Shellshock (Bash Vulnerability) FAQ
What is the vulnerability?
There was a vulnerability announcement on September 24, 2014 of a bug (CVE-2014-6271) in the Bourne-again shell, bash, that is the default command line interpreter in most Linux and many Unix distributions, including variants that form the basis of many embedded devices and appliances. The bug allows for remote code injection that can cause arbitrary commands to be run on the attacked system. There are several avenues for making this happen, but the single most potent one is by attacking web servers that can run CGI commands.
This vulnerability was given the nickname of Shellshock.
Although a patch was available for the major Linux distributions at the time of the announcement, there was a huge spike in attack code aimed at probing for vulnerable servers within a day or two of the announcement. It was also discovered that the bug was bigger than originally thought, and that the original patch was incomplete. There are currently 5 additional CVEs relating to bash: CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278. The last two are still pending patches, so their reports contain less detail.
By the way, this bug is very old, dating back to the original 1993 code lines for bash.
What is affected?
Generally any version of Linux and many of the Unix distributions will be vulnerable. MacOS X has a vulnerable version of the shell, but very few Macs are running exposed services. Windows is not vulnerable to this bug. Many appliance builds, including a lot of security gear, are written on top of some kind of Unix or Linux distribution, and those may be vulnerable too.
How bad is it?
Very. Anything that allows relatively easy entry to run arbitrary code on your machines is something to be dealt with urgently. Even if you thought that Heartbleed was overhyped, rest assured that this is the real deal.
How will my systems be attacked?
Attacks will be attempted against processes that can call out to a shell, but some are far more vulnerable than others.
The most potent vector is through web servers running the Common Gateway Interface (CGI), which allows the web server to execute commands. By manipulating the arguments passed to the web server, an attacker can manipulate a vulnerable shell.
Many (but not all) Linux or Unix DHCP clients use a call to the shell to configure the network interface. This gives a hostile DHCP server a vector for attack. This is a big risk for Linux and Unix workstations (but not Mac or Windows) attaching to public WiFi hotspots.
SSH (secure shell) is a vector that requires authentication, so it presents a much smaller attack surface.
There are additional attack vectors, but they are less likely, so we won’t detail them here.
What about IDS/IPS?
This attack has a very distinctive pattern. It is easily detected and stopped by the major intrusion detection or prevention systems, provided you keep your signatures up to date.
What should I do to protect my company?
- Apply whatever patches are currently available to any affected system.
- Make sure that signatures on all anti-malware, IDS, and IPS systems are kept up to date automatically.
- Pay attention to security advisories. There will be additional patches coming and you must apply them as they become available.
- Watch your logs for attempted penetrations.
- Remember that it’s not just about your “computer systems.” A whole lot of other devices in your data center run some kind of Unix or Linux under the hood. Check with your vendors to see what they are doing to address the issue. If the answer is “nothing” apply pressure.
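The "distinctive pattern" mentioned above is a bash function definition, `() {`, arriving in a request header that a CGI server copies into the environment. The following is an added example, not part of the original post, showing how to watch web logs for it: it parses Apache/nginx "combined" format lines and flags any whose request line, Referer or User-Agent carries the signature. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from typing import Dict, List, Optional

# Shellshock signature: a bash function definition "() {" inside a header value.
# Whitespace-tolerant so variants such as "(){" or "() { :;};" still match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" format. Referer and User-Agent are the only header
# values logged by default, so they are where CGI probes normally show up.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the line carries the Shellshock signature, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None  # not a combined-format line; nothing to inspect
    for field in ("request", "referer", "agent"):
        if SHELLSHOCK_RE.search(m.group(field)):
            return {"ip": m.group("ip"), "time": m.group("time"),
                    "field": field, "request": m.group("request")}
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan an iterable of log lines and collect every hit."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log (not real traffic): a benign request, a probe in the
# User-Agent header, and a probe in the Referer header aimed at /cgi-bin/.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:15:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [25/Sep/2014:10:16:44 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; echo probe"',
    '198.51.100.9 - - [25/Sep/2014:10:17:01 +0000] "GET /cgi-bin/test.sh HTTP/1.0" '
    '404 209 "() { :;}; /bin/true" "curl/7.30"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} signature in {hit["field"]}: {hit["request"]}')
```

Probes can also be placed in headers the default log format never records (Cookie, Host, custom headers), so extend the LogFormat to capture them or rely on the IDS for those; a hit against a non-CGI path is still worth noting as a scan of your server.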
Additional Reading
There are some good descriptions online, ZDNET, Krebs, and Naked Security are but a few examples. Bruce Schneier has a lot of good links on his blog.
Cloudflare has a very good field report on what they are seeing, which includes attacks against security devices.
UPDATED: to add reference to the Cloudflare report.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.