Bashbug/Shellshock: the day after

It’s been a day since the BashBug aka Shellshock bug was disclosed. What real damage has been inflicted and who is most in danger?

Other posts on BashBug/Shellshock:


A day has passed after yet another ghastly revelation of a new, or rather newly discovered bug in the Bourne again shell, present in almost all *nix-like systems, Mac OS X included. Just after the discovery there were a lot of arguments about whether or not it’s Heartbleed 2.0.

From how it looks, it is or could be even more dangerous. As Securelist stated, “it’s much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting. By contrast, the bash vulnerability makes full system control much more possible. So it would seem to be more dangerous.”

The ease of the exploitation ensured the abundance of proof-of-concepts and working exploits. There are reports on a limited number of malicious attacks. Although the real damage is currently pretty vague, as early as hours after the disclosure hit the Web there were reports of someone using masscan to serve malware to the vulnerable servers.

Robert Graham from Errata Security reported the bug to be “wormable”, and the worm indeed didn’t take long to appear, with “thanks, Rob” in the comments in the code.

Efforts to spread malware using the bug appear to have some degree of success: Italian security researchers reported that the Shellshock/BashBug haave been busy building a botnet running on Linux servers, codenamed wopbot. The botnet is effectively building itself further, according to the researchers, using the bug to auto-infect other servers.

It’s also been busy distributing a denial of service attack against Akamai, and massively scanning the United States’ Department of Defense Internet Protocol address range on port 23 TCP or Telnet – according to our Italian colleagues, for brute force attack purposes.

Fortunately, the C&C server of the wopbot, located in UK, was taken down promptly. However, the “botmaster” server for wopbot is in the US and it’s still up and serving malware.

It’s yet unknown how many servers have been infected already, but there are possibly millions of Apache webservers around the world that could be at risk, if their CGI scripts invoke Bash.

This is not limited to webservers.

The worst problem is the one that cannot be fixed. In the case of Bashbug/Shellshock it’s related to multiple internet-of-things devices with their firmware fixed in place, without any possibility to upgrade or patch it. Some of them use Bash, and are thus vulnerable, and can be used for malicious purposes.

There is also a problem with networked embedded devices that use CGI scripts – for example routers (home ones included, according to a Microsoft MVP, security expert Troy Hunt), home appliances and wireless access points. They are also vulnerable and, in many cases, difficult – if not impossible – to patch. And even if it is possible, routers, both those used at home and in businesses, are the sort of hardware that don’t get upgraded often.

With the weekend ahead, it is a good time to review the status of the networked and embedded devices within your networks, for security sake – i.e. to avoid serious and hard-to-solve problems in the future.

Other posts on BashBug/Shellshock: