Why the Shellshock Vulnerability Is A Perfect 10

From the experts | Posted on September 29, 2014 by Matthew Thiffault

There is another big buzz in the media: another dangerous vulnerability has been identified and rated a 10 for impact and a 10 for exploitability. This is the threat we now know as the Shellshock vulnerability.

The major concern is that, if an attacker has the skill to craft a packet to take advantage of the vulnerability, they can inject code that compromises a target machine.

That seems simple enough, and from a conceptual perspective it is. So why is it rated so high? And how does it compare to the Heartbleed bug we recently heard so much about?

The Shellshock Vulnerability is a Bash Bug

The Shellshock vulnerability affects the Bash shell (the Bourne-again shell), one of the most widely installed utilities on Linux and Mac OS systems. It runs quietly in the background to provide remote access, run scripts and perform other system-level routines. When Bash processes a function definition and the “hacker” has injected code right after that definition, the injected code also executes, often with all-powerful admin/root privileges.

The other frightening part is that, since Bash usually already runs with these admin/super-user privileges, the hacker doesn’t need any credentials and can operate remotely.

Similar to the Heartbleed vulnerability, this is a serious risk because a lot of the Internet’s infrastructure is built on Linux. So to me that says 10! 10! 10!

To check the list of vulnerable versions and details about the vulnerability, please see the National Vulnerability Database, or this solid post from Red Hat.

Things to check and patch

The simple test is this. Run the following two commands in your Linux shell:

env X='() { :;} ; echo ShellshockedVuln' /bin/sh -c "echo completed"
env X='() { :;} ; echo ShellshockedVuln' $(which bash) -c "echo completed"

The first line tests /bin/sh (which is Bash on only some systems); the second tests whichever bash is first on your PATH. If you see ShellshockedVuln in the output of either, you are at risk and should patch.
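The same environment-variable test, wrapped in a function that reports a status string so a script can check it instead of a person eyeballing the output. This is an added example, not code from the original post; it assumes only a POSIX sh, and the shell under test is given by name or full path.

```shell
#!/bin/sh
# Added example, not from the original post: the post's environment-variable
# test wrapped in a function that reports a status string for a given shell
# binary, so the result can be checked by a script rather than by eye.
# Assumes only a POSIX sh; the shell under test is given by name or full path.

# Prints VULNERABLE, NOT_VULNERABLE or MISSING for the shell named in $1.
shellshock_status() {
    shell="$1"
    case "$shell" in
        */*) [ -x "$shell" ] || { echo MISSING; return 0; } ;;
        *)   shell=$(command -v "$shell" 2>/dev/null) || { echo MISSING; return 0; } ;;
    esac
    # X holds a function definition followed by an extra command. A vulnerable
    # bash runs that trailing command while importing the function from the
    # environment; a fixed bash (or a shell that is not bash) prints only
    # "completed". "|| true" keeps a non-zero exit from aborting under set -e.
    out=$(env X='() { :;} ; echo ShellshockedVuln' "$shell" -c 'echo completed' 2>/dev/null) || true
    case "$out" in
        *ShellshockedVuln*) echo VULNERABLE ;;
        *)                  echo NOT_VULNERABLE ;;
    esac
}

# Check the two shells the post's one-liner targets: /bin/sh (which is bash
# only on some systems) and the first bash on PATH.
for s in /bin/sh bash; do
    printf '%s: %s\n' "$s" "$(shellshock_status "$s")"
done
```

NOT_VULNERABLE for /bin/sh only means that particular binary did not run the trailing command; on systems where /bin/sh is dash, the bash check on the second line is the one that matters.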

Also make sure you have updated any IPS signatures so that you can quickly respond to urgent security incidents; check the Fortinet blog post for more information on IPS and the Shellshock vulnerability.

Ensure you have appropriate IPS signatures deployed to monitor and mitigate any potential attacks on your infrastructure. Fortinet issued an update to our customers with IPS signatures to detect and prevent Shellshock attacks. This signature is available for download via FDN. In situations such as this, our threat research teams are able to respond to urgent or immediate security incidents promptly to protect our customers (and our customers’ customers) from exploitation.

For your convenience, I just received an update from Rapid 7 alerting us and their customers with this information about their content update:

New coverage is available for CVE-2014-6271 (Shellshock), a vulnerability in bash that allows remote execution of arbitrary code. Authenticated package-based vulnerability checks have been added for the following platforms: Amazon Linux, Canonical Ubuntu, CentOS Linux, Debian Linux, FreeBSD, Oracle Linux, Red Hat Linux. An unauthenticated check for vulnerable CGI pages has been added.
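The IPS signatures and CGI checks mentioned above all key on the same thing: a bash function definition arriving in an HTTP header. As an added example (not from the post, Fortinet or Rapid7), here is a minimal log-side version of that check over a combined-format web access log, using three constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the post, Fortinet or Rapid7: a log-side check for
# the request pattern that Shellshock IPS signatures and CGI scanners look for,
# a bash function definition ("() {") carried in an HTTP header. Assumes a
# combined-format web access log on stdin; the three sample lines below are
# constructed, using the non-routable 203.0.113.0/24 and 198.51.100.0/24 ranges.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [29/Sep/2014:10:15:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo ShellshockedVuln"
198.51.100.7 - - [29/Sep/2014:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Sep/2014:10:15:03 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 512 "-" "curl/7.37.0"
EOF
)

# Prints every stdin line containing a function-definition prefix: "()",
# optional whitespace, "{". Matching the prefix rather than any particular
# payload catches probes regardless of the command that follows it.
# Exits 0 even with no hits so it is safe under set -e.
scan_shellshock_log() {
    grep -E '\(\)[[:space:]]*[{]' || :
}

# Prints the number of hits on stdin (0 when the log is clean).
count_shellshock_hits() {
    scan_shellshock_log | wc -l | tr -d ' '
}

# Run over the constructed sample; for a real log use
#   scan_shellshock_log < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | scan_shellshock_log
```

A log check only sees the header fields the server records (here the User-Agent), so it supplements rather than replaces network-side IPS coverage; URL-encoded variants would need decoding before matching.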

The last thing to note is that most of the major Unix and Linux distributions have already released patches, so check your support channels for updates as well.

Our security team is standing by to help you with penetration testing (which ferrets out a wide variety of gaps, threats and vulnerabilities, not just Shellshock). If you’d like help, please contact me directly, or leave a comment below!
