Last week, the world witnessed the discovery of the Bash “Shellshock” vulnerability. The flaw is concerning because it allows attackers to exploit a bug in Bash, the shell command line tool found on Unix-based systems, and thereby gain control of your computer. Here to comment on the Bash bug are a number of information security experts. Top companies in the industry, including STEALTHbits Technologies, Lieberman Software, and Bit9 + Carbon Black, are represented.
Ben Johnson, Chief Security Researcher, Bit9 + Carbon Black:
“The newly public BASH vulnerability is a very significant vulnerability. The tricky aspect of this bug is that it isn’t as clear-cut as Heartbleed. With Heartbleed, security professionals only needed to see what version of OpenSSL they had. They then patched their systems if necessary.
“With BASH, there may be DHCP servers, Web servers, and other network-accessible services that use BASH for part of their functionality. Tracking down which ones are actually using BASH and which ones aren’t might be beyond the ability of some system administrators and will certainly be a headache for all.
“Essentially every system should be patched immediately to prevent unauthorised access or unauthorised escalation from occurring against Linux systems. For example, if you attach your laptop to the network and request a dynamic IP address (DHCP), there could be a malicious DHCP server that is able to execute code on your machine simply because you are requesting access to the network. I strongly encourage everyone to patch their systems immediately.”
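The web servers mentioned above are one of the network-accessible services in which Bash can be reached through request data passed into a script's environment. The hallmark of Shellshock is an environment value that begins with a Bash function definition, "() {", followed by extra commands, so that prefix in logged request headers is a practical detection signal. The following is an added example, not code from the original article or any of the quoted companies; it assumes Apache combined-format access logs and uses constructed sample lines:

```python
import re

# Shellshock detection signal: a value that opens with a Bash function
# definition "() {" and then carries trailing commands. Any HTTP header
# copied into a CGI script's environment could carry it, so logged header
# fields are a good place to look. Whitespace variants are allowed for.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed Apache combined-format log lines for this example only.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:12:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo scanner-probe"
198.51.100.7 - - [25/Sep/2014:10:12:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "() {:;}; echo referer-probe" "curl/7.37.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text):
    """Return (client_ip, field_name, value) for every logged field carrying the prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # The request line, Referer and User-Agent are all client-controlled and
        # are the fields a CGI environment typically receives verbatim.
        for field in ("req", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
    return hits


if __name__ == "__main__":
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip} sent a Bash function-definition prefix in {field}: {value!r}")
```

A hit shows that a client sent the prefix, not that the server was vulnerable; the patch status of Bash on that host still has to be confirmed separately.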
Chris Stoneff, Director of Professional Services, Lieberman Software:
“I see this as a failure in the mindset of the open source community where everyone waits for everyone else to do something or find something. One of the interesting things happening with so much bashing of closed source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility the latter has gained in recent years to would-be attackers. It has shone a light on one of the biggest lies perpetrated on the public: just because we don’t use Microsoft doesn’t mean we’re invulnerable. Well, the proof is now here, and it’s time for Linux and OSX and UNIX to take some heat.
“What’s scary is this has been around for some time, and the first round of patches for Shellshock is not fixing the problems of unauthenticated scripts gaining privileged access to data and services. Given the nature of the patch and the wide variety of servers it affects – especially web servers – I expect we will see another round of highly publicized data theft and public shaming. Many home devices including cable boxes, routers, NAS devices, and of course enterprise and internet connected devices and services all make use of Linux/UNIX running a bash shell. It is not insignificant. Just as with Heartbleed, users need to stay up on their vendors, credit card agencies and more to ensure that once the problem gets fixed, they change their passwords. If they don’t, every time they do something on those previously vulnerable websites, every time businesses or agencies put their data through those servers, users’ data will be put at risk.”
Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies:
“Heartbleed was dangerous because it struck a component that is a part of many people’s systems. By contrast, Shellshock strikes at a component that anyone running on Linux or Apple servers must have on their system. Bash is something that’s built upon by your system unless you take great pains to take it out. That means every Linux and Apple server is potentially vulnerable. That includes millions of embedded devices that are not likely to get attention any time soon. It’s going to be another race to the patches for administrators.”
Kyle Kennedy, CTO, STEALTHbits Technologies:
“Users of Linux software for many years have watched consumers react to reported security exploits in other operating systems, wondering ‘if and when’ a major event might unfold for them. A number of those users woke up last week ‘shellshocked’ by the reported Bash bug security vulnerability, which is understandably also known as ‘Shellshock.’ Bash is software widely used to control the command prompt on many Linux systems. Reports claim that hackers can exploit a bug in Bash and take complete control of a targeted system. Heartbleed was big, but Heartbleed just allowed a hacker to spy on computers, not take control of them. Using this vulnerability, an attacker can potentially take over the operating system and gain full access to the host system. This means an attacker not only controls the host but they have access to everything on that host. Sensitive information, confidential information, intellectual property, customer data, financial data… the list goes on, including the ability to make changes to the host. The method of exploiting this issue is quite simple. It doesn’t require sophisticated attack methodologies. In fact, cutting and pasting a line of code can provide a hacker/cyber-criminal very good results with minimal effort. Shellshock should shock every administrator into patching any and all systems that use Bash. Let the fun begin – again!”
Russell Horton, COO, Elitetele.com:
“Companies need to take immediate action to ensure they are not vulnerable to a newly reported software bug. The ‘Shellshock’ bug is a flaw affecting systems using a software component known as ‘Bash’. The term ‘Bash’ may be unfamiliar to many business owners; however, researchers have estimated up to 500 million systems are affected. These stark figures suggest the bug is far more wide-reaching than the infamous Heartbleed vulnerability. Rated 10/10 for severity, the bug may enable attackers to take control of vulnerable systems.
“Updating IT systems and staying up-to-date with the latest security should be a key part of every business’s IT strategy. This type of flaw is becoming an unfortunate reality, and to some extent these types of bugs are unavoidable. Steps can be taken and best practices followed to significantly reduce the risk. Our experience has shown many businesses neglect key systems, leaving them vulnerable to attack. We would like to urge businesses to check with their hosting or IT service provider to ensure that they have acknowledged and are dealing with the threat.”
Professor Mike Jackson, Cyber Security Expert, Birmingham City University:
“There are two main families of basic computer software in the world; those which are Windows-based and those which are Unix-based. The Unix world has just been rocked by the news that a piece of fundamental software is flawed and has opened the gateway to hacking attacks. Even worse news is the fact that this flaw has existed for a decade! The flaw has been labelled ‘Shellshock’, and it is feared that it may be more damaging than the ‘Heartbleed’ bug which was discovered earlier in the year.
“Obviously everyone wants to know if they might be vulnerable to attack. If you are an Apple PC user then the immediate answer is ‘Yes’. Apple’s OS X operating system is Unix-based and therefore vulnerable. Windows users should not, however, be complacent. Your PC might be safe, but what about the router you use for your broadband? This device likely uses Unix-based software and therefore may be at risk of attack.
“Even if we feel safe with the computers we own, what about those computers we use but don’t own? Every time we access a web site, we are effectively using someone else’s computer, i.e. we are opening ourselves up to their vulnerabilities. One of the major pieces of Web server software called Apache is Unix-based and known to be at risk from this software fault.
“Literally millions of websites could be vulnerable to the Shellshock bug. The damage it could cause is as yet unknown. The only safe prediction is that given the number of computers which are at risk, it will take years before this vulnerability is completely eradicated.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.