BASH Shellshock bug


Right now, security professionals are scrambling to fix a security flaw that has come to be known as Shellshock. Also known as Bashdoor, it is a security bug in the widely used Unix Bash shell, disclosed on 24 September 2014. Bash, short for Bourne-Again Shell, is the default shell in Ubuntu. It is free software that is now built into more than 70 per cent of the machines that connect to the Internet, including routers, servers, computers, some mobile phones and even everyday items like refrigerators and cameras.

Introduction:

Why do we need it, and what is Bash?

Bash is an interpreter that lets you run commands on UNIX and Linux systems, typically by connecting over Telnet or SSH. Bash can also act as a parser for CGI scripts on a web server. It has been around since the late 80s, when it evolved from earlier shell implementations, and it is widely adopted. There are other shells for UNIX variants; what sets Bash apart is that it is the default shell for Mac OS X and Linux, which are well-established operating systems.

What is the bug that is discovered?

Most significantly, no validation is required when exploiting Bash via CGI scripts.

The risk centres on the ability to arbitrarily define environment variables within a Bash shell that specify a function definition. The problem arises when Bash continues to process shell commands after the function definition, resulting in what we would classify as a “code injection attack”.
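On a CGI web server, request headers are handed to the script as environment variables, so a defender can look for the function-definition prefix `() {` in the client-supplied fields of the access log. The script below is an added example, not part of the original article; it assumes the Apache/nginx "combined" log format, and the log lines, addresses and `PLACEHOLDER` text are constructed.

```sh
#!/bin/sh
# Added example (not from the original article): flag access-log entries
# whose client-supplied fields contain "() {", the function-definition
# prefix that the Shellshock bug depends on.
# Assumption: Apache/nginx "combined" log format on stdin.

shellshock_hits() {
    awk -F'"' '
    {
        marker = "() {"
        if (index($0, marker) == 0) next      # fast path: clean line
        split($1, head, " "); ip = head[1]    # client address
        split($2, req, " ");  path = req[2]   # requested URL path
        # Splitting on double quotes: $2 = request line,
        # $4 = Referer header, $6 = User-Agent header.
        if      (index($2, marker)) field = "request"
        else if (index($4, marker)) field = "referer"
        else if (index($6, marker)) field = "user-agent"
        else field = "other"   # e.g. an escaped quote shifted the fields
        print ip, field, path
    }'
}

# Constructed sample log (documentation-range addresses; PLACEHOLDER stands
# in for whatever command text followed the function definition).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 90 "-" "() { :; }; PLACEHOLDER"
203.0.113.4 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { x; }; PLACEHOLDER" "curl/7.30"
203.0.113.9 - - [25/Sep/2014:10:00:12 +0000] "GET /cgi-bin/env HTTP/1.1" 200 40 "-" "agent\" () { :; }; PLACEHOLDER"
EOF
}

# Print one line per suspicious entry: client address, matching field, path.
sample_log | shellshock_hits
```

Each hit shows which CGI path was probed and from where, which helps decide which hosts to patch and review first.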

Who is vulnerable?

Macintosh computers and many web servers that run operating systems such as Linux.
Computers will be vulnerable if they invoke Bash in an unsafe way. This is true of numerous web servers, and it is believed that other network services could also be susceptible. However, it will take a while for security experts to audit various pieces of software to check for vulnerabilities.

Many IoT (Internet of Things) devices run embedded Linux that ships with Bash. These devices have already been shown to have serious security vulnerabilities. Bash shells are also present in many common devices, e.g., our home routers.

What should be done for protection?

As an end user, the first and foremost thing is to watch for the latest software updates that your platform vendor rolls out and to install them as soon as they are available. The bigger worry is devices with no easy patching path, for example, routers.

In short, the advice to consumers is this: always be alert for the latest security updates, particularly on OS X. Also watch for any information from your ISP or from other providers of devices you own that run embedded software. Be very cautious of emails instructing you to run software or requesting information. Avoid logging into untrusted Wi-Fi networks, as malicious Wi-Fi routers could use the bug to hack into users’ laptops and mobile devices.

Most of the heavy lifting needs to be done by security professionals, not the end user, because for the most part servers are more vulnerable than users’ computers.

How can attackers take advantage of this vulnerability?

The bug can be used to hack into vulnerable servers. Once inside the server, attackers could steal user data, deface websites and engage in other harmful activity.

There is a fair chance that hackers will use the weakness to create a worm that automatically spreads from vulnerable machine to vulnerable machine. The result would be a botnet, a network of countless compromised machines that function under the control of a single hacker. These botnets, often produced in the wake of significant vulnerabilities, can be used to steal confidential data, send spam or take part in denial-of-service attacks on websites.

As this is being written, security professionals are racing to update their server software before the hackers have time to attack it.

How much time will it take to fix the problem, and how difficult is it?

From a technical perspective, the fix is not that difficult. A part of the fix has already been made available, and a complete fix will be out as soon as possible.

The most complicated part is that, because Bash is embedded in many different devices, it will take a long time to locate and fix them all. For example, many personal Wi-Fi routers run web servers to enable users to configure them using a web browser. Several of these devices may be vulnerable to a Bash-related attack. Regrettably, these devices do not have a straightforward or automatic mechanism for upgrading their software.