A security vulnerability in Bash, a widely used piece of Unix and Linux software, threatens large swaths of computers connected to the Internet and has security experts rushing to develop a comprehensive fix and companies scrambling to protect their systems.
Developed in the 1980s, Bash is a command processor used to send text commands to a system through various interfaces, including the SSH protocol. It is the default shell application for Unix, Linux and Mac OS X and is thus present on countless systems. Systems running any Bash version up to and including Bash 4.3 are, until patched, at risk of being exploited by remote attackers.
How vulnerable are these systems? According to ZDNet's Larry Seltzer, Shellshock "is the worst [vulnerability] we've seen in many years." It's much more worrisome than the recent Heartbleed vulnerability that affected OpenSSL, he explains:
As information disclosure bugs go [Heartbleed] was a really bad one, but it was only an information disclosure bug and a difficult one to exploit. The sky's the limit on attacks with Shellshock and it's so easy to exploit that it's already being widely-exploited ...
Software architect Troy Hunt, a Microsoft MVP, provides a detailed technical look at the implications:
The potential is enormous — “getting shell” on a [machine] has always been a major win for an attacker because of the control it offers them over the target environment. Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It’s almost limitless and it’s also readily automatable. There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.
Unfortunately when it comes to arbitrary code execution in a shell on up to half the websites on the internet, the potential is pretty broad. One of the obvious (and particularly nasty) ones is dumping internal files for public retrieval. Password files and configuration files with credentials are the obvious ones, but could conceivably extend to any other files on the system.
Likewise, the same approach could be applied to write files to the system. This is potentially the easiest website defacement vector we’ve ever seen, not to mention a very easy way of distributing malware.
Hunt's conclusion? "In all likelihood, we haven’t even begun [to] fathom the breadth of this vulnerability."
Bad News for the Internet of Things?
With that in mind, it's worth looking at the implications of Shellshock for the Internet of Things (IoT). As Hunt points out, "many IoT devices run embedded Linux distributions with Bash." These devices are all just as vulnerable as computers running Bash. The embedded Linux software on some — perhaps many — of these devices will not be actively maintained by their vendors, so even when a comprehensive patch for the Shellshock vulnerability becomes available, attackers will likely still have plenty of vulnerable devices to target.
While it's not the first security vulnerability threatening the IoT to be identified, Shellshock highlights the downside to a world filled with connected devices: when major vulnerabilities are discovered in the software these devices run, not only does the possibility of widespread damage affecting day-to-day activities greatly increase, so too does the complexity of rectifying the problem. This is something companies and vendors will need to ponder as the adoption of connected devices continues to explode.
What Happens Next?
Not surprisingly, there is evidence attackers are already working to exploit Shellshock. Initial patches for the vulnerability may not solve the problem. Even if a complete fix is available, millions of systems will surely go unpatched because, unlike consumer operating systems, which in most cases update themselves by default, Unix and Linux operating systems are typically not configured to automatically download and apply security patches. Potentially making matters worse, some are expressing concern that certain vendors are not taking the Shellshock threat seriously enough.
So what can be done? Obviously, companies should identify vulnerable systems and apply patches as soon as they become available, even if they are not complete. Depending on their circumstances, they may also want to consider, as Hunt mentions, disabling CGI functionality and switching to a different shell, actions that could cause significant headaches and come at significant cost but currently represent the only way to eliminate the Shellshock threat.
In the meantime, the Internet should brace itself. This situation will almost certainly get worse before it gets better, and the fallout from Shellshock will likely be felt for years to come. With a renewed focus on the security of widely used software like Bash, it is also quite possible more vulnerabilities of Shellshock magnitude that have gone unnoticed for years will soon be discovered.