Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Updated The UK's privacy watchdog is urging organisations to protect their systems against the infamous Shellshock vulnerability in Bash – even though the full scope of the security bug remains unclear.
The Shellshock flaw affects Bash up to and including version 4.3. It's a vital component of many Linux and Unix systems, as well as networking kit and embedded devices. It's also present in the latest versions of Apple's OS X for Macs.
The flaw allows hackers to execute arbitrary code smuggled into environment variables. Anything that invokes the flawed open-source shell and passes in the booby-trapped variables – which is surprisingly easy to do – is vulnerable to being hijacked.
Patches for the main bug – designated CVE-2014-6271 – are available for most Linux distributions. However, there are reports that the patch is NOT a complete fix and so a further vulnerability, CVE-2014-7169, is being tracked. Fixes against this second vulnerability have not yet been widely distributed*.
An advisory from the UK National Computer Emergency Response Team (CERT-UK) provides a snapshot of the current state of play.
The main flaw is already being exploited in the wild against web servers, which are the most obvious targets but not, by any means, the only machines at risk. Proof-of-concept code has been published which demonstrates that some DHCP clients are vulnerable, if not under attack as yet.
The OpenSSH server is also a vector for attack if you use restricted shells, the SANS Institute's Internet Storm Center warns. The majority of OS X users are not in immediate danger despite the operating system bundling a vulnerable version of Bash – Apple's DHCP client is not affected, for example – although a patch from Cupertino is planned.
Meanwhile, security researchers are also discussing the possibility that hackers may be able to acquire mail spools from vulnerable systems using mails that exploit Shellshock.
CGI scripts (cgi-bin) that use Bash on web servers, along with their child processes, are the primary focus of attackers, at least for now. "The cgi-bin exploit is used very aggressively and we already have seen multiple attacks against our own web servers," the ISC's Johannes Ullrich reports.
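To make the mechanism in the two passages above concrete from the defender's side, here is an added example (not from the article, CERT-UK or the ISC): a host self-check for CVE-2014-6271 that exports a crafted environment variable and sees whether Bash runs the trailing command, plus a count of cgi-bin requests carrying the "() {" function prefix in a constructed Apache log sample. The function names and the log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the article's own code. POSIX sh; runs stand-alone.

# 1. Does the bash on THIS host import trailing commands from an
#    environment variable that looks like a function definition?
#    Prints "vulnerable", "patched" or "no-bash".
#    Note: a clean result here does NOT prove the follow-up CVE-2014-7169
#    is fixed; check your vendor's package for that second patch.
shellshock_status() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return; }
  # An unpatched bash executes "echo VULNERABLE" while parsing $x at startup.
  out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *VULNERABLE*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
}

# 2. Count log lines whose request headers (User-Agent, Referer, ...)
#    start a value with "() {": CGI exports those headers as environment
#    variables, so this prefix in a web log is the probe signature.
#    Reads the log on stdin; "|| true" keeps a zero count from being an error.
shellshock_log_count() {
  grep -Ec '\(\)[[:space:]]*\{' || true
}

# Constructed sample (combined log format): two probes, one benign request.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:01:12 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.3 - - [25/Sep/2014:10:01:15 +0100] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:02:40 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "() { :; }; echo probe" "curl/7.37.0"'

printf 'local bash: %s\n' "$(shellshock_status)"
printf 'suspicious cgi-bin requests in sample log: %s\n' \
  "$(printf '%s\n' "$SAMPLE_LOG" | shellshock_log_count)"
```

Point a real access log at the second function with `shellshock_log_count < /var/log/apache2/access.log` (path assumed) to see whether your own servers are being probed the way the ISC describes.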
Comparisons are being drawn between Shellshock and the earlier Heartbleed vulnerability in OpenSSL libraries. Heartbleed could be abused to siphon off users' passwords and other sensitive information from vulnerable systems, but did not create a means to hijack affected systems.
Shellshock, in contrast, does allow hijacking through remote code execution. Once hackers have taken over a system, through whatever means, they can not only lift any sensitive information it contains; they can do much, much more.
Heartbleed has been linked to data breaches at Community Health Systems, a US hospital group that manages more than 200 hospitals, Canada's tax agency, UK parenting website Mumsnet and the developers of Call of Duty: Black Ops II. As many as 4.5 million patient records were exposed in an attack against Community Health Systems – which, in truth, is the only one of the quartet worth worrying about.
No breaches so far have been linked to Shellshock. It might stay that way or multiple victims may emerge over time. Predicting how the chips will fall would be pure guesswork at this point.
The Information Commissioner’s Office advises users to apply any available updates to defend against Shellshock as soon as practically possible. Lack of clarity is no excuse for lack of action – especially when sensitive data might be exposed as a result of the flaw, the data watchdog says.
An ICO spokesperson said: “This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure.
“The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action.” ®
Updated to add
* A patch for the second half of the Shellshock bug (CVE-2014-7169) is now available from the GNU project for Bash version 4.3 and earlier. It appeared online on Friday afternoon, Pacific Time. Linux distros and other operating system vendors are expected to incorporate the update into their Bash packages for users to install shortly.