Shellshock Bash Bug And Microsoft Users Spared?

SEPTEMBER 26 — Computer security experts are busy finding solutions to remedy the Shellshock bug, a security flaw embedded in a commonly used programme called Bash. The Bash programme is installed on many computers and web servers running the Mac operating system or Linux, as both systems originate from an old operating system named UNIX. Users of computers and other devices operating on Microsoft systems are spared the fear of the latest security scare because Microsoft programmes do not use Bash, an acronym for Bourne-Again Shell. Many computer programmes rely on Bash to invoke other computer programmes. For example, when surfing the Internet, the browser is communicating with a web server that in turn likely uses Bash in order to find and generate content from its local file structures.

Bash has also proved popular among programmers. The text-based programme offers different commands in order to find and change files on local or remote hard drives, and allows IT professionals to administer computers and servers from distant locations. A computer is at risk when Bash executes the commands that follow a malicious string. Hackers can exploit the flaw in different ways, such as obtaining private documents and running spyware on other computers. Security professionals are worried that hackers will exploit Shellshock and create worms that can easily penetrate firewalls. — Reuters

By now you may have heard about a new bug found in the Bash shell. And unless you’re a programmer or security expert, you’re probably wondering if you should really worry. The short answer is: don’t panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices. This bug, baptized “Shellshock” by security researchers, affects the Unix command shell “Bash,” which happens to be one of the most common applications on Unix-like systems. That includes any machine running Mac OS X or Linux. The “shell” or “command prompt” is a piece of software that allows a computer to interact with the outside (you) by interpreting text.

This vulnerability affects the shell known as Bash (Bourne Again SHell), which is installed not only on computers, but also on many devices (smart locks, cameras, storage and multimedia appliances, etc.) that use a subset of Linux. If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be a biggie and as I did with Heartbleed, I wanted to put together something definitive both for me to get to grips with the situation and for others to dissect the hype from the true underlying risk. To set the scene, let me share some content from Robert Graham’s blog post; he has been doing some excellent analysis on this. Imagine an HTTP request like this:

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74

Which, when issued against a range of vulnerable IP addresses, results in this:

[Image: shellshock-responses – scan output listing the hosts that responded to the probe]

What is Bash and why do we need it?

Skip this if it’s old news, but context is important for those unfamiliar with Bash so let’s establish a baseline understanding. Bash is a *nix shell or in other words, an interpreter that allows you to orchestrate commands on Unix and Linux systems, typically by connecting over SSH or Telnet. It can also operate as a parser for CGI scripts on a web server such as we’d typically see running on Apache. It’s been around since the late 80s where it evolved from earlier shell implementations (the name is derived from the Bourne shell) and is enormously popular. There are other shells out there for Unix variants, the thing about Bash though is that it’s the default shell for Linux and Mac OS X which are obviously extremely prevalent operating systems. That’s a major factor in why this risk is so significant – the ubiquity of Bash – and it’s being described as “one of the most installed utilities on any Linux system”.


When half the net is running Apache (which is typically found on Linux), that’s a significant size of a very, very large pie. That same Netcraft article is reporting that we’ve just passed the one billion websites mark too and whilst a heap of those are sharing the same hosts, that’s still a whole lot of Bash installations. Oh – that’s just web servers too, don’t forget there are a heap of other servers running Linux and we’ll come back to other devices with Bash a bit later too. Bash can be used for a whole range of typical administrative functions, everything from configuring websites through to controlling embedded software on a device like a webcam. Naturally this is not functionality that’s intended to be open to the world and in theory, we’re talking about authenticated users executing commands they’ve been authorised to run. In theory.
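The scan above relies on a web server passing request headers (Cookie, Host, Referer, User-Agent) through to a Bash-parsed CGI script. On the defending side, the same header pattern is what to look for in access logs. The following is an added example, not code from the original post or from Robert Graham’s scanner: it parses Apache combined-format log lines (sample lines are constructed here; the Referer and User-Agent fields are logged, Cookie and Host are not by default, which is a blind spot) and reports every request whose header value starts with a Bash function definition.

```python
import re
from collections import Counter

# A Shellshock probe is a header value beginning with a Bash function
# definition, "() { ... }", followed by a command after the closing brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Apache "combined" log format; the last two quoted fields are Referer and
# User-Agent, the two probe-carrying headers that a default config records.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two probes from one source, one normal request.
# The IP addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; ping -c 3 203.0.113.9" "shellshock-scan"
192.0.2.44 - - [25/Sep/2014:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :; }; ping -c 3 203.0.113.9"
"""


def find_shellshock_probes(lines):
    """Return (source_ip, header_name, header_value) for each probe found."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        for header in ("referer", "ua"):
            value = m.group(header)
            if SHELLSHOCK_RE.search(value):
                hits.append((m.group("ip"), header, value))
    return hits


def summarize(hits):
    """Count probes per source IP, the usual first triage question."""
    return dict(Counter(ip for ip, _, _ in hits))


if __name__ == "__main__":
    probes = find_shellshock_probes(SAMPLE_LOG.splitlines())
    for ip, header, value in probes:
        print(f"{ip}\t{header}\t{value}")
    print(summarize(probes))
```

A hit only shows that a probe arrived, not that the CGI script executed it; pair the log check with the patch status of Bash on that host.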

Apple says that most Mac users are safe from a newly discovered security flaw, one that could — in principle — allow hackers to take over an operating system. Known as the “Shellshock” or “Bash” bug, the latest vulnerability for the world’s computers involves the execution of malicious code within a bash shell, which is a command-line shell used in many Linux and Unix operating systems, and by Apple’s Mac OS X operating system. Apple however says that most people using its software have nothing to worry about. “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” an emailed statement from Apple to CNET said.


“Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems,” it continues. “With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.” The Bash glitch is reminiscent of the Heartbleed security flaw that left information stored on data servers potentially vulnerable to hackers. Heartbleed was first identified in April, and an estimated 300,000 servers were still exposed two months later. For now, it seems there’s nothing ordinary computer users can do to protect against the new security flaw, with the responsibility for patching the potential exploit resting with those that manage Web systems. “Anybody with systems using bash needs to deploy the patch immediately,” Tod Beardsley, an engineering manager at security firm Rapid7, told CNET yesterday.

HOW CAN THIS PROBLEM BE SOLVED?

It’s super simple to solve this problem. Many software developers have already issued patches and more are being released by the hour. Two of the most popular Linux distributions, Red Hat and Ubuntu, already have patches available, and we suspect Apple will soon release its fix. Updating a system takes almost no time. It’s a simple process and it’s a common task for most users. The problem is with systems that are not often updated. For example: It’s not very common to update the software on your router, and even less common to update something like a door lock, a light switch or a security camera.

The internet of things complicates the situation because there are many more devices that should be updated, and for some, the manufacturers may not even issue patches. However, most of the devices are configured to function in a secure manner, behind a firewall. Regardless, if you suspect your “things” use a version of Linux (and there’s a really good chance they do), we recommend you check for updates and even inquire about them from the manufacturer. The bottom line is: this is a serious bug, but patches are available and should be installed promptly. But, there’s no doubt we’ll be hearing plenty more about Shellshock and the problems it can cause in the coming days and weeks — especially since it’s gone unnoticed for around 25 years. There are a lot of holes out there to patch.

Update: In a statement to iMore, an Apple representative said “the vast majority of OS X users are not at risk…With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.” According to Apple, there is a patch coming soon for those users who could be exposed.
