Just after we worked our way through the Heartbleed vulnerability, a new software vulnerability has been found that might affect any version of the Linux and Unix operating systems, as well as Apple Mac OS X, within your business. The vulnerability is referred to as the “Bash Bug” or “ShellShock,” and it might allow a remote attacker to gain control over a targeted Unix/Linux computer.
The vulnerability affects a piece of software called Bash, the command shell that appears in almost all versions of Linux and Unix. Bash is a command shell interpreter; in other words, it lets the user type text-based commands into a window, and Unix then runs the command.
Bash can also be used to run commands passed to it by another application, and it is this Application-to-Bash feature that the vulnerability affects. Environment variables can be sent to Bash using this Application-to-Bash feature. The problem is that setting environment variables on a server is a powerful way for an attacker to deploy malicious code onto the target Unix server and essentially take over and hijack the server remotely.
The government's NIST regards this vulnerability as critical, since Bash is widely deployed in Linux and Unix operating systems running on Internet-connected servers, such as Apache Web servers. A successful Bash exploitation gives the attacker remote code execution. This could not only allow an attacker to steal data from the compromised Unix server, but also let the attacker gain control over the server and use it to launch attacks on the devices sharing the same LAN as the infected Unix server.
Has it been exploited yet?
There are limited reports of the vulnerability being used by attackers in the wild. The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious in nature. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network.
Computers running Mac OS X are also potentially vulnerable until you deploy Apple's patch for the vulnerability. Again, attackers would need to find a way to pass environment variables to Bash on the targeted Mac. The most likely avenue of attack against OS X would probably be through Secure Shell (SSH), a secure communications protocol. Internet of Things (IoT) and embedded devices such as routers may also be vulnerable if they’re running Bash.
How would this bug affect your business?
Most IT departments are unlikely to see any immediate impact relating to this bug. This stems from the fact that an overwhelming majority of these impacted servers are not connected to the Internet. In order for an attacker to exploit this bug, they would have to have external access to these affected systems, either through SSH, web or publicly-accessible service endpoints.
What is ANP doing about this?
At ANP we have ensured that our internal infrastructure (much like that of many of our customers) is not exposed in a way that would cause concern. We are continuing to monitor our vendors’ updates and patch releases, and as we receive and digest this information, we will (as necessary) work with each customer to address their impacted systems.
Any Linux/UNIX-based device that publishes Internet-facing web pages and/or services may be vulnerable to the ShellShock bug. This assumes that these websites and/or services either call system functions directly through commands issued by the website application (widely considered to be a no-no from a security perspective) or are vulnerable to a remote command execution vulnerability.
Therefore, a successful ShellShock exploitation of this bug requires three things:
- A Linux/UNIX-based device that…
- Must be Internet-accessible via a public-facing website
- And the Unix server will execute remote commands
Here is a breakdown of popular IT manufacturers:
Apple has released a security advisory for OS X, so apply their patch through their standard update process. ANP believes that implementing the OS X patch is the best approach to lower your potential exposure to attack.
Cisco has released a security advisory that details the impacted products. ANP is continuing to monitor this security advisory as Cisco continues testing and validating fixes for each impacted item. You can expect updates from ANP as we identify impacted products and customers. As with the Apple products above, unless your device is publishing web pages or services to the Internet (i.e. is publicly accessible), the risk of an attack is limited. These devices will, however, show up on a security audit if the audit scans the internal network, and as such should be patched prior to the audit.
All of ANP’s Linux/Unix servers have been patched to protect against this bug. If you have an internal Web Development team that manages your own company-owned Linux/Unix servers, we highly recommend following your operating system vendor's advice on patching.
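A local check that an administrator can run on each server to confirm the patch took effect, added here as an example and not ANP's or any vendor's own tooling. The marker string, the function names and the list of candidate paths are assumptions; it tests only the environment-variable behaviour described above and does not replace applying the vendor's update.

```shell
#!/bin/sh
# Local patch check for the Bash environment-variable bug (ShellShock).
# Added example: MARKER, the function names and the path list are assumptions.

MARKER="SHELLSHOCK_CHECK_MARKER"

# Classify the probe output: a patched Bash prints nothing, while a
# vulnerable one runs the trailing command and prints the marker.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# Probe one Bash binary (default: the first bash found in PATH).
# Prints "vulnerable", "patched" or "not-found".
check_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "not-found"
        return 0
    fi
    # The variable holds a function definition followed by an extra command.
    # Bash must never run that extra command when it starts up.
    out=$(env probe="() { :; }; echo $MARKER" "$bash_bin" -c ':' 2>/dev/null)
    classify_probe_output "$out"
}

# Report on every Bash binary in the usual install locations, since a
# patched package and an old hand-built copy can coexist on one host.
check_all_bash() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$candidate" ] || continue
        printf '%s: %s\n' "$candidate" "$(check_bash "$candidate")"
    done
}

check_all_bash
```

Any binary reported as vulnerable should be updated through the operating system vendor's package channel and then checked again.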
Free ShellShock Assessment from ANP
ANP would be happy to perform a free ShellShock assessment scan of your IT environment to look for the ShellShock vulnerability in your Unix/Linux servers and IT equipment. We will look at your IT systems and let you know if you have anything at risk. Call our office and ask for the free ShellShock assessment at (800) 572-3282. Or click on the Free Assessment button below.