the issue came to light earlier this week. Thousands of web applications have been proven vulnerable, simply because they rely on GNU Bash (/bin/sh) to access stored data via environment variables. However, it’s suspected that Shellshock could impact millions of websites and devices across the web.
Embedded devices also mean that desktops, tablets, and other platforms are suspect, because if GNU Bash is present, then it is legacy code, and those devices were likely shipped without any means of updating.
In fact, it’s highly likely they were developed without security in mind, because no one thinks they'll have to patch a light bulb, thermostat, or streaming media center.
Users must patch, De Cristofaro added. The general recommendation is that users should check to see if they are running CGI, which makes exploiting the issue easier remotely, but that isn't the only way to tell if a system is vulnerable; and the absence of CGI doesn't negate the need for a fix.
"That is absolutely not enough. C++, Python, PHP and every other application that makes Bash calls are affected. Other applications supporting DHCP, SSH (restricted shell) may be also affected, not only from a remote attack but also from a local privilege escalation perspective. Putting aside Unix/Linux distributions, companies will face significant challenges if they need to patch old systems or systems based on embedded devices like cameras, routers and ICS if they are running Bash."
As the days progress, it’s likely that attacks leveraging this bug will go after surfaces that are known (web servers and networks) as well as seemingly random surfaces that are completely unexpected (IoT). Moreover, it’s possible that this process will be automated, as one researcher has discovered that Shellshock is Wormable.
For now, the upside for administrators is that this vulnerability, if attempts at exploitation are made, is noisy and easily logged.
Update:
Proof-of-Concept code for using Shellshock to target DHCP has been released, adding yet another layer to the attack surface on this bug.
