How to beat the Shellshock Bug – with a stick


Saturday, Oct 18

Shock Headlines!

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux,…

Ghost in the (Bourne Again) Shell: Fallout of Shellshock far from over,…

Shellshock: ‘Deadly serious’ new vulnerability found,…

Oh No, not again!

The Shellshock vulnerability potentially affects all UNIX and POSIX-compliant (and nearly-POSIX-compliant) operating systems, including OS X, Linux, Cygwin for Windows and Microsoft POSIX subsystem. So that’s pretty much the entire internet and all connected devices.

The Shellshock ‘Bug’ is an exploit of an original design feature that was built into the bash shell by developer Brian Fox in 1989 as a way to export functions. Because bash is favored by most UNIX and Linux developers, it is the de facto standard shell in almost all distributions.

SH, BASH, SSH

Before GUIs, before the Secure Shell (SSH), before BASH there was SH. In UNIX and Linux, the shell is a command-line interpreter that reads instructions from the standard input or a file and allows developers and system administrators to ‘talk’ to the operating system. Common uses for the shell are to run code compilers, manage system admin tasks and build complex scripts that perform automated tasks like installing software or software patches.

The Bourne shell, or simply ‘sh’, was developed by Stephen Bourne at Bell Labs and released in 1977. It was made popular by the publication of The UNIX Programming Environment by Brian W. Kernighan and Rob Pike, the first commercially published book that presented the shell as a programming language in tutorial form.

Later shells like the Korn shell and the ‘C’ shell added a lot of functionality, but it was the introduction of ‘bash’ – the Bourne-Again shell – that really caught the imagination of script writers and system administrators.

Tatu Ylönen, the inventor of Secure Shell (SSH) and the chief innovation officer of SSH Communications Security, said in a statement that Shellshock may have been used to give attackers long-lasting remote access to targeted systems running SSH.

“Shellshock can be used to inject a Secure Shell key, which can then remain unnoticed for years if there is no management of these keys. This emphasizes the importance of properly scanning and managing SSH keys.”
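Scanning for an injected key comes down to comparing every entry in each authorized_keys file against the keys you have approved. The following is an added example, not part of the original article; the sample file, the key blobs and the approved set are constructed, and `sample_blob` is a hypothetical helper that only exists to build that sample.

```python
import base64
import hashlib
import re

# Tokens that begin the key portion of an authorized_keys line.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+@openssh\.com)$")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, approved):
    """Return (line number, status, detail) for every entry that needs review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        # Options such as command="..." may precede the key type.
        idx = next((i for i, f in enumerate(fields) if KEY_TYPE.match(f)), None)
        try:
            if idx is None:
                raise ValueError("no key type found")
            fp = fingerprint(fields[idx + 1])
        except (IndexError, ValueError):
            # Missing or malformed blob: surface it rather than skip it.
            findings.append((lineno, "unparseable", line.strip()))
            continue
        if fp not in approved:
            findings.append((lineno, "unapproved", fp))
    return findings

def sample_blob(label):
    # Constructed stand-in for a public-key blob; not a real key.
    return base64.b64encode(label.encode()).decode()

SAMPLE = "\n".join([
    "# constructed sample, not taken from any real host",
    f"ssh-ed25519 {sample_blob('admin-key')} admin@example",
    f'command="/usr/bin/backup",no-pty ssh-rsa {sample_blob("backup-key")} backup@example',
    f"ssh-rsa {sample_blob('unknown-key')}",
    "ssh-rsa not*base64 broken-entry",
])
APPROVED = {fingerprint(sample_blob("admin-key")), fingerprint(sample_blob("backup-key"))}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(finding)
```

On a real host, feed `audit` the contents of each account's authorized_keys file and build the approved set from your key inventory; an entry with no comment, like line 4 of the sample, deserves the same scrutiny as any other unapproved key.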

Shellshock at home

For most home computer users with a broadband connection, there isn’t too much to worry about. Most Windows PCs are not affected and Mac OS X has a patch available. As long as your PC is tucked away behind a firewall (you are running a firewall, right?), there’s no way for hackers to get to your equipment.

Of course, this type of vulnerability has the hackers crawling out of the woodwork, so be on the lookout for phishing attacks and suspicious phone calls from non-existent Windows call centers.

Shellshock in the wild

The Shellshock vulnerability is more effective against devices like web servers that are listening for remote requests. Most of the big-name distros have released patched bash shells that more or less beat the bug, including Red Hat, Ubuntu, Debian, Fedora, CentOS and more. While this critical update mostly fixes the Shellshock vulnerability, it is still considered incomplete, as Red Hat explains:

“Red Hat is aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions… We are working on patches in conjunction with the upstream developers as a critical priority… Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271 and not wait for the [additional] patch.”

Don’t Panic

If you’re a home user and you have Linux running, get the latest patches for your distro and make sure your router/broadband modem has the latest firmware installed.

Tech companies should consult their security and compliance offices and follow an aggressive course of action to systematically plug vulnerable operating systems and devices.
