SHELLSHOCK. Bish BASH Bosh
Technically known as ‘CVE-2014-6271’, it’s already got a catchy name – “ShellShock”, so you know it must be serious.
And it really is. If you’re running a vulnerable server it can be trivially easy to exploit remotely, on a level with Heartbleed certainly.
Whilst the underlying issue is with the BASH command line (a local tool), of particular concern here is the mod_cgi Apache module that’s found running on a lot of legacy web servers and can directly interact with BASH. Whilst things like Python are much more popular these days, CGI scripts can still be found setup on a lot of boxes connected to the public internet (and even more so on legacy corporate networks).
Because CGI can invoke BASH directly, it’s possible that an internet based attacker can simply drive by, find a vulnerable CGI script on a long forgotten page, pass the wrong parameters and get a shell on your box in seconds. See http://pastebin.comraw.php?i=166f8Rjx if you don’t believe us!
It doesn’t take too much imagination to see how this one could go ‘wormable’ very quickly (something Heartbleed was never really capable of) – infected servers scanning out for and compromising others. So there’s a real risk of new botnets being setup on high bandwidth servers and causing more serious problems for the internet in general over the next few weeks – something to bear in mind.
The good news is that patches for BASH are available for all the major distributions – seriously, just stop reading this and get them deployed.
If patching is difficult for whatever reason, network level IPS is a good second option, although Vendor protection for this is quite weak. We’ve seen Cisco push IPS updates very quickly (makes you wonder what they knew that the others didn’t) and we expect Checkpoint, Palo Alto et al to follow suit promptly.
For more detailed technical information on ShellShock, we recommend checking out the following pages:
Finally, our NetSure360° managed security service is already offering alerting and protection against this attack for our managed service customers. If you would like to find out more about this service, or would like our help in protecting your organisation against ‘ShellShock’ then don’t hesitate to get in touch by emailing [email protected] or call 020 7517 3900.