One of the most recent bugs affecting businesses and individuals is Shellshock. With specialists in cyber security and information risk management providing warnings, guidance and expert advice on facing down the challenges, it is important to know what you are up against and how it could affect you.
Simply put, Shellshock is a nickname for the latest bug present in the Bash (an acronym for Bourne Again SHell) command-line interpreter, or shell. It is widely used in organisations throughout the world due to its use in many popular operating systems such as Unix, Linux and OS X.
Assumed by many to be the worst attack on the Bash shell ever, specialists and analysts are warning that no system supported by the operating system interpreter is safe from the risk of attack if connected to the web, particularly those that use unprotected networks.
Furthermore, the vulnerability has assumed several guises since its announcement, the first and worst being the original Shellshock bug – CVE-2014-6271. The full list of CVEs under the Shellshock umbrella at the time of writing is as follows:
• CVE-2014-6271 (the original)
• CVE-2014-7169 (patch to fix publicly disclosed issue)
Home users at risk
Though Shellshock is largely and primarily a threat to organisations running networked systems, many personal users might face issues. Also, a significant number of systems running Windows and Android could be at risk on personal devices, networked systems and devices, and on third-party networks.
The least vulnerable users appear to be those running Windows, with there so far being no supporting evidence that an exploitable vector to target the Windows platform exists.
What does Shellshock do?
Essentially, any attacker running the Shellshock bug is handed control of the victim’s computer. This means that they are able to request practically any command. The attacker’s level of system access will reflect that of the legitimate user (though this can be altered as skills allow).
The majority of Shellshock attacks seem to be focusing on HTTP web servers, though any system with a standard implementation of DHCP could also come under attack, along with:
• SSH systems – with restrictions (including git, rlogin and rsync)
• Common Unix Printing System (CUPS)
• Plug-ins – including browser plug-ins
How aggressive is Shellshock?
The major issue with the bug is its ease of exploitation – no additional skills, codes or tools are needed. As a result, it is likely that thousands or hundreds of thousands of online servers are already affected. Together, this combination makes Shellshock one of the biggest risks today.
What to do
In order to protect essential computer systems against the risks, cyber crime security teams are responding by introducing patches. However, some teams are advising that, in some instances, switching to a new shell may be the only viable option.
Acumin is an international Information Security and Information Risk Management recruitment specialist. The company works with a variety of markets comprising of End Users, IT Security Vendors, Systems Integrators and Consultancies.
Acumin provides a range of specialist services which include contingency Permanent Recruitment, Contract Recruitment and retained Executive Search. For SMB and Enterprise End User clients, Acumin facilitates the development of internal Information Security and Risk Management teams across the UK, Europe and United States.