The Shellshock (or Bash) bug is the latest serious bug to hit the scene. So what do you need to know about this bug? Anitian has a quick summary.
| What is Shellshock? | It is a very serious bug to Bash, a ubiquitous command shell for Unix and Linux systems. When exploited, the attacker can execute almost anything host. That is very bad. |
| Is it bad? | Yes. This is worse than Heartbleed. |
| What is affected? |
|
| Macs vulnerable? That’s unpossible! | Time to put down the iKool-aid, Apple products are not immune from attacks. They get hacked all the time. |
| Are hackers actively exploiting this? | Yes. And the malware that exploits this is also hitting the Internet today. |
| What do I need to do to stop it? |
|
| I can’t patch! My management/vendor won’t let us patch. | Then block SSH and update your IPS signatures, now. Also you either need a patching process defined, or new vendors that allow patching. It is very dangerous to not be able to patch systems. |
| IPS signatures? | Nearly every decent IPS can detect and block Shellshock at this point. This is why a good IPS is such an important part of a security program. |
| IPSes are stupid and we need SSH access | Then you are going to get hacked (you probably already are.) |
| Where do I get patches? | Vendors are releasing patches…slowly but surely. Visit your vendor’s sites. |
| Can we blame Microsoft? | No, this bug does not affect Windows systems (unless they have a Bash shell installed, which would be strange since Windows has its own shell.) |
| Can we blame the NSA | No |
| Can we blame the open source community? | No |
| Can we blame the Chinese? | No |
| Who can we blame? | Nobody. |
| Why did this happen? | Bugs are a fact of life. It is an accident in coding, not part of some massive conspiracy. |
| Do I need to read long-winded whitepapers full of source code to understand Shellshock? | If you are into that kind of thing, sure. Don’t let us stand in your way. Or you can read Troy Hunt’s excellent write up which has just enough source code looking material to make you feel really technical.However, Robert Graham’s work at Errata Security, is excellent. He has a number of good posts on their blog. |
| How do I know if I am vulnerable? | Command shell to your Linux or Unix system(s) and run this simple command:
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
If you get “busted” echoed back, you’re vulnerable. |
| Should I rush out and blow a massive wad of money on new security appliances? | No. But I am sure the vendor sales people will tell you otherwise. |
| I thought open source products were more secure? | They are not. Open source tools and systems have plenty of vulnerabilities. Again, it really comes down to how you install and manage a system that really defines its security. |
| Are we ever going to be safe? | Security is an eternal struggle. You can never give up. |
| Aren’t you terrified of this? | This is a bad bug, but there are defenses. Like most security issues, a cohesive, layers set of defenses can protect you from this bug. We are not terrified, but we are deeply concerned, especially for infrastructure components like storage and network appliances which are more difficult to patch, and handle a lot of sensitive data. |
| Why does it have the name Shellshock? | It is a bug to the system shell, hence “shellshock”. While Heartbleed had its own logo, Shellshock gets its own theme song, the 80’s tune Shellshock from New Order fits well: |
Thanks for the quick rundown on this threat Andrew.
Thanks a lot for the write-up Andrew.
We were hustling to contact customers to either apply patches or ask permission to block the shell_command_injection signature on their appliances, that I just didn’t have too much to actually dive deeper into the actual vulnerability. This cleared it up, and then some.