A View from Cesar Cerrudo
Why the Shellshock Bug Is Worse than Heartbleed
We still don’t know how many systems are vulnerable to the Shellshock bug, but it is likely in the millions.
Last Wednesday a serious software vulnerability called Shellshock was reported; the bug could be exploited to compromise millions of servers and other devices worldwide. We still don’t know how wide and costly the problem will be, but we already know that Shellshock is more serious than the Heartbleed vulnerability that received wide attention back in April.
Heartbleed affected software used by servers to encrypt and secure communications. The flaw allowed attackers to get sensitive information such as encryption keys or passwords from vulnerable servers that could be used to secretly access the system later, for example to steal personal data.
Shellshock allows an attacker much more power. They can use it to take complete control of a system even without having a username and password. Exploitation of the vulnerability is simple and doesn’t require advanced skills.
Because an attacker can use Shellshock to remotely execute any code on a system, it could be used to create a self-replicating “worm.” It would use one compromised system to attack other systems, and so on, propagating over the network and compromising hundreds or thousands of systems in little time.
The Shellshock vulnerability was found in a software package called Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. It is the default for all Linux-based operating systems and Apple’s Mac OS X. Bash is also widely used on simple Internet connected devices, many of which run versions of Linux, meaning that not only servers could be compromised but also some home routers, IP cameras, etc.
Some popular networking devices widely used by corporations have already been identified as vulnerable. Mobile devices are not at risk, unless you have modified your Apple or Android device to gain more control over its software.
Shellshock is dangerous because, while Bash itself is not directly exposed to the Internet, some software that is exposed makes use of Bash internally. For example, the “DHCP” software that negotiates your connection to a Wi-Fi network can pass along commands to Bash. This means that someone with a vulnerable operating system (mostly Linux) could be attacked when connecting to an untrusted Wi-Fi network. (It’s worth noting that connecting to untrusted Wi-Fi networks is always a risk.)
Within a day of Shellshock being reported, there was evidence that it was being used to stage attacks “in the wild.” Information security departments at all companies and organizations should take preventive actions such as applying security fixes and closely monitoring internal networks. The United States Computer Emergency Readiness Team has issued an alert and, along with other security organizations worldwide, is recommending that users and system administrators apply security fixes as soon as possible.
However, it’s still too early to come up with an exhaustive list of affected devices that need updating. And although researchers and device vendors are publishing details about which devices are vulnerable and which aren’t, for some devices in use, no one will be checking because they are no longer supported, or documentation is lacking.
The faster systems are identified and patched, the lower the number of security compromises—and financial losses—that will be caused by Shellshock. It’s possible the economic effects of this bug will be severe because one compromised system can affect a lot of people. For instance, a compromised e-commerce site could not only cause lost sales due to downtime needed to patch, but also expose millions of credit card details, inconveniencing consumers.
Cesar Cerrudo is the chief technology officer at the computer security company IOActive Labs.