Shellshock isn’t a bug or virus, but rather a code vulnerability, and experts say it’s at least as bad as Heartbleed. The Shellshock vulnerability is found in system software called Bash, which is used by millions of computers. Bash is an interpreter that allows a coder to orchestrate commands on Unix and Linux systems. Windows machines and servers don’t run Bash, but that’s small comfort considering how dangerous and widespread this vulnerability can be.
Does your IT service management team need to go into panic mode and devote all its resources to assessing vulnerability and dealing with Shellshock? No, but those in organizations with the potential to be directly affected need to follow the news of this problem and be ready to act if necessary.
The Shellshock vulnerability is a big one. Luckily patches are available and monitoring is ongoing.
Why Is Shellshock So Bad?
Bash is sometimes used as a parser for CGI scripts, which are often executed on Apache, the world’s most common type of web server. Around half of web servers run Apache and may have some version of Bash, and most Bash versions are vulnerable. Other web servers may or may not have Bash installed. Bash lets users conveniently define functions in order to pass text to other systems and processes.
The problem is that when certain characters are included as the function definition, Bash also processes any code inserted after that definition. Attackers could, therefore, insert code after those function definition characters and cause Bash to execute the commands. An attacker could publish malicious code, access internal data, or reconfigure environments. Shellshock could also be turned into a worm, launching itself onto other targets, which in turn launch it onto further targets, ad infinitum.
Experts Keep Finding More Vulnerabilities
On multiple occasions since the Shellshock vulnerability was identified, experts have found new systems that could be vulnerable, and new ways Shellshock could be maliciously exploited. For example, VPN servers based on OpenVPN are believed to be vulnerable to attack due to “configuration options that can call custom commands during different stages of the tunnel session,” according to Fredrik Stromberg, of commercial VPN service Mullvad.
Oracle confirmed that many of its products are affected, as did Cisco, which provided software updates to its customers who were running products with vulnerable Bash versions. But as new vulnerabilities are discovered, organizations could implement a patch and think they’ve solved the problem when they really haven’t.
And attackers have started trying to exploit the Shellshock vulnerability, according to the SANS Institute Internet Storm Center. That organization’s web servers have already been subject to multiple exploitation attempts based on the vulnerability. Attackers appear to be scanning for CGI scripts in hopes of finding vulnerable systems.
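Scanning of this kind can be spotted in a web server's own access log, because the function definition characters `() {` appear in the logged request fields. The following is an added example, not part of the original article: a shell function that flags such entries in an Apache combined-format log. The log lines, addresses, paths and the `EXAMPLE-COMMAND` placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries whose logged fields contain the
# Bash function-definition prefix "() {". All log lines are constructed.

# Constructed sample, Apache "combined" format, documentation IP ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [27/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; EXAMPLE-COMMAND"
198.51.100.7 - - [27/Sep/2014:10:01:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { x; }; EXAMPLE-COMMAND" "curl/7.30"
203.0.113.5 - - [27/Sep/2014:10:02:00 +0000] "GET /docs/func().html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Sep/2014:10:03:00 +0000] "GET /cgi-bin/a HTTP/1.0" 500 0 "-" "x \"() {\" y"
EOF
}

# Read a combined-format log on stdin; print "ip<TAB>field<TAB>request"
# for every entry that carries the marker.
scan_log() {
    awk -F'"' '
        BEGIN { pat = "[(][)][ \t]*[{]" }   # "()", optional blanks, "{"
        $0 !~ pat { next }                  # no marker anywhere: skip
        {
            split($1, pre, " "); ip = pre[1]
            # Splitting on double quotes gives $2=request, $4=referer,
            # $6=user-agent. An escaped quote inside a value shifts the
            # fields, so anything else is reported as "other".
            field = "other"
            if      ($2 ~ pat) field = "request"
            else if ($4 ~ pat) field = "referer"
            else if ($6 ~ pat) field = "user-agent"
            printf "%s\t%s\t%s\n", ip, field, $2
        }'
}

sample_log | scan_log
```

Only the fields the server writes to its log are visible this way; in the combined format that is the request line, Referer and User-Agent. To scan a real log, pipe it into `scan_log` in place of `sample_log`.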
What to Do About It
A number of patches have already been released to address the Shellshock vulnerability, but new problems have been discovered, so if you happen to have already installed a patch, you could still be vulnerable. Fixing Shellshock is less straightforward than patching OpenSSL was in fixing Heartbleed. That’s because with Shellshock, embedded systems like printers or routers could be using Bash, and who knows when vendors will issue patches for those systems? Fortunately, newer embedded systems operating on Linux are less likely to use Bash.
One way to keep up with the latest on the Shellshock vulnerability and how to patch it is to bookmark Shellshocker.net, which is an online clearinghouse about the problem and includes vulnerability tests and the latest patches. It’s worth monitoring for two reasons. One, Bash is installed on a huge number of machines including servers, desktops, routers, and even non-computer devices that increasingly make up the internet of things. Two, it’s not yet clear how many ways Shellshock might be exploited, and new exploits continue to be discovered.
For most organizations, dealing with Shellshock doesn’t mean dropping everything else and devoting all resources to it. But it may be worthwhile to assign someone from your IT service management team to monitor the latest exploits that are being discovered and to follow the news on Shellshock to learn whether any of your systems are affected.
When your IT service desk is powered by Samanage, your team has access to the latest tools for not only handling service tickets, but also performing all necessary IT asset management tasks, and monitoring those assets for risks like unauthorized software downloads. Samanage keeps your IT service management team nimble and efficient, so when threats like Shellshock arise, you can be confident of continued great operation of the IT service desk even if some resources are temporarily diverted elsewhere.