Bash Bug: Bigger Than Heartbleed
Hackers Target Widespread, Remotely Exploitable Flaw
Attackers are already targeting the Bash vulnerability, less than 24 hours after information about the flaw became public. The number of affected devices is not yet known, but it potentially includes millions of stand-alone Web servers, Unix and Mac OS X systems, and numerous other Internet-connected devices.
Warnings about the Bash flaw, which is also being called Shellshock, first surfaced Sept. 24. Since then, security experts have been scrambling to understand the full extent of the vulnerability and the risks it poses, although many have already suggested it's a greater threat than the OpenSSL flaw known as Heartbleed.
Bash, which stands for the GNU Bourne Again Shell, is a Unix shell, meaning it's "an interpreter that allows you to orchestrate commands on Unix and Linux systems, typically by connecting over SSH or Telnet," says software architect Troy Hunt in a blog post. "It can also operate as a parser for CGI scripts on a Web server such as we'd typically see running on Apache."
A shell, however, gives both administrators and would-be hackers deep-level access to operating system capabilities, by allowing them to run almost any command. "The potential is enormous - 'getting shell' on a box has always been a major win for an attacker because of the control it offers them over the target environment," Hunt says. By gaining shell, attackers could dump all data stored on a server, reconfigure the environment or unleash automated worms. "There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines."
The vulnerability, discovered by Akamai security researcher Stephane Chazelas, has been designated CVE-2014-6271, and the National Institute of Standards and Technology's National Vulnerability Database rates the remotely exploitable flaw a "10" on its 10-point severity scale.
Multiple Linux distributions - including CentOS, Debian, Red Hat and Ubuntu - released patches for that vulnerability, but the fix was incomplete, Red Hat reports, leaving a residual flaw that has been designated CVE-2014-7169. "An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions," it says of the new flaw. "We are working on patches in conjunction with the upstream developers as a critical priority," Red Hat adds. In the interim, it recommends customers immediately install the available patch, since what remains is much less severe than the unpatched Bash bug.
Worse than Heartbleed?
One factor complicating a quick Bash fix is that it's installed by default on most Linux distributions and on Mac OS X, which are, of course, widespread. Netcraft, which tracks the number and types of Web servers in use, reports that there are now more than 1 billion websites on the Internet, and that more than half of them are served by Apache, which most often runs on Linux or another Unix-like system with Bash installed by default.
But many other devices could also be affected. "It's quite common for embedded devices with Web-enabled front-ends to shuttle user input back and forth via Bash shells, for example - routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed," says Tod Beardsley, engineering manager at Rapid7.
That's why many security experts believe the flaw poses a greater risk than Heartbleed, which affected versions of OpenSSL released over a two-year period. Bash, however, has been around since 1989, and all but the most recent versions are potentially exploitable, and may also be present in outdated, unsupported software that's still used in enterprise environments.
"It's easy to execute the attack - access complexity is low - and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts," Hunt says. "Naturally this is not functionality that's intended to be open to the world."
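What such an unauthenticated CGI probe leaves behind in a Web server's logs, as an added example that is not from the article or any of the researchers it quotes: Apache's mod_cgi copies request headers such as User-Agent and Referer into the CGI process environment (HTTP_USER_AGENT, HTTP_REFERER, and so on), so a header whose value begins with the Bash function-definition prefix "() {" is precisely the crafted environment variable the flaw needs. The log lines below are constructed for this example (RFC 5737 documentation addresses, a hypothetical /cgi-bin/status path), and the function names are my own.

```shell
#!/bin/sh
# Added example: flagging Shellshock probes in Apache combined-format
# access logs. Not from the article or the quoted researchers.
# SAMPLE_LOG is constructed for this example (RFC 5737 addresses,
# hypothetical /cgi-bin/status path).

SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.9"
198.51.100.23 - - [25/Sep/2014:10:14:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:14:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /bin/cat /etc/passwd" "curl/7.35.0"
192.0.2.44 - - [25/Sep/2014:10:15:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"'

# Reads log lines on stdin and prints those carrying the Bash function
# definition prefix "() {" (spaces optional) in any client-supplied field.
# mod_cgi exports User-Agent, Referer and the other request headers to the
# CGI process as HTTP_* environment variables, which is exactly where a
# vulnerable bash parses them.
shellshock_hits() {
    grep -E '\(\) *\{'
}

# Number of probe lines in the constructed sample.
shellshock_hit_count() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | wc -l | tr -d ' '
}

# Distinct source addresses that sent a probe (candidates to block or alert on).
shellshock_sources() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | awk '{ print $1 }' | sort -u
}

# Against a real log the same filter is: shellshock_hits < /var/log/apache2/access.log
printf 'probe lines: %s\n' "$(shellshock_hit_count)"
printf 'sources:\n%s\n' "$(shellshock_sources)"
```

The 200 status on the probe lines is the point: a CGI script answers normally while the environment import has already run the trailing command, so response codes alone reveal nothing and the header contents have to be inspected.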
"The Bash bug is as big a deal as Heartbleed" in terms of the number of affected systems and the length of time it would take to remediate them all, says Robert David Graham, who heads information security research firm Errata Security, and who's been using his masscan tool to scan the Internet for vulnerable systems.
"Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from Web-enabled Bash scripts," Graham says. "Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world."
Attackers Already Targeting Bash
There have already been reports of attacks related to Bash, with H.D. Moore, chief research officer at Rapid7 and the developer behind the free Metasploit penetration testing software suite, warning that there's "already an IRC bot in the wild using the Bash bug." An IRC bot, in this context, is malware that joins an IRC channel from a compromised host and takes commands from whoever controls the channel.
In this case, the malware appears to connect to a botnet, which gives attackers command-and-control capabilities over infected hosts. "Looking at string variables, it appears to be a kernel exploit with a CnC component," according to an analysis posted to GitHub.
The vulnerability is already being targeted by attackers who are scanning for vulnerable sites, then targeting them with malware designed to exploit the vulnerability, Graham says.
The open source Metasploit penetration testing framework has been updated with a module that exploits the vulnerability; the module credits Chazelas, the flaw's discoverer.
Test Now for Vulnerability
Computer emergency response teams are recommending organizations patch affected systems as quickly as possible. "US-CERT recommends users and administrators review the Red Hat security blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch," the organization says in its warning. "A GNU Bash patch is also available for experienced users and administrators to implement."
Red Hat says the patch for the flaw "ensures that no code is allowed after the end of a Bash function," and that it should be backwards compatible. But security experts recommend testing that supposition before altering production systems.
CERT-UK has published a Unix command that can be run to test whether a system is vulnerable. It says that "Web servers should be considered high priorities for patching."
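The check itself, as an added example rather than the page's or CERT-UK's own text, covering both the crafted-environment-variable mechanism described above and the incomplete first patch: the first function runs the widely circulated test string for CVE-2014-6271 through the local bash, and the second runs the follow-up test for CVE-2014-7169 inside a scratch directory, because a bash that still has the residual flaw writes a file named echo into the current directory. BASH_BIN and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: local checks for Shellshock (CVE-2014-6271) and the
# incomplete-fix follow-up (CVE-2014-7169). Not from the article.
# BASH_BIN (an assumption for this example) selects the bash binary to test.

BASH_BIN="${BASH_BIN:-bash}"

# Prints "vulnerable", "patched" or "no-bash".
# A function definition smuggled in through an environment variable: an
# unpatched bash keeps parsing past the closing brace of the function body
# and executes the trailing "echo vulnerable" while importing x.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Prints "vulnerable", "patched" or "no-bash".
# The first patch stopped trailing commands but left the parser in a bad
# state after a malformed definition: a still-vulnerable bash turns
# "echo date" into "date > echo", creating a file named echo in the current
# directory. Runs in a scratch directory so nothing else is touched.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# Combined report, one line per CVE.
shellshock_report() {
    printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
}

shellshock_report
```

A "vulnerable" from the first test means the original bug is present; a "patched" there with a "vulnerable" from the second means the first distribution patch was applied but the follow-up is missing. Test every copy of bash that a network-facing service could reach, not only the one on PATH (for instance BASH_BIN=/bin/bash on systems where /bin/sh is a different shell), and remember that a clean result says nothing about appliances and embedded devices that cannot be logged into to run it.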
Also beware of external attackers attempting to exploit the flaw. "Keep an eye on network traffic, take this opportunity to tighten control on any non-essential services and turn them off," says Mark James, who's a security specialist at anti-virus firm ESET.
But Errata Security's Graham argues that immediate fixes may not be required, and warns that businesses may need patches for software that's no longer supported. "There's little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug. However, everything else probably is," Graham says. "Scan your network for things like Telnet, FTP, and old versions of Apache - masscan is extremely useful for this. Anything that responds is probably an old device needing a Bash patch. And, since most of them can't be patched, you are likely screwed."