Much like the Heartbleed OpenSSL flaw before it, the newly uncovered 'Shellshock' vulnerability found in the Bourne-again shell (Bash) has forced numerous companies to quickly issue alerts and patches amid a growing number of active Shellshock exploits. However, unlike Heartbleed, experts say the Bash vulnerability is dangerous precisely because no one knows how many systems may be affected.
The bug, CVE-2014-6271, is reportedly already being exploited by attackers in the wild. A security researcher on Twitter posted a link to a GitHub account hosting exploit code for the Bash flaw, and the Australia Computer Emergency Response Team (AusCERT) said it has received reports that attackers are actively exploiting the vulnerability.
The problem is a result of the Bash shell's willingness to handle specially crafted environment variables, according to a blog post by Raleigh, N.C.-based Red Hat Inc. security engineer Huzaifa Sidhpurwala. Essentially, Bash allows limited functions to be inserted into commands by placing code at the end of a function.
Attackers could easily take advantage of that flaw by adding code of their own to a function and gaining complete control of a victim's system – a fact that lead to the National Vulnerability Database to score the bug as a 10.0 according to the common vulnerability scoring system (CVSS).
More so than the severity of the bug itself, experts told SearchSecurity that what makes the Bash vulnerability so unique is just how widespread the problem could be compared even to Heartbleed, which affected millions of systems running vulnerable versions of OpenSSL around the Internet.
Bash flaw reaches far beyond Unix systems
Bash is a Unix-based shell that can be found as a default inclusion in the Linux operating system, as well as Apple's Mac OS X, but the problem isn't only limited to those operating systems. For example, a blog post from Errata Security CEO Robert Graham encouraged companies to scan for old versions of Apache, video cameras and various Internet of Things devices that may be running a vulnerable version of Bash, which includes virtually all versions of Bash, dating back more than two decades.
Troy Hunt, a noted security researcher and a software architect for a large pharmaceutical company, noted on his blog that even though Bash may not be found in the Windows operating system, there will still be non-Microsoft components in an enterprise setting that may be vulnerable to an attack against the Bash flaw.
"Shellshock has the potential to impact assets beyond just at-risk Bash implementations when it exists in a broader ecosystem of other machines," said Hunt.
Not all affected systems are equally vulnerable
Wolfgang Kandek, chief technology officer for Redwood City, Calif.-based vulnerability management vendor Qualys Inc., said that considering how old Bash is as a technology and the number of years it has been vulnerable, it would not be surprising to learn that up to twice as many machines may be vulnerable to this bug when compared to Heartbleed.
Still, the widespread nature of the Bash bug does not mean that all affected systems can be successfully exploited. For instance, the flaw is only of interest to attackers when being exploited remotely, according to Kandek, because there are no benefits if they have already infiltrated a machine.
Kandek said the most obvious exploit option for an attacker would be to target a Web server that allows CGI code execution, an outdated functionality that most sites do not allow. And even if successfully exploited, an attacker would still need a second exploit to gain root access to a machine, meaning they would likely need a zero-day exploit to successfully infiltrate a fully patched system.
For a system susceptible to known exploits though, Kandek warned that an attacker could basically gain control of a system, up to and including running his or her own programs, perusing the system's memory for sensitive information and more.
"It is actually more severe than Heartbleed in that sense," said Kandek, who confirmed that the Bash flaw does indeed have "wormable" characteristics -- meaning vulnerable machines may be susceptible to self-propagating executables that spread from one to another unassisted, like Code Red and Nimda once did -- though an automated scanner may not be able to easily locate vulnerable systems and programs.
Kasper Lindgaard, director of research and security for Danish vendor Secunia, agreed that as of now, the CGI module in a Web server is the most likely attack vector for a malicious actor attempting to target the Bash flaw. In describing how easily a malicious payload could be delivered to a vulnerable system, Lindgaard pointed to research by Errata Security's Graham, which involved scanning the Internet and delivering "ping home" commands to CGI variables.
Graham found about 3,000 vulnerable systems just on port 80, but noted that his scans didn't look at "where the bug lives." The results showed that not only is the vulnerability widespread, Lindgaard said, but also that there will be many areas left exposed by the bug that security professionals may not realize exist – a worrying prospect when a successful attacker could gain a "complete system compromise."
"There are a bunch of different attack vectors, and only a handful are known so far," said Lindgaard. "It might not affect as many users as Heartbleed, but it is more severe."
Enterprise remediation: What options exist?
The huge amount of publicity generated by the Bash shell vulnerability has resulted in many of the affected vendors, including Linux variants CentOS, Debian, Ubuntu and Red Hat, to release patches. But the issue isn't easy to fix, as evidenced by Red Hat's warning that its original patch was "incomplete" and another fix will be issued.
Lindgaard said that Red Hat and other companies were likely caught off guard by the problem, and as such, it's unsurprising that they may not have accounted for all attack vectors. Companies could wait until patches are released for all affected systems, but considering the severity of the bug, Lindgaard advised them to perform complete risk assessments to determine where exactly the vulnerability exists.
With a picture of the IT environment in hand, both Lindgaard and Kandek said that companies may simply be able to swap out Bash with another shell -- there are three alternatives built into Linux alone -- depending on the compatibility and functionality required.
"Changing a shell is not a painful thing to do if you are an experienced administrator," said Lindgaard.
Daniel Ingevaldson, chief technology officer for Sunrise, Fla.-based fraud prevention vendor Easy Solutions Inc., agreed that patching as soon as possible would be the ideal course of action for enterprises, but that businesses shouldn't wait to take action, especially in cases where a vendor may never issue a patch.
Instead, he advised enterprise IT teams to actively monitor logs, because an exploit for this bug, which would be delivered in the form of a URL or HTTP header, would be "noisily and easily logged." In comparison, a more complex memory-corruption attack, or even a Heartbleed exploit, may leave little or no evidence.
The easy detection of an exploit attempt, Ingevaldson said, "might be the only silver lining for this vulnerability."
Worried about the Bash vulnerability? Heartbleed patching efforts showed that many sites remained vulnerable months after a patch was available. According to threat expert Nick Lewis, the OpenSSL flaw taught the security community important lessons about incident response.