Digital forensics and cyber incident response vendor AccessData (www.accessdata.com) has commented on the discovery of the Shell Shock vulnerability, which leaves UNIX servers and connected Linux and Mac OS devices open to takeover by attackers exploiting the GNU Bourne-again shell (Bash), the shell commonly reached through the command-line prompt.
Open source software company Red Hat has alerted the information security community to a newly identified security bug that allows malicious code to be executed on any UNIX-based device on which code can be injected into the Bash shell. Dubbed Shell Shock, the bug has been given a severity rating of 10 because it allows an attacker to completely compromise the affected server or device and requires very little skill to exploit.
Writing on the Red Hat Bugzilla forum, Red Hat warns, “A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”
Industry experts have warned that the bug is potentially more serious than the Heartbleed OpenSSL bug and could affect the security of 500 million Unix-based devices, including security cameras, manufacturing and medical equipment.
Some initial, incomplete patches have been released by Ubuntu and other Linux distributors to reduce exposure to the vulnerability, which has been present in the Unix operating system for more than twenty years. Lucas Zaichkowsky, enterprise defence architect at digital forensics and incident response specialist AccessData (www.accessdata.com), comments:
“Attackers are already exploiting this vulnerability, so no time should be wasted. Similar to Heartbleed, there are many software packages, including server software, that rely on commands and scripts and use the Bourne-again shell (Bash) by default. For anyone wondering how serious this is compared to Heartbleed, note that the NIST Common Vulnerability Scoring System rated Heartbleed at a base score of 5. The Bash vulnerability was rated at the maximum score of 10.
Companies should immediately scan everything exposed to the internet for this vulnerability, then apply mitigating controls and available patches. After that, they should waste no time scanning internal systems for vulnerable software. It’s trivial for attackers to gain entry to an internal system, at which point vulnerable internal systems could be exploited. They should also set up network intrusion detection systems to detect attacks and enable logging that would allow them to record exploitation. That will allow them to know if they’ve already been attacked.
Long term, companies should be aware of breaches happening to other organisations. The fact that this vulnerability has been around for so many years in such a common software package, with source code open for anyone to review, should act as a wake-up call to the fact that there are still undiscovered, or even worse, undisclosed software vulnerabilities everywhere. Determined attackers will always find ways to breach systems. Organisations must invest security resources into detecting and responding to attackers as they break into their network and snoop around,” says Zaichkowsky.