Introduction:
Right now, security professionals are scrambling to fix a security flaw that has come to be known as Shellshock. Also known as Bashdoor, it is a security bug in the widely used Unix Bash shell that was disclosed on 24 September 2014. Bash, short for Bourne-Again Shell, is the default shell in Ubuntu. It is a free piece of software that is now built into more than 70 percent of the machines that connect to the Internet, including routers, servers, computers, some mobile phones and even everyday items like refrigerators and cameras.
Why do we need it and what is Bash?
Bash is an interpreter that allows you to run commands on UNIX and Linux systems, typically by connecting over Telnet or SSH. Bash can also function as a parser for CGI scripts on a web server. It has been around since the late 80s, when it evolved from earlier shell implementations, and it is extremely widely used. There are other shells for UNIX variants; the thing about Bash, though, is that it is the default shell for Mac OS X and Linux, which are evidently well-established operating systems.
What is the bug that has been discovered?
Most significantly, no validation is required when exploiting Bash via CGI scripts.
The risk centers around the ability to arbitrarily define environment variables within a Bash shell that contain a function definition. The problem arises when Bash continues to process shell commands after the function definition, resulting in what we would classify as a “code injection attack”.
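The following local self-check is an added example, not part of the original article. It puts a function definition followed by one extra command into an environment variable and reports whether a given Bash binary ran that extra command. The names check_bash, audit_shells, probe and MARKER, and the list of paths, are assumptions chosen for illustration; the check covers only the parsing flaw described above.

```shell
#!/bin/sh
# Added example: local self-check for the Bash function-import flaw.
# MARKER is a constructed string. It appears in the output only if the
# shell executed the text that follows the function definition.
MARKER="trailing-command-ran"

# check_bash PATH -> prints "missing", "vulnerable" or "not-affected"
check_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "missing"; return 0; }
    # The value of "probe" is a function definition followed by an extra
    # command. A fixed Bash does not run it; an unfixed Bash runs it while
    # importing the environment, before "-c :" is evaluated.
    out=$(env "probe=() { :; }; echo $MARKER" "$shell_path" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-affected" ;;
    esac
}

# audit_shells: check each Bash binary found in a few common locations
# (assumed paths; extend the list for your own systems).
audit_shells() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash \
                     "$(command -v bash 2>/dev/null)"; do
        [ -n "$candidate" ] || continue
        status=$(check_bash "$candidate")
        [ "$status" = "missing" ] && continue
        version=$("$candidate" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$candidate" "$status" "$version"
    done | sort -u
}

audit_shells
```

A "not-affected" result means only that this probe did not trigger; vendor updates should still be installed as they are released.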
Who is vulnerable?
Macintosh computers, as well as many web servers running operating systems such as Linux.
Computers are actually vulnerable only if they invoke Bash in an unsafe way. This is true of numerous web servers, and it is believed that other types of network services could also be vulnerable. But it will take a while for security experts to audit various pieces of software to check for vulnerabilities.
Many IoT (Internet of Things) devices run embedded Linux that ships with Bash. All of these devices have already been shown to have serious security vulnerabilities. Bash shells are also present in many more general devices, e.g. our home routers.
What should be done for protection?
The first and foremost thing to do as an end user is to keep an eye out for the latest software update for your platform, and to install it as soon as it is available. The bigger worry is devices with no easy patching path, for example routers.
In short, the advice to consumers is this: always be alert for the latest security updates, particularly on OS X. Also be alert for any information you may get from your ISP or from other providers of devices you have that run embedded software. Be very cautious of emails instructing you to run software or requesting information. Avoid logging into untrusted wifi networks, as a malicious wifi router could use the bug to hack into users’ laptops and mobile devices.
Most of the heavy lifting needs to be done by security professionals, not the end user, because for the most part servers are more vulnerable than users’ own computers.
How can attackers take advantage of this vulnerability?
The bug can be used to break into vulnerable servers. Once inside a server, attackers could steal user data, deface websites and engage in other forms of harmful activity.
There is a fair chance that hackers will use the weakness to create a worm that automatically spreads from vulnerable machine to vulnerable machine. The result would be a botnet, a network of countless compromised machines that operate under the control of a single hacker. These botnets, which are often produced in the wake of major vulnerabilities, can be used to steal confidential data, to send spam, or to take part in denial-of-service attacks on websites.
As this is being written, security professionals are racing to update their server software before the hackers have time to attack it.
How much time will it take to fix the problem and how difficult is it?
From a technical perspective, the fix is not that difficult. A partial fix has already been made available, and a complete fix will be out as soon as possible.
The most complicated part is that, because Bash is embedded in a huge number of different devices, it will take extensive time to locate and fix them all. For example, many personal wifi routers run web servers so that users can configure them from a web browser. A number of these devices may be vulnerable to a Bash-related attack. And regrettably, these devices do not have a straightforward or automatic mechanism for upgrading their software.