Shellshock BASH vulnerability – our take

2nd October 2014

The hot news of the last few days has been the discovery of a major vulnerability in the BASH command shell. The BASH shell is hugely prevalent and is used on a massive number and quantity of operating systems and devices. Pretty much all flavours of Linux, Android, Mac OSX and numerous other systems all use BASH.

So, how serious is this discovered vulnerability? In one word, massively. In two words, worrying massively. The issue that has been uncovered basically allows an attacker to run remote commands on the affected device and potentially get it to do anything they like. For example – restart, format a hard disk, copy some files to an external server. All very, very, very bad news.
In this manner, it is actually worse than the well documented Heartbleed issues of a few months ago. Whilst Heartbleed was also extremely serious the issues it caused allowed data on the impacted device to be accessed, not for commands to be run. Shellshock in this regard, is pretty much as bad as it gets.

The Shellshock issue reaches new levels of seriousness because of the wide variety of platforms that utilise BASH. Web Servers. Infrastructure devices like routers, switches and firewalls. Other platforms that make use of Linux operating systems including telephony servers. Everybody will have at lease one device that is potentially vulnerable. Many large customers will have hundreds or thousands.

So what do we do about it? The simple answer is patch the impacted systems with fixed software. However, this is only half the story. In many instances equipment vendors provide customized versions of operating systems and customers will have to wait for them to provide patches. It is however 100 percent certain that a lot of equipment out there is end of support and vendors will not provide updated software.

It is however worth at this stage pointing out a few additional things. The vast majority of infrastructure devices require authentication before scripts or commands can be run through either their embedded web servers or direct SSH access. This means that to successfully exploit this vulnerability the attacker must have valid credentials on the devices. In many situations devices will only have a single userid / password for administration – so the attacker must have these account details. If they have these, then they have full control of the device regardless of this issue so Shellshock is not massively relevant.

Further, most devices are (or should be) behind a firewall. This means that direct access from the Internet to them is not possible. Again, this to some level mitigates the seriousness of the situation for some people.

Where Shellshock is a massive issue is for public facing web sites. Any web site running on a Linux platform with a vulnerable version of BASH needs to be patched immediately. Exploits of the Shellshock issue are already being observed on the public Internet. Whilst in many cases these are just scans to see if systems are vulnerable, and not being active malicious, it is only a matter of time before this changes. Any other systems (e.g. web cameras, mail servers) that are directly accessible from the Internet should be analysed to see if they are vulnerable, and if so patched.

Shellshock is extremely serious, and it will impact all of us. We all need to look at the systems we are running to see if they are vulnerable and mitigate this issue if they are. The only real solution is by fixing the faulty software however as we have discussed, there are some other mitigation considerations that should be looked at. However, ignoring it is not an option.

Barry Hesk