
Shellshock (BASH Vulnerability) may allow compromise of your data

Understand the vulnerability and how to verify whether you’re affected


A critical vulnerability has emerged in the Bourne again shell (simply known as Bash). Bash is the command interface for desktops, servers, network appliances and control systems that use some version of the Unix, Linux and MacOSX operating systems. The threat, dubbed Shellshock, can expose your systems and files to hackers and must be addressed in a timely manner.

The vulnerability allows an attacker to potentially take over the operating system, access confidential information and make changes to the file system. This bug was introduced through a programming error by developers over 25 years ago, but the vulnerability was recently discovered and made public. This issue is rated very high for severity but very low for complexity, which means that the exploit is very easy for an attacker to utilize, sometimes even remotely, and the impact can be significant.

Devices most at risk are ones that run programs that allow remote interaction with the command shell, even when the interaction is not easily identifiable. An example would be Web pages that interact with Bash by calling it within their source code. However, any device with a Unix-like operating system is at risk. The vulnerability likely exists in almost any networked system, including many embedded and appliance-type systems that run Linux versions. So the risk of an exploitation of this vulnerability is critical.

New developments

It’s been several days and by now you have likely read a lot about Shellshock. There certainly has been enough to read, from the initial write-ups predicting Armageddon to those stating claims are overblown and the impact may actually be negligible. The truth, as we always eventually find out, is somewhere in-between.

The past week has seen some surprising and widespread avenues for attacks beyond Web servers using older common gateway interface (CGI) programs and scripts. CGI was probably the first place many security-focused people’s minds went, as it is a standard way to generate dynamic content for a website and probably the oldest way to do so. However, there are many more modern frameworks for dynamic Web content, so CGI is not as heavily relied upon anymore. This was the initial basis for some to downplay the impact of this vulnerability. But as mentioned, some surprising vulnerabilities have been demonstrated, including:

  • Dynamic Host Configuration Protocol (DHCP) – Certain DHCP clients utilize basic system calls, and Shellshock can be used in conjunction with DHCP to remotely attack some devices.
  • OpenVPN – OpenVPN has been hit hard lately, with SSL implementations vulnerable to Heartbleed, and now OpenVPN can be vulnerable to Shellshock in certain configurations.
  • Email – Certain email systems use system calls for POP3, IMAP and SMTP that result in vulnerabilities.
  • OpenSSH – Under OpenSSH, certain user configurations can be exposed.
  • Other protocols – This list isn’t comprehensive; several other servers and protocols are susceptible to Shellshock.

Bash is a very popular shell and has become very entrenched in Unix and Unix-like operating systems over the years. Therefore, keeping up with the latest developments related to this vulnerability has, for many, been quite a bit like drinking from the fire hose. Couple this information with news like patched systems still being vulnerable and other doom and gloom scenarios and the situation can seem very daunting. However, the message is simple—please update your systems as soon as possible. If you have any version of Bash lower than 4.3, assume it’s vulnerable and update it immediately.

Recommendations

It is best to assume your Linux, Unix and MacOSX systems and many networking devices are vulnerable since this issue was just recently discovered. Patches recently applied might not include fixes for this issue, meaning they are still vulnerable.

Your primary task should be to quickly test all externally facing systems to determine if they are vulnerable, and then upgrade or replace the systems as soon as possible. Examples of vulnerable systems include websites and applications, VPN concentrators, firewalls, routers and switches, and many others. Be prepared to perform several rounds of patching if necessary as many vendors will issue partial fixes in waves rather than wait to construct one “catch all” solution.

What to do next

Many security experts stated early on, in various articles and blog posts, that remote exploitation of this issue might be very limited, because few modern Web servers still directly provide access to scripts and programs that use the Bash shell. Since then, multiple published proof-of-concept exploits have shown that this vulnerability can be exploited through the Dynamic Host Configuration Protocol (DHCP) and other methods. This means that any Linux, Unix or MacOSX systems that are dynamically configured at places such as public hotspots, and even on corporate networks, may be at risk. Additionally, reports have surfaced of attackers using this vulnerability to propagate malware across systems.

Some quick steps to protect your systems include:

  • Be sure to update any virus signatures from your AV vendor and IDS/IPS and WAF signatures provided by your vendor, possibly multiple times over the next few days
  • Install vendor-supplied patches on all Linux and Mac desktop and laptop devices
  • Check your systems for the presence of malware, to determine if you have been impacted by malware that has been found on other systems using this exploit. Also, check the hashes of key system files; hashes for malware being used in the wild can be found on VirusTotal.
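Vendor IDS/IPS and WAF signatures key on the exported-function prefix "() {" that the probe string starts with, and because a CGI handler receives request headers such as User-Agent and Referer as environment variables, the same string is recorded in the Web server's access log. The following triage function is an added example, not code from the article or from RSM; it assumes Apache-style combined-format logs, and the sample log it writes is constructed here using only the harmless probe string the article itself gives.

```shell
# shellshock_log_triage <access-log>
# Prints one tab-separated line per suspicious request: client IP, which
# field carried the marker, and the field's raw contents. Matching is
# deliberately broad (any whitespace between "()" and "{") so that minor
# variations of the probe are still surfaced for review.
shellshock_log_triage() {
    awk -F'"' '
        function hit(s) { return s ~ /\(\)[ \t]*\{/ }
        {
            split($1, a, " "); ip = a[1]
            if (hit($2)) print ip "\trequest\t" $2
            if (hit($4)) print ip "\treferer\t" $4
            if (hit($6)) print ip "\tuser-agent\t" $6
        }' "$1"
}

# Constructed sample log (combined format) for a dry run; the probe string is
# the same harmless one the article uses for local testing.
shellshock_sample_log() {
    f=$(mktemp) || return 1
    cat <<'EOF' > "$f"
198.51.100.7 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
203.0.113.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.37.0"
EOF
    echo "$f"
}

# Dry run: expect two hits, one in User-Agent and one in Referer.
log=$(shellshock_sample_log)
shellshock_log_triage "$log"
rm -f "$log"
```

A hit in the log only proves a probe arrived, not that the handler was vulnerable; treat each reported IP and target path as a lead for host-level review.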

To test for this vulnerability, log into your system and at the command prompt start Bash, so that you are certain the test runs under the bash shell:

 $ /bin/bash

Then type:

 $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your system is vulnerable, you will see the following output:

vulnerable
this is a test

A patched, nonvulnerable system will instead refuse the function import and show:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for 'x'
this is a test

Later patch levels changed how exported functions are encoded, so they may print only the echo line; what matters is that the word vulnerable never appears.
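The same probe, wrapped so it can run unattended across a fleet from a configuration-management or monitoring job, as an added example that is not from the article or from RSM. It assumes only that each Bash interpreter to be tested is reachable by path; the paths listed in shellshock_scan_all are common install locations, not a complete inventory.

```shell
# shellshock_check <path-to-bash>
# Exit status: 0 = function import refused (patched),
#              1 = the injected command ran (vulnerable),
#              2 = interpreter not found or not executable.
shellshock_check() {
    interp="${1:-/bin/bash}"
    [ -x "$interp" ] || return 2
    # The article's probe: an exported-function-shaped value with a command
    # after the function body. Patched bash refuses the import; unpatched
    # bash runs the trailing command while importing the variable.
    out=$(env x='() { :;}; echo vulnerable' "$interp" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Turn the status into a line a human or a log collector can read.
shellshock_report() {
    rc=0
    shellshock_check "$1" || rc=$?
    case $rc in
        0) echo "$1: patched (function import refused)" ;;
        1) echo "$1: VULNERABLE (command in env value executed)" ;;
        *) echo "$1: not found or not executable" ;;
    esac
}

# Check every bash copy a host is likely to have; a second build in
# /usr/local/bin is easy to forget when only the distro package gets patched.
shellshock_scan_all() {
    for p in /bin/bash /usr/bin/bash /usr/local/bin/bash "$(command -v bash 2>/dev/null)"; do
        [ -n "$p" ] && [ -x "$p" ] && shellshock_report "$p"
    done | sort -u
}

shellshock_scan_all
```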

Several good resources exist for testing some systems remotely for the Shellshock Bash vulnerability.

However, as we’ve seen, calls to Bash can be made in some tricky ways that you may not expect, so it may not be possible to remotely test all of your systems reliably. The sky may not be falling, but this is serious enough that it warrants immediate attention. If you need help figuring out which of your systems are vulnerable, please reach out. This isn’t something that can wait for a patch cycle next month or next quarter.

If you need assistance in testing your system’s risk potential, please contact us at asvsupport@rsmus.com or reach out to your RSM contact.
