Why the Shellshock Vulnerability Is A Perfect 10

Why the Shellshock Vulnerability Is A Perfect 10

Another big buzz in the media again. Looks like there has been another dangerous vulnerability identified and rated a 10 for impact, and a 10 for exploitability. This is the threat we now know as the Shellshock Vulnerability.

The major concern is that, if an attacker has the skill to craft a packet to take advantage of the vulnerability, they can inject code that compromises a target machine.

That seems simple enough – and from a conceptual perspective, it is. So why it is rated so high? And how does it compare to the Heartbleed bug we recently heard so much about?

The Shellshock Vulnerability is a Bash Bug

The Shellshock vulnerability exploits the Bash shell (or the Bourne again shell), one of the most installed utilities on Linux and Mac OS systems. It runs nicely in the background to provide remote access, run scripts and other system-level routines. When a typical bash function runs, and the “hacker” has injected code right after that function, that code also executes – many times with the all-powerful admin/root privileges.

The other frightening part is that since usually Bash already has these admin/super-user privileges built in, the hacker doesn’t require any credentials, and can operate remotely.

Similar to the heartbleed vulnerability this is a serious risk because a lot of the internet infrastructure is built on linux.  So to me that says 10! 10! 10!

To check a list of vulnerable versions and details about the vulnerability, please check the National Vulnerability Database, or this solid post from RedHat.

Things to check and patch

The simple test is this. Run the following code in your Linux shell:

env X=”() { :;} ; echo ShellshockedVuln” /bin/sh -c “echo completed”

env X=”() { :;} ; echo ShellshockedVuln” `which bash` -c “echo completed”

if you see the ShellshockedVuln when you run this, you are at risk and should patch.

Also make sure you have updated any IPS signatures so that you can quickly respond to any urgent security incidents – Check the Fortinet blog post for more info on IPS and the Shellshock vulnerability.

Ensure you have appropriate IPS signatures deployed to monitor and mitigate any potential attacks on your infrastructure. Fortinet issued an update to our customers with IPS signatures to detect and prevent Shellshock attacks. This signature is available for download via FDN. In situations such as this, our threat research teams are able to respond to urgent or immediate security incidents promptly to protect our customers (and our customers’ customers) from exploitation.

For your convenience, I just received an update from Rapid 7 alerting us and their customers with this information about their content update:

New coverage is available for CVE-2014-6271 (Shellshock), a vulnerability in bash that allows remote execution of arbitrary code.

Authenticated package-based vulnerability checks have been added for the following platforms:

  • Amazon Linux
  • Canonical Ubuntu
  • CentOS Linux
  • Debian Linux
  • FreeBSD
  • Oracle Linux
  • Red Hat Linux

An unauthenticated check for vulnerable CGI pages has been added.

The last step to note is that most of the major Unix or Linux distributions have released patches already so check your support for updates as well.

Our security team is standing by to help you with penetration testing (which ferrets out a wide variety of gaps threats and vulnerabilities – not just ShellShock). If you’d like help, please contact me directly, or leave a comment below!

Related Posts

Disruptive technology: Trends gaining traction Where would we be without computers, smartphones, music and video streaming? Likely, we’d still be using decade-old technologies like typewriters, landlines, CDs and DVDs. The...
Are you protected from password security breaches? There have been a lot of headlines in the news recently about password security breaches. From “Russian Hackers Amass Over a Billion Internet Passwords” to “Stolen Password...
CYOD: A New Way to Embrace Mobile Devices The proliferation of personal mobile devices is changing the way we do business — and companies are either embracing it, or sticking with the status quo. But there is anot...

About Matthew Thiffault

Matthew is a Security Solutions Architects at Softchoice. Matthew's areas of expertise include SIEM, IPS, DDOS, Attack Protection and Security Operations.