Hackers thrash Bash Shellshock bug: World races to cover hole

Update your gear now to avoid early attacks hitting the web

Bigger than Heartbleed? Yes, it is

Secunia warns that Shellshock is "bigger than Heartbleed" because it lets attackers execute commands and take over servers and systems. Heartbleed, by contrast, leaked users' passwords and other sensitive information, but did not let third parties directly hijack affected systems.

"Compared to Heartbleed, the vulnerability in OpenSSL from earlier this year, Bash is worse: Heartbleed 'only' enabled hackers to extract information. Bash enables hackers to execute commands to take over your servers and systems," explained Kasper Lindegaard, head of vulnerability intelligence specialist Secunia’s research team.

The National Institute of Standards and Technology (NIST) rates the flaw at the maximum CVSS score of 10 out of 10 for severity, covering both its impact and its ease of exploitation, as it is relatively simple to exploit.

Ben Johnson, chief security researcher for Bit9 + Carbon Black, added: "The tricky aspect of this vulnerability is that it isn’t as clear-cut as Heartbleed. With Heartbleed, security professionals primarily needed to see what version of OpenSSL they had and then patch it if necessary.

"With Bash, there may be DHCP servers, web servers, and other network-accessible services that use Bash for part of their functionality. Tracking down which ones are actually using Bash and which ones aren't might be beyond the ability of some system administrators and will certainly be a headache for all."

Joe Hancock, cyber security specialist with Lloyd’s of London insurance syndicate AEGIS London, commented: "The bug has existed for over 25 years in the Bash software, making it exceptionally pervasive. An exploit for the vulnerability was released within hours of the bug being announced, which directly enables the targeting of vulnerable web servers."

Simon Edwards, senior security consultant at Damballa, said web servers were most at risk, even though all manner of computing kit is potentially vulnerable. Even though smaller embedded devices tend to run BusyBox Linux, which doesn't use Bash, many bits of gear – various printers, switches and so on – are using Bash.

"The new bash vulnerabilities are certainly very serious, and have an impact on many different types of systems, from straightforward Unix servers, to routers and industrial control systems using Unix as a back end," Edwards explained.

"However, the vulnerability only works by sending the bash process (the most popular of Unix shells) malicious instructions via another application. In the case of an SSH login, this means that the attacker would need to have successfully authenticated first, and then the malicious code can be injected into the Bash shell.

"So the real issue is more in the other applications, like CGI scripts on web servers, which could be manipulated to inject the code as part of their usual process. The point is that these attacks only work in combination with other attack vectors; and as with malware infections, multiple methods are required to compromise a system."
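The first thing an administrator checking their own gear wants is a way to tell whether a given bash binary still runs extra commands smuggled in through an imported function definition. This is an added example, not code from the article or from any of the vendors it quotes; it assumes a POSIX sh, probes only the local bash (or a path you pass in), and uses a constructed marker string rather than anything an attacker would send.

```shell
#!/bin/sh
# Local self-check for the Bash function-import bug discussed above.
# It runs only against a bash binary on this machine and never touches
# the network; a patched bash treats the value as a plain variable.

# Classify the text captured from the probe. Only a vulnerable bash
# executes the trailing command and so echoes the marker.
shellshock_classify() {
    case "$1" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Probe one bash binary (default: the "bash" found on PATH) and print
# one word: vulnerable, patched or missing.
shellshock_status() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    # The environment value is a function definition followed by an extra
    # command. A vulnerable bash runs that extra command while importing the
    # variable at start-up; the -c body itself is harmless either way.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo probe-done' 2>/dev/null)
    shellshock_classify "$out"
}

# Usage: sh shellshock-check.sh [/path/to/bash]
shellshock_status "${1:-bash}"
```

Run it on each host, or against every bash binary you can locate on embedded gear, and treat any "vulnerable" result as a patch-now item; a "missing" result only says that path is not a runnable bash, not that the host is safe.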
