Like an unexploded artillery shell lying dormant for decades, a highly dangerous vulnerability in widely used operating system code developed in the 1980s has put website operators and security professionals around the world on high alert this week.
Aptly named "Shellshock," it represents "one of the most significant security issues we've seen in a long time," Websense CEO John McCormack said in a video interview this week with the Financial Times. "It's essentially allowing remote cybercriminals to establish control of Web servers, ecommerce sites, and critical infrastructure, without any involvement from the users and administrators of those systems. It's a very serious situation."
This latest high-risk vulnerability has the potential to inflict more widespread and severe damage than the OpenSSL Heartbleed zero-day vulnerability discovered last April, according to Carl Leonard, a researcher with Websense Security Labs. In fact, Shellshock rates a "10", the maximum score, on the Department of Homeland Security's Cybersecurity Division (US-CERT) 10-point scale for both impact and exploitability.
SLEEPING GIANT AWAKENED
Security researchers have uncovered proof-of-concept (POC) code that specifically attempts to exploit the vulnerability. An estimated half-billion machines could be at risk. The tendency of malware authors to share POC code freely sets the stage for the threat to spread very quickly, Leonard said. The aftereffects of a successful exploit have not yet been fully documented, but Websense is monitoring the fallout and expects to observe machines being repurposed for malicious ends. Among the major potential targets of Shellshock attacks are the following:
- Unpatched public-facing web servers.
- Unpatched computers, web servers, mobile devices or laptops running Apple's Mac OS X.
- A wide range of routers and other Internet-connected devices running unpatched versions of Linux or Unix.
Google, Apple and others have reportedly already taken steps to address, or at least downplay, the potential impact on devices and servers, as well as on commercial cloud services. And on Thursday, Amazon issued an alert to its Web Services customers on steps to take to mitigate the threat. Security staff should check with their server software, online service and OS vendors frequently for the posting of additional patches for the CVE-2014-6271 vulnerability and the subsequent CVE-2014-7169.
Until more details on Shellshock and its effects are made public, Websense Security Labs recommends taking the following steps:
- Obtain patches immediately from reliable, official sources. The latest patch is available from the official GNU Bash website.
- Stay apprised of patch updates, since the first patches have been observed not to fully fix the underlying issue.
- If patches are not currently available, contact your security provider for guidance on mitigation strategies.
- Be aware that all versions of Bash up to 4.3 are vulnerable unless patched.
- Avoid remote access to Bash on affected systems.
- Complete forensic investigations on all vulnerable servers to review code and pinpoint any unusual or suspicious processes that may be running.
- Any organization that is not comfortable performing the activities listed above is advised to contact a reputable third-party security provider.
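Because the first patches were incomplete and distributions backport fixes without changing the version string, the only reliable way to confirm that a host's Bash carries the CVE-2014-6271 fix is to test its behaviour. The self-check below is an added example, not Websense's or the GNU project's code; it exports a function-definition-style variable with a harmless trailing echo and reports whether a child Bash executed it (the marker string and function names are this example's own choices). It runs as an unprivileged user and touches nothing outside the child process.

```shell
#!/bin/sh
# Added example: local patch-status check for CVE-2014-6271 (Shellshock).
# An unpatched Bash, when it imports a function definition from the
# environment, keeps parsing past the closing brace and executes whatever
# follows. A patched Bash imports only the function body and ignores the
# trailing text, so the marker is never printed.

check_bash_cve_2014_6271() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"          # nothing to audit on this host
    return 0
  fi
  # PROBE is a harmless empty function followed by an echo of a marker.
  # Only an unpatched Bash prints the marker before running the -c command.
  out=$(env PROBE='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe-ran' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
    *probe-ran*)         echo "patched" ;;
    *)                   echo "unknown" ;;   # child bash failed to start
  esac
}

# Record the version string for the audit log, but decide by the behaviour
# above: a backported fix leaves the version number unchanged.
report_bash_status() {
  status=$(check_bash_cve_2014_6271)
  ver=$(bash --version 2>/dev/null | head -n 1)
  echo "CVE-2014-6271 status: $status (${ver:-bash not found})"
}

report_bash_status
```

Run it on every host in the patch inventory after each vendor update; a result of "vulnerable" on a host that reports a patched package means the update did not actually reach the Bash binary in use.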
Check the Websense Security Labs blog frequently for updates as more information becomes available.