As if we all did not have enough to worry about these days, the blogosphere lit up with the news that a newly discovered bug in the widely used piece of Linux software known as “Bash” could pose a bigger threat to computers than the last bad boy, Heartbleed.
In case you have not yet clicked on one of the slew of articles about this, here is a quick recap.
First, Bash is a shell, or command-prompt software, that comes courtesy of the not-for-profit Free Software Foundation. Hence “Shellshock” is an appropriate name for this bug. As the world moves more and more toward open source, to leverage communal wisdom instead of relying on vendor proprietary approaches, software like Bash has become widely used, and its proliferation is on the rise across the Internet of “E”verything.
Second, after the revelation of the potential threat, the Department of Homeland Security’s United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple’s Mac OS X. The truly nefarious thing about Shellshock is that while Heartbleed just let those with malicious intent spy on us, this one allows them to literally take control of an operating system, access all kinds of information, and even make changes to further compromise a target.
But wait, there is more. The dirty work is not complicated. In fact, unfortunately, it is just a matter of cutting and pasting a little bit of code. The vulnerability is caused by an error in how Bash parses shell function definitions passed via environment variables, and it can be exploited, for example, to execute arbitrary shell commands via a specially crafted environment variable value passed to a CGI script through certain HTTP headers.
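Because the crafted value arrives in an HTTP header that the web server copies into a CGI script’s environment, the tell-tale function-definition prefix “() {” ends up in the server’s access log. The following added example (not part of the original article) scans constructed Apache/nginx “combined” log lines for that prefix in the client-controlled fields, which is the kind of retrospective check an administrator can run while waiting for a working patch; the log format and the sample lines are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Assumed log layout: Apache/nginx "combined" format (request, referer and
# user-agent are the fields a client fully controls).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash treats an environment variable whose value begins with "() {" as an
# exported function definition; that prefix is the signature to look for.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")

CLIENT_FIELDS = ("request", "referer", "ua")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_shellshock(line: str) -> Optional[Dict[str, str]]:
    """Return a finding if any client-controlled field carries a function definition."""
    rec = parse_combined(line)
    if rec is None:
        return None
    for field in CLIENT_FIELDS:
        if FUNC_DEF_RE.search(rec[field]):
            return {"ip": rec["ip"], "ts": rec["ts"], "field": field,
                    "request": rec["request"]}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over a batch of log lines and collect the findings."""
    return [f for f in (flag_shellshock(line) for line in lines) if f]


# Constructed sample log lines (not real traffic); the first and third carry
# the function-definition prefix in the User-Agent and Referer respectively.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.4 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :; }; echo probe" "curl/7.30"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a probe reached the server; whether the CGI script ran under a vulnerable Bash still has to be confirmed on the host.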
And, as security professionals have pointed out, it is “wormable,” i.e., it can easily get past firewalls and infect lots of systems. This is why, on a scale of 1-10, the pros give it a 10 and say to apply the patches being made available ASAP. Unfortunately, they are also saying that the patch issued by GNU, the open source project that develops Bash, has proved ineffective. Thus, as this is written, a working official patch does not exist, which means IT security pros need to be on alert for patches as they emerge and are tested for effectiveness.
It should also be noted that, thus far, there are very few indications that this exploit is being widely used in the wild. However, this is another one of those instances where we will have to wait and see, given how long it can take to discover which systems may or may not already have been compromised.
The security professionals weigh in
As has been my practice when these things happen, my inbox fills with reactions from security industry professionals, and here are just a few of my favorites, which, while depressing for obvious reasons, are certainly food for thought.
Alan Dundas, vice president and product architect for Authentify:
“Unfortunately, the Linux bash shell is everywhere. I suspect that many of the Internet of Things, or Internet of Everything, devices that have been distributed have Linux roots. How will the small CPU in your thermostat prevent malware introduced via a Bash flaw from sniffing around whatever else is connected to it? It probably wasn’t designed to have that capability. Therein lies the fatal error of connecting lots of simple items into a complex network without thoroughly evaluating what could go wrong. What if this semi-smart device simply opens the door for malware? TiVo has embedded Linux and therefore Bash. Everyone who connects to TiVo from their PC or other smart device is suddenly at risk. Does this mean TiVo has been hacked? No it doesn’t. Does it mean, much like after Heartbleed announcements, that an army of hackers have read the news and are starting their R&D? We can’t discount that possibility. This is potentially worse than Heartbleed because many things Linux is embedded in were never intended to be patched.”
Jason Hart, vice president, Cloud Solutions, SafeNet:
“The vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.
Given the interconnectedness of everything, it’s nearly impossible to ensure all devices and systems are without security flaws and to defend what is now a very porous perimeter. That is why we have entered the zero trust era of security, which means that it is more important than ever for companies to place security directly on the data itself with encryption and multi-factor authentication.”
Chris Stoneff, Director of Professional Services, Lieberman Software:
“I see this as a failure in the mindset of the open source community where everyone waits for everyone else to do something or find something. One of the interesting things happening with so much bashing of closed source projects like Microsoft and the embrace of more open software like Linux and OSX is how much visibility Linux and OSX have gained in recent years to would-be attackers. It has shone a light on one of the biggest lies perpetrated on people: we are not vulnerable because we don’t use Microsoft. Well, the proof is now here and it’s time for Linux and OSX and UNIX to take some heat.
What’s scary is this has been around for some time and the first round of patches for Shellshock are not fixing the problems of unauthenticated scripts gaining privileged access to data and services. Given the nature of the patch and the wide variety of servers it affects – especially web servers – I expect we will see another round of highly publicized data theft and public shaming. Many home devices including cable boxes, routers, NAS devices, and of course enterprise and internet connected devices and services all make use of Linux/UNIX running a bash shell. It is not insignificant. Just as with Heartbleed, users need to stay up on their vendors, credit card agencies and more to ensure that once the problem gets fixed, and once it is, those users need to change their passwords. If they don’t, every time they do something on those websites, or the businesses or agencies put the users’ data through those servers, they are putting the people at risk.”
Kyle Kennedy, CTO, STEALTHbits Technologies:
“…Shellshock should shock every administrator this morning to be motivated without the need for coffee to start deploying the patch immediately to any system using Bash. Let the fun begin – again!”
The common thread from all of the experts I have interacted with on Shellshock is the chilling effect it could have on the Internet of Things (IoT), because so many of the devices have Linux roots and were not designed from the ground up with security as a critical element. That is why I led with the Dundas observations: the questions he poses are important ones to get answered.
Where we go from here is problematic. The patches will come. Temporary protection will be available. And, hopefully, while not a false alarm, at least the sounding of the alarm will be enough to encourage massive adoption of protective measures for existing systems and cause the bad guys to look elsewhere for easier vectors of vulnerability. That said, how we get from here to a secure IoT world is something that not just the open source people but everyone looking to profit from the space needs to pay closer attention to, and to articulate how trust can be created in an increasingly un-trustable connected world.
Kyle Kennedy was being facetious in saying the fun can begin again. This is not going to be fun, and there is a lot of hard work, innovation and education ahead. After all, unfortunately, we do not live in a static world, and the bad guys are very good and very creative when it comes to being very bad. We all should have our fingers crossed that we caught this one early.